
Authentication vs Authorization clarification

From: Pelle Braendgaard <pelle.braendgaard@consensys.net>
Date: Tue, 27 Mar 2018 11:17:37 -0600
Message-ID: <CANQzS_hDN6+2dWfSHv65OC+3TU23SEn8F9vq9b0_U9bE7J2YtQ@mail.gmail.com>
To: Credentials Community Group <public-credentials@w3.org>

I just wanted to clarify my statement in the call, as I think it caused
some confusion.

In an HTTP-based world, there is a very clear separation that is needed for
a very good reason.

Blockchains are very different as there is no central server that we need
to authorize ourselves with.

Interacting with apps on all the different blockchains is very much out of
scope, I believe, so in most cases traditional protocol-level Authorization
is not needed.

That said (and this is where I think the confusion arrived), people are and
will be using verified credentials for authorization on a business (NOT
protocol) level. So the nice clean separation we had in the HTTP world is
maybe not as clean anymore.

I don't think we need to model authorization at all for DID-AUTH, but just
like authorization is built on top of traditional authorization methods, we
should just be aware that business-level authorizations will be built on
top of it. Which is why Marcus's 2.) definition is what we are currently
supporting with uPort.


*Pelle Brændgaard // uPort Engineering Lead*
Received on Tuesday, 27 March 2018 17:18:08 UTC
