- From: Adrian Gropper <agropper@healthurl.com>
- Date: Wed, 9 Dec 2020 19:12:02 -0500
- To: Alan Karp <alanhkarp@gmail.com>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Received on Thursday, 10 December 2020 00:12:27 UTC
>> *I'm confused. Company A never delegated to company B. It delegated to the
>> Subject that controls a PDP. How do we enable an audit of activity by
>> Company A?*
>
> The owner of the service delegated to Company A. Company A delegated to
> Company B, which delegated to Bob-as-employee. The PDP isn't in
> the delegation chain; it only verifies the signatures and permission
> subsetting. That's actually a good thing. The PDP has no need to invoke
> the service, so it shouldn't have that permission.

*Still confused. In the real world, Company A never delegates to Company B. Company A just operates a PEP.*

*The question of whether Company A delegates to the PDP or the Subject delegates to Company A seems talmudic but maybe it's important to resolving my confusion.*

*I agree with you that the PDP has no need to invoke the service so it shouldn't have that permission but in the real world, the PDP can collude with a service provider B out-of-band and Company A would have no idea of the collusion.*

*Adrian*
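Added example, not part of the original message or of any code discussed on the list: a sketch of the chain check the quoted reply describes (each link's signature verifies and permissions only narrow), returning the issuer-to-holder trail an auditor would read. The party names, permission strings and the Lamport one-time signatures (a standard-library stand-in for a real signature scheme) are assumptions.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: a stdlib-only stand-in for a real signature scheme.
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def key_id(pk):
    return H(b"".join(h for pair in pk for h in pair)).hex()

def encode(body):
    return json.dumps(body, sort_keys=True).encode()

def delegate(issuer_sk, issuer_pk, holder_pk, perms):
    # One link: the issuer signs (issuer id, holder id, permissions).
    body = {"issuer": key_id(issuer_pk), "holder": key_id(holder_pk), "perms": sorted(perms)}
    return {"body": body, "issuer_pk": issuer_pk, "sig": sign(issuer_sk, encode(body))}

def check_chain(chain, owner_id):
    # Uses public keys only: the checker can validate a chain without being able to extend it.
    expected, allowed, trail = owner_id, None, []
    for link in chain:
        body, pk = link["body"], link["issuer_pk"]
        if key_id(pk) != expected or body["issuer"] != expected:
            return False, trail                      # link not issued by the previous holder
        if not verify(pk, encode(body), link["sig"]):
            return False, trail                      # bad signature
        if allowed is not None and not set(body["perms"]) <= allowed:
            return False, trail                      # permissions widened
        trail.append((body["issuer"], body["holder"], body["perms"]))
        expected, allowed = body["holder"], set(body["perms"])
    return True, trail

def build_chain(b_perms=("read",)):
    # Constructed parties mirroring the thread: owner -> Company A -> Company B -> Bob.
    owner, a, b, bob = keygen(), keygen(), keygen(), keygen()
    chain = [delegate(owner[0], owner[1], a[1], ["read", "write"]),
             delegate(a[0], a[1], b[1], ["read"]),
             delegate(b[0], b[1], bob[1], b_perms)]
    return chain, key_id(owner[1])
```

The trail returned by `check_chain` lists every issuer and holder in order, so the record of who delegated to whom comes from the signed links themselves.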