W3C home > Mailing lists > Public > public-credentials@w3.org > December 2020

Re: VCs - zCaps / OCap a Discussion

From: Adrian Gropper <agropper@healthurl.com>
Date: Wed, 9 Dec 2020 19:12:02 -0500
Message-ID: <CANYRo8j8k8oB9dc5rmBH2jY90ExyZDscKgfERA9MPrTS-mWUGg@mail.gmail.com>
To: Alan Karp <alanhkarp@gmail.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
> *I'm confused. Company A never delegated to company B. It delegated to the
>> Subject that controls a PDP. How do we enable an audit of activity by
>> Company A?*
> The owner of the service delegated to Company A.  Company A delegated to
> Company B, which delegated to Bob-as-employee.  The PDP isn't in
> the delegation chain; it only verifies the signatures and permission
> subsetting.  That's actually a good thing.  The PDP has no need to invoke
> the service, so it shouldn't have that permission.

*Still confused. In the real world, Company A never delegates to Company B.
Company A just operates a PEP. *

*The question of whether Company A delegates to the PDP or the Subject
delegates to Company A seems talmudic but maybe it's important to resolving
my confusion.*

*I agree with you that the PDP has no need to invoke the service so it
shouldn't have that permission but in the real world, the PDP can collude
with a service provider B out-of band and Company A would have no idea of
the collusion.*

Received on Thursday, 10 December 2020 00:12:27 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 10 December 2020 00:12:28 UTC