- From: Alan Karp <alanhkarp@gmail.com>
- Date: Wed, 9 Dec 2020 16:50:09 -0800
- To: Adrian Gropper <agropper@healthurl.com>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CANpA1Z2=HA9ossBNHvuoaqGYgRJZkn3tqJKNTjMUOXGse=iUAg@mail.gmail.com>
Adrian Gropper <agropper@healthurl.com> wrote:

>>> *I'm confused. Company A never delegated to company B. It delegated to the Subject that controls a PDP. How do we enable an audit of activity by Company A?*
>>
>> The owner of the service delegated to Company A. Company A delegated to Company B, which delegated to Bob-as-employee. The PDP isn't in the delegation chain; it only verifies the signatures and permission subsetting. That's actually a good thing. The PDP has no need to invoke the service, so it shouldn't have that permission.
>
> *Still confused. In the real world, Company A never delegates to Company B. Company A just operates a PEP.*

That's not the ocap way. How does the PEP know that Bob-as-employee of Company B has permission to use the service? It will ask the PDP, which will check with the policy access point (PAP). What information will the PAP use to make the decision?

> *The question of whether Company A delegates to the PDP or the Subject delegates to Company A seems talmudic but maybe it's important to resolving my confusion.*

You're right. It is an important point. I think I see part of the confusion. Who decides if an employee of Company B gets permission to use the service? In a conventional setup, the PDP talks to a PAP to decide if a particular request matches the access policy, usually based on some authentication presented by the requester. In an ocap system, the PAP is what decides whether to hand out an ocap, and the PDP merely verifies the delegation chain when a request comes in. Figure 5 of https://www.hpl.hp.com/techreports/2008/HPL-2008-204R1.pdf shows the difference. (I have a talk on this that I gave at RSA a number of years ago.)

Imagine we're talking about your car. You delegate permission to use the car by giving me the keys, perhaps because I presented a VC that I'm licensed to drive. The ignition lock is the PEP, and the pins in the lock are the PDP. I delegate to my son by giving him the valet key. (I don't trust him not to go poking around in your glove box.) The PEP isn't in the delegation chain, nor does it know anything about the users of the key. All it cares about is that the key moves the pins into the correct position. That's the ocap way.

> *I agree with you that the PDP has no need to invoke the service so it shouldn't have that permission but in the real world, the PDP can collude with a service provider B out-of band and Company A would have no idea of the collusion.*

True, but at least you can't trick the PDP into delegating a capability to the service to you :)

> *Adrian*

--------------
Alan Karp
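The delegation chain Alan describes (service owner to Company A to Company B to Bob-as-employee), with a PDP that only verifies signatures and permission subsetting and never appears in the chain, as an added example that is not part of the original thread. The principal names, permission strings and the use of per-issuer HMAC keys as a stand-in for public-key signatures are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in keys, one per principal that issues a delegation. A real
# ocap system would use public-key signatures; per-issuer HMAC keys let the PDP
# check "who signed this link" offline. The PDP has no key: it verifies, never delegates.
KEYS = {"owner": b"k-owner", "company_a": b"k-a", "company_b": b"k-b"}

def _payload(link):
    body = {k: link[k] for k in ("issuer", "subject", "perms", "parent")}
    return json.dumps(body, sort_keys=True).encode()

def delegate(issuer, subject, perms, parent=None):
    """`issuer` hands `subject` a capability for `perms`, chained to `parent`."""
    link = {"issuer": issuer, "subject": subject,
            "perms": sorted(perms), "parent": parent}
    link["sig"] = hmac.new(KEYS[issuer], _payload(link), hashlib.sha256).hexdigest()
    link["id"] = hashlib.sha256(link["sig"].encode()).hexdigest()[:16]
    return link

def pdp_check(chain, root, requester, perm):
    """Decide whether `requester` may do `perm` using only the chain."""
    # A link passes if its issuer signed it, holds the previous link, and subsets its perms.
    if not chain or chain[0]["issuer"] != root:
        return False, "chain does not start at the service owner"
    prev = None
    for link in chain:
        key = KEYS.get(link["issuer"])
        good = key and hmac.compare_digest(
            hmac.new(key, _payload(link), hashlib.sha256).hexdigest(), link["sig"])
        if not good:
            return False, f"bad signature on link issued by {link['issuer']}"
        if prev is not None:
            if link["issuer"] != prev["subject"] or link["parent"] != prev["id"]:
                return False, f"{link['issuer']} does not hold the parent link"
            if not set(link["perms"]) <= set(prev["perms"]):
                return False, f"{link['issuer']} delegated more than it holds"
        prev = link
    if prev["subject"] != requester:
        return False, "chain does not end at the requester"
    if perm not in prev["perms"]:
        return False, f"{perm!r} was never delegated to {requester}"
    return True, "ok"

# Constructed chain: owner -> Company A -> Company B -> Bob-as-employee.
C1 = delegate("owner", "company_a", ["read", "write", "admin"])
C2 = delegate("company_a", "company_b", ["read", "write"], C1["id"])
C3 = delegate("company_b", "bob", ["read"], C2["id"])
CHAIN = [C1, C2, C3]
```

Note that an audit of Company A's activity falls out of the chain itself: every link Company A issued carries its signature and the permissions it chose to pass on, which the PDP can log at verification time.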
Received on Thursday, 10 December 2020 00:50:33 UTC