
Re: looking for a specific use-case

From: Alan Karp <alanhkarp@gmail.com>
Date: Tue, 15 Dec 2020 09:07:38 -0800
Message-ID: <CANpA1Z2wj93_qN-1m-5w0VqrkLSg+n=ZXq1+Ek5wTmL+GdW0ew@mail.gmail.com>
To: "Joosten, H.J.M. (Rieks)" <rieks.joosten@tno.nl>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>

Joosten, H.J.M. (Rieks) <rieks.joosten@tno.nl> wrote:

> I'm looking for a use-case, which I think requires:
>
>    - that is realistic;
>    - that involves (at least) two people, as e.g. in a marriage, a
>    guardianship or otherwise, and some service provider (SP);
>    - where SP has no earlier knowledge of any of these two people (he
>    doesn't know who these people are);
>    - where SP can obtain credentials from only one of these persons (the
>    other is somehow incapable of presenting credentials);
>    - where SP is requested to make a decision (e.g. to provide a service);
>    - where SP needs to authenticate *both* persons in order to make that
>    decision.
>

That's a good set of requirements, except the last.  Authenticating the
two identities, which I assume is what you meant, is less important for the
SP than knowing what permissions they have.  Using authentication of
identity, role, or attributes to make an access decision often leads to a
confused deputy vulnerability.

--------------
Alan Karp
Received on Tuesday, 15 December 2020 17:08:04 UTC
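The confused-deputy point in the reply above, as an added example that is not part of the original thread or of any W3C CCG code: a "deputy" service writes a report on behalf of a caller. The first version authenticates the caller's role and then acts with the deputy's own, broader, write authority, so a legitimate caller can make it overwrite a file the caller could never touch directly. The second version makes the decision on the permission the caller can present (an unforgeable write capability) and gives the deputy no authority of its own, so the same request fails and the deputy never needs to know who is calling. The in-memory store, the users, their home prefixes and the deputy-owned `billing.db` are all constructed for illustration.

```python
"""Added example: confused deputy from identity/role checks vs. capability checks.

Everything here is constructed for illustration (in-memory store, fake users,
a 'billing.db' that only the deputy may write); it is not code from the thread.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class Store:
    """Constructed in-memory file store. The deputy runs with full write
    rights to it, including to its own private 'billing.db'."""
    files: dict = field(default_factory=lambda: {"billing.db": "invoices..."})

    def write(self, path: str, data: str) -> None:
        self.files[path] = data


# ---- Version 1: decide by authenticating the caller's role ------------------
class RoleDeputy:
    """Authenticates WHO is calling (role lookup), then acts with its own,
    much broader, authority. This is the pattern that gets confused."""

    def __init__(self, store: Store, roles: dict):
        self.store = store
        self.roles = roles          # constructed identity -> role table

    def write_report(self, caller: str, dest_path: str, report: str) -> None:
        if self.roles.get(caller) != "employee":
            raise PermissionDenied(caller)
        # Passed the identity check, so the deputy writes wherever it is told,
        # using the deputy's rights rather than the caller's.
        self.store.write(dest_path, report)


def demo_confused_deputy() -> str:
    store = Store()
    deputy = RoleDeputy(store, roles={"alice": "employee"})
    # alice is a genuine employee but has no right to touch billing.db.
    # Naming it as the destination is enough: the deputy's rights do the work.
    deputy.write_report("alice", "billing.db", "quarterly report")
    return store.files["billing.db"]          # clobbered by the deputy


# ---- Version 2: decide by the permission the caller can present -------------
class WriteCap:
    """Unforgeable reference to write exactly one path. Holding the object is
    the permission; the only way to get one is through Issuer."""

    def __init__(self, store: Store, path: str):
        self._store, self._path = store, path

    def write(self, data: str) -> None:
        self._store.write(self._path, data)


class Issuer:
    """Mints capabilities only for paths under the requester's own prefix."""

    def __init__(self, store: Store, home: dict):
        self.store = store
        self.home = home            # constructed identity -> owned prefix

    def cap_for(self, requester: str, path: str) -> WriteCap:
        prefix = self.home.get(requester)
        if prefix is None or not path.startswith(prefix):
            raise PermissionDenied(f"{requester} cannot write {path}")
        return WriteCap(self.store, path)


class CapDeputy:
    """Holds no store reference and no user table. It writes only through the
    capability the caller hands it, so it cannot be talked into exercising
    authority the caller never had, and it never needs the caller's identity."""

    def write_report(self, dest: WriteCap, report: str) -> None:
        dest.write(report)


def demo_capability() -> tuple:
    store = Store()
    issuer = Issuer(store, home={"alice": "users/alice/"})
    deputy = CapDeputy()

    # Legitimate use: alice obtains a cap for her own area and passes it on.
    deputy.write_report(issuer.cap_for("alice", "users/alice/report.txt"),
                        "quarterly report")

    # Same attack as before: alice cannot obtain a cap for billing.db, and the
    # deputy has nothing of its own to write with, so billing.db stays intact.
    try:
        deputy.write_report(issuer.cap_for("alice", "billing.db"), "garbage")
        attack_succeeded = True
    except PermissionDenied:
        attack_succeeded = False

    return (attack_succeeded,
            store.files["billing.db"],
            store.files["users/alice/report.txt"])
```

The structural difference is where the authority lives: `RoleDeputy` carries ambient authority (a `Store` it can write to anywhere) and gates it on an identity check, so any path the caller names is reached with the deputy's rights; `CapDeputy` carries none, so the only paths it can ever reach are the ones a caller has already been granted. The in-process object reference stands in for whatever unforgeable token (a signed, audience-bound credential, for instance) a real service provider would accept over the wire.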