
Re: VCs - zCaps / OCap a Discussion

From: Adrian Gropper <agropper@healthurl.com>
Date: Wed, 16 Dec 2020 20:43:38 -0500
Message-ID: <CANYRo8ifaDamD_bo4XzxL0qpA1vXk0fJwnnqi7s7W3meTyVB2w@mail.gmail.com>
To: Alan Karp <alanhkarp@gmail.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>

OK - I think we now agree 100%.

Another way I try to explain this: The PDP is the point where the learning
happens on behalf of the subject. You want the repeated requests to come to
the PDP because, regardless of what capabilities are issued to the
requesting party or parties, we want the subject's PDP to have dibs on the
learning.

An interesting aspect of this learning perspective, is that when the
requesting party that interacted with the PDP to get the capability then
delegates that capability to another requesting party we would want the PDP
to learn from that. Following the delegation chain when the PEP introspects
the capability gives the PDP transparency into how their token was
delegated and attenuated, but not why. This is good.

Bob does not have to explain to Alice (the PDP owner) why they delegated a
capability to Carol, right?

How'm I doing?

- Adrian

On Wed, Dec 16, 2020 at 7:14 PM Alan Karp <alanhkarp@gmail.com> wrote:

> Adrian Gropper <agropper@healthurl.com> wrote:
>
>> I have no idea what
>>
>> “ The PEP may know that the token is valid, perhaps because it has cached
>> the validation result, but it doesn't know if the request is included in
>> the permissions specified in the token.”
>>
> My bad.  I meant PDP.
>
>
>> means. I try to use ‘request’ consistently to refer to interaction at the
>> PDP. I use ‘token’ in relation to the capability presented by a ‘client’ to
>> Company A as the PEP.
>>
>
> Sorry.  That comes from the SPKI spec and allows you to memoize the
> validation of a certificate.  That means the PDP only needs to check the
> delegation chain once for a given zcap no matter how many times it sees
> it.  The PDP still needs to verify that the zcap authorizes the request
> being made every time.
>
> --------------
> Alan Karp
>
>>
Received on Thursday, 17 December 2020 01:44:02 UTC
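The two points made in this exchange, that the PDP verifies a delegation chain once and memoizes the result but still checks every request against the capability's permissions, and that following the chain shows how a capability was delegated and attenuated but not why, as an added example that is not code from the thread or from any zcap implementation. It is a toy PDP in Python: the capability format, the party names, the HMAC stand-in for proof-chain signatures and the assumption that the PEP has already authenticated the invoker are all assumptions made for this example.

```python
"""Memoized delegation-chain validation at a PDP for zcap-style capabilities.

Added example, not from the thread or any zcap implementation. Assumed toy
format: id, target, controller (who may invoke or delegate), allowed actions
and, for a delegated capability, the parent id. HMAC under per-party keys
stands in for signatures so the example runs offline (an assumption).
"""
import hashlib
import hmac
import json

# Constructed per-party keys (assumption; real zcaps use public-key proofs).
KEYS = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}
TARGET = "https://example.com/records/123"  # the resource Alice's PDP guards


def canonical(cap):
    """Canonical JSON of a capability without its signature."""
    unsigned = {k: v for k, v in cap.items() if k != "sig"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def sign(cap, signer):
    """Attach the signer's MAC over the canonical capability."""
    cap = dict(cap)
    mac = hmac.new(KEYS[signer], canonical(cap), hashlib.sha256).hexdigest()
    cap["sig"] = {"by": signer, "mac": mac}
    return cap


class PDP:
    def __init__(self, owner, target):
        self.owner = owner          # the subject (Alice) whose resource this is
        self.target = target
        self._chain_cache = {}      # chain fingerprint -> validated summary
        self.chain_checks = 0       # counts full chain verifications performed

    def _verify_sig(self, cap, expected_signer):
        sig = cap.get("sig")
        if not sig or sig.get("by") != expected_signer:
            return False
        mac = hmac.new(KEYS[expected_signer], canonical(cap), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, sig["mac"])

    def validate_chain(self, chain):
        """Verify the chain root-to-leaf once and memoize the result.

        Returns the leaf's effective actions plus a trace of how the capability
        was delegated and attenuated (who gave what to whom), never why.
        """
        fp = hashlib.sha256(json.dumps(chain, sort_keys=True).encode()).hexdigest()
        if fp in self._chain_cache:
            return self._chain_cache[fp]
        self.chain_checks += 1
        root = chain[0]
        if (root.get("parent") is not None or root["target"] != self.target
                or not self._verify_sig(root, self.owner)):
            raise ValueError("root capability not issued by the owner for this target")
        allowed = set(root["actions"])
        trace = [(self.owner, root["controller"], sorted(allowed))]
        parent = root
        for cap in chain[1:]:
            # Each link must point at its parent and be signed by the parent's controller.
            if cap.get("parent") != parent["id"] or cap["target"] != self.target:
                raise ValueError("broken delegation link")
            if not self._verify_sig(cap, parent["controller"]):
                raise ValueError("delegation not signed by the parent's controller")
            # Attenuation only: a delegate can never hand on more than it holds.
            actions = set(cap["actions"])
            if not actions <= allowed:
                raise ValueError("delegation attempts to amplify permissions")
            allowed = actions
            trace.append((parent["controller"], cap["controller"], sorted(allowed)))
            parent = cap
        summary = {"invoker": parent["controller"], "actions": frozenset(allowed), "trace": trace}
        self._chain_cache[fp] = summary
        return summary

    def decide(self, chain, invoker, action):
        """Per-request decision: chain validity is memoized, but whether this
        request is within the leaf's permissions is checked every time.
        The invoker is assumed to have been authenticated by the PEP."""
        try:
            summary = self.validate_chain(chain)
        except ValueError:
            return False
        return invoker == summary["invoker"] and action in summary["actions"]


def build_chain(carol_actions=("read",)):
    """Constructed chain: Alice issues a root capability to Bob; Bob delegates to Carol."""
    root = sign({"id": "cap-1", "parent": None, "target": TARGET,
                 "controller": "bob", "actions": ["read", "write"]}, "alice")
    leaf = sign({"id": "cap-2", "parent": "cap-1", "target": TARGET,
                 "controller": "carol", "actions": list(carol_actions)}, "bob")
    return [root, leaf]


def tampered_chain():
    """Carol widens her own capability after Bob signed it; the MAC no longer matches."""
    chain = build_chain()
    chain[1]["actions"] = ["read", "write"]
    return chain
```

With this PDP, the first request carrying Bob-to-Carol's chain runs the full chain check; later requests with the same chain hit the cache and only pay for the per-request permission test, so Carol's "write" is refused without re-walking the chain. The trace the PDP records names the delegator, the delegate and the attenuated action set at each hop and nothing else, which is the "how but not why" transparency described above. Two practitioner caveats: failed chains are deliberately not cached here, and memoizing chain validity says nothing about revocation, which a real PDP still has to check per request.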
