Re: VCs - zCaps / OCap a Discussion from Alan Karp on 2020-12-22 (public-credentials@w3.org from December 2020)

From: Alan Karp <alanhkarp@gmail.com>
Date: Tue, 22 Dec 2020 13:54:27 -0800
To: Orie Steele <orie@transmute.industries>
Cc: Daniel Hardman <daniel.hardman@evernym.com>, Adrian Gropper <agropper@healthurl.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <CANpA1Z2z79CjLWT712T3jVL10T3Lkp-uD_pFwQKbmumigE8ytw@mail.gmail.com>

> I made some updates to this strawman proposal for using the VC Data Model
to describe capabilities, capabilities chains, delegation and invocation:
> https://transmute-industries.github.io/authorization-credentials/

I've only started working through your note, but I stopped because I got
confused.

I thought every certificate had a unique identifier, but I didn't see it.
Nor did I see the signatures, which becomes particularly important for
invocations.  (The Navy signed the capability and request separately in
their first implementation based on our Zebra Copy
<https://www.hpl.hp.com/techreports/2007/HPL-2007-105.html> work.)

In example 2, how does the verifier know that the delegation is a subset of
the delegator's permissions.  In both SPKI and the SAML version we built,
the proof field contains the deletator's capability certificate.

In example 3, where is the actual read request?

The issuer and the credential subjects are the same key.  That's not a
problem, but I think the example would be more useful if the delegation was
to a different key.

--------------
Alan Karp

Received on Tuesday, 22 December 2020 21:54:51 UTC