W3C home > Mailing lists > Public > public-credentials@w3.org > February 2020

Re: Today's presentation on Credentials v Capabilities

From: Daniel Hardman <daniel.hardman@evernym.com>
Date: Tue, 18 Feb 2020 16:58:04 -0700
Message-ID: <CAFBYrUo3QVoGwZMKbXJvNKTFdKBWdQ=z=vxa2QArnY0OnGftRA@mail.gmail.com>
To: Joe Andrieu <joe@legreq.com>
Cc: Credentials Community Group <public-credentials@w3.org>
>
> Can you provide an example? Even better if you start with a VC, issued by
> Joe, that claims "The sky is blue". We'll call this VC X.


There are very detailed examples and diagrams in the RFC I linked.
Interestingly, the most elaborated example is one you also used, about
delegation of a car key with a valet.


> So how does anyone know which VCs are delegatable? Further, how does
> anyone know the boundaries of that delegation, that is, the range of
> verifiers for whom such delegation is appropriate? Just because I give my
> child a VC saying they can use my credit card to buy milk at Ralph's
> doesn't mean that the cashier at LiquorMart will honor that constraint.
> Heck, all they need is the credit card # and a willing cashier. More
> importantly, will the credit card companies recognize that delegation as
> legitimate? What if they accept the first one (because "Milk from Ralph's"
> is fairly well defined) but they reject the second one? More likely,
> because the LiquorMart POS almost certainly doesn't require a VC of any
> particular type, the cashier will probably just make the sale. In contrast,
> the same use case using zCaps would originate at the credit card company
> and invoking it at either the LiquorMart or Ralph's would definitively
> validate the purchase according to the delegation framework as defined by
> the credit card company... and the retailer would immediately know whether
> or not the transaction is valid.
>

I believe the RFC I linked to has moderately good answers to these
questions. It is not a deeply polished doc, though, so there could be gaps.


> zCaps is a particular set of semantically rigorous operations that define,
> without ambiguity, how delegation and invocation proceeds for particular
> actions at a given issuer. I have my doubts about the wisdom of
> shoe-horning custom semantics into the VC structure, which is meant for
> verifying statements by one source at another. Statements across trust
> boundaries and actions within a singular trust context are two very
> different beasts, IMO.
>

You are making the claim that capabilities are inherently about a singular
trust context. I think that's an oversimplification. That's fine. We can
agree to disagree. I may be wrong. If so, I agree that this might be a
reason to explore a new mechanism.


> There are some misconceptions about how zCaps work (verifying a DID
> signature doesn't require phoning home to the DID subject)
>

I think you may be misconstruing something. Did you have the following
sentence in mind when you made that conclusion? I said that the zCaps
"mechanism for validating the non-revocation status of each credential in
the delegation chain seemed to follow the same revocation checking pattern
as traditional non-ZKP credentials." Note that this sentence has nothing
about signature verification in it, and that it also has nothing about DID
subjects in it. It's about revocation checking, not signatures.


> and some root disagreements about priorities (ZKP ALL-THE-THINGS).
>

The mechanism I'm advocating is not dependent on ZKP technology, as the RFC
states very explicitly at the top (and several places in the running text).
You could implement it today with Digital Bazaar's JSON-LD-centric
credentials, or with JWT-centric credentials, etc. I also pointed this out
in my first message on the thread. I have never taken the position that we
should "ZKP ALL-THE-THINGS." That is a caricature that seems to crop up
from time to time in these circles; I would be glad of a general commitment
from all of us to kill such distortions. As near as I can tell, the
caricature seems to survive on careless FUD. I find it particularly amusing
in this case, given the non-ZKP-oriented content I linked.


> I also have my doubts about the security implications of "short
> circuiting" VC issuance.
>

Excellent. I invite you to contribute to the discussion about the VC threat
model at credential-fraud-study@googlegroups.com, or to raise issues
against Aries RFC 0207: Credential Fraud Threat Model
<https://github.com/hyperledger/aries-rfcs/blob/master/concepts/0207-credential-fraud-threat-model/README.md>;
when there's evidence of serious engagement on the topic in W3C circles,
perhaps we can finally bring it to this group as a work item. I raised the
threat model topic at the Aug 2019 RWOT, but didn't have an opportunity to
engage with you directly. My perception is that we're not thinking about
this topic hard enough, yet. So your thoughts could probably help us a lot.


> But IMO doing so is barely more rigorous than using a printed contract for
> the same purpose. Maybe it will be accepted by a verifier, maybe it won't.
> Maybe it will make sense to a verifier, maybe it won't. Maybe it will be
> delegated appropriately, maybe it won't. Maybe the verifier will be able to
> make sense of delegations, maybe they won't. zCaps fixes all that
> ambiguity, IMO.
>

It seems like maybe you haven't read the RFC? We could very well still have
a difference of opinion when you've done that, but I doubt it will be about
ambiguity.


> Let me finish by inviting you to present your approach on a future call.
> My discussion was to socialize a distinction between credentials and
> capabilities that is creating value for people I'm working with. As CCG
> co-chair, it would be a service to the community if you could present your
> approach to directed capabilities.
>
> Would you be up for that?
>

Yes, I'd be glad to do that. Thank you for the invitation. How is an item
like this scheduled?
Received on Tuesday, 18 February 2020 23:58:30 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 18 February 2020 23:58:31 UTC