W3C home > Mailing lists > Public > public-credentials@w3.org > February 2020

Re: Today's presentation on Credentials v Capabilities

From: Joe Andrieu <joe@legreq.com>
Date: Tue, 18 Feb 2020 16:39:22 -0800
Message-Id: <8a844b2e-9f9f-4a9d-8dc7-3df73ee6c422@www.fastmail.com>
To: "Credentials Community Group" <public-credentials@w3.org>
On Tue, Feb 18, 2020, at 4:10 PM, Daniel Hardman wrote:
> >Directed Capabilities always return to the same trust context: the issuer. The holder can delegate (if allowed) to any allowed actions and with any allowed attenuations. These holder actions do not require phoning home. HOWEVER, invoking the capability inherently "phones home" because home is where the action takes place.
> I think this is insightful. But I also think it's too simple, for three reasons:
> 
> 1. The issuer doesn't have to be the one to verify; they just have to agree to (not necessarily create, even) the rules by which verification later happens. This means that, although there is a single trust context at the beginning and end, it is not necessarily a trust context wholly controlled by the issuer. We see this in some guardianship use cases. A grandmother guardian is delegated the privilege of making medical care decisions for a granddaughter dependent in a refugee camp. The delegator is an NGO or maybe a government. The enforcer or verifier is the camp. Invoking the capability doesn't phone home; it just means the camp has to follow the rules the delegator set up. These rules are typically embodied in a trust framework that everyone agrees to; that's quite different from embodying them in a phone home to the issuer. For a concrete example of such rules, see here <https://github.com/hyperledger/aries-rfcs/blob/master/concepts/0103-indirect-identity-control/guardianship-sample/trust-framework.md>. (This is a doc that answers many of the questions that Joe raised as examples of ambiguity.)

Sure. You can use DCs in the way you describe, but that would be contrary to the intended practice, just like you can use morse code to send HTML. DCs are intended for invocation at the issuer. Full stop. If the verifier doesn't control the issuance, they can't control the range of actions nor the rules of delegation.

You *can* outsource your trust decision to a trust framework, but I wouldn't.

> 
> 2. Although the beginning and end of delegation may lie within a single trust context, midpoints in a chain can cross trust boundaries.

Sure. But these are cryptographically secured in both paradigms under discussion.

> 
> 3. VCs can absolutely be used within a single trust context. We (all of us) have lots of production use cases where an institution issues, and then later asks a person to prove back to them using the credential they previously received -- do we not?

Why? If you issued the VC you have all the information you need to verify the assertion. I would not recommend using VCs in this case. They externalize potentially risky personal information. The one exception might be if the service provider deletes everything to avoid becoming a honeypot. But I don't know anyone who is willing to abandon all PII stored on a service, externalizing it via VCs to enhance privacy. Theoretically its a nice VRMy idea, but practically speaking, it's a non-starter for companies at any scale.

-j

> 
> On Tue, Feb 18, 2020 at 4:59 PM Joe Andrieu <joe@legreq.com> wrote:
>> __
>> The phrase that rang for me when I replied to Daniel is "trust boundary".
>> 
>> VCs are specifically designed to cross trust boundaries, from the issuer to the verifier. They can be verified without the verifier phoning home.
>> 
>> Directed Capabilities always return to the same trust context: the issuer. The holder can delegate (if allowed) to any allowed actions and with any allowed attenuations. These holder actions do not require phoning home. HOWEVER, invoking the capability inherently "phones home" because home is where the action takes place.
>> 
>> VCs are useful if you need assertions that cross trust boundaries. DCs are useful if you want flexible delegation at the within a given trust boundary.
>> 
>> If you use it elsewhere, use a VC. If you use it at the issuer, use a directed capability.
>> 
>> -j
>> 
>> On Tue, Feb 18, 2020, at 3:38 PM, Kim Hamilton wrote:
>>> I was rambling in IRC about this during the meeting. The data model similarities (and differences) caught my eye, but based on the discussion, I saw why the zcap spec (for example) was more streamlined for the purpose.
>>> 
>>> Yet, I did not understand how no-phone-home yet issuer-specific were reconcilable, but I didn't think there was time to get into it. 
>>> 
>>> Again, I was approaching it from a very low-level data model diff-ing perspective, and wondering if we will end up with a range of VerifiableXs in the future.
>>> 
>>> On Tue, Feb 18, 2020 at 3:54 PM Joe Andrieu <joe@legreq.com> wrote:
>>>> __
>>>> Daniel,
>>>> 
>>>> Let's dive into this. I agree that VCs can be used for delegation. I just don't believe they are the most appropriate way to do so. You can, of course, say *anything* in a VC, so you can easily make statements that are interpreted as delegations. But VCs themselves do not provide mechanisms to specify or interpret capabilities and delegations.
>>>> 
>>>> So, let's take your first statement:
>>>>> 1. Credentials can be made delegatable, and they can be attenuated. This collapses the most interesting differences between credentials and capabilities, making a special new data format for capabilities unnecessary. Capabilities can be done with VCs (any type that's W3C-data-model-compliant).
>>>> 
>>>> Can you provide an example? Even better if you start with a VC, issued by Joe, that claims "The sky is blue". We'll call this VC X.
>>>> 
>>>> What does it mean to delegate that? Or attenuate it.
>>>> 
>>>> Yes, I can make statements about that statement. I can even make arbitrary statements about that statement. I could say "Joe delegates the credential X". But these appear to have no meaning.
>>>> 
>>>> Generally only privileges are delegatable. So, the only VCs that are delegatable are those expressing privileges. But which VCs should be interpreted that way? Certainly not VC X. So how does anyone know which VCs are delegatable? Further, how does anyone know the boundaries of that delegation, that is, the range of verifiers for whom such delegation is appropriate? Just because I give my child a VC saying they can use my credit card to buy milk at Ralph's doesn't mean that the cashier at LiquorMart will honor that constraint. Heck, all they need is the credit card # and a willing cashier. More importantly, will the credit card companies recognize that delegation as legitimate? What if they accept the first one (because "Milk from Ralph's" is fairly well defined) but they reject the second one? More likely, because the LiquorMart POS almost certainly doesn't require a VC of any particular type, the cashier will probably just make the sale. In contrast, the same use case using zCaps would originate at the credit card company and invoking it at either the LiquorMart or Ralph's would definitively validate the purchase according to the delegation framework as defined by the credit card company... and the retailer would immediately know whether or not the transaction is valid.
>>>> 
>>>> zCaps is a particular set of semantically rigorous operations that define, without ambiguity, how delegation and invocation proceeds for particular actions at a given issuer. I have my doubts about the wisdom of shoe-horning custom semantics into the VC structure, which is meant for verifying statements by one source at another. Statements across trust boundaries and actions within a singular trust context are two very different beasts, IMO.
>>>> 
>>>> I also read through the article contrasting zCaps with your approach (https://github.com/hyperledger/aries-rfcs/blob/master/concepts/0104-chained-credentials/contrast-zcap-ld.md). 
>>>> 
>>>> I won't go into it line-by-line here, but I do invite others to review it. 
>>>> 
>>>> There are some misconceptions about how zCaps work (verifying a DID signature doesn't require phoning home to the DID subject) and some root disagreements about priorities (ZKP ALL-THE-THINGS). I also have my doubts about the security implications of "short circuiting" VC issuance.
>>>> 
>>>> That said, I'll repeat my opening statement. YES, you can use VCs to construct delegations. 
>>>> 
>>>> But IMO doing so is barely more rigorous than using a printed contract for the same purpose. Maybe it will be accepted by a verifier, maybe it won't. Maybe it will make sense to a verifier, maybe it won't. Maybe it will be delegated appropriately, maybe it won't. Maybe the verifier will be able to make sense of delegations, maybe they won't. zCaps fixes all that ambiguity, IMO.
>>>> 
>>>> Let me finish by inviting you to present your approach on a future call. My discussion was to socialize a distinction between credentials and capabilities that is creating value for people I'm working with. As CCG co-chair, it would be a service to the community if you could present your approach to directed capabilities.
>>>> 
>>>> Would you be up for that?
>>>> 
>>>> -j
>>>> 
>>>> On Tue, Feb 18, 2020, at 10:52 AM, Daniel Hardman wrote:
>>>>> FWIW, I would like to offer the following alternative perspective to the ideas in Joe's slides.
>>>>> 
>>>>> 1. Credentials can be made delegatable, and they can be attenuated. This collapses the most interesting differences between credentials and capabilities, making a special new data format for capabilities unnecessary. Capabilities can be done with VCs (any type that's W3C-data-model-compliant).
>>>>> 
>>>>> 2. The problem of extending privileges (delegation and attenuation) is actually a special case of the more general problem of data provenance. Delegation just requires that we show the provenance of privileges (did these privileges derive from someone who had them to give away?). But solving the data provenance problem has additional far-reaching benefits (a small employer can prove the provenance of data that they collected from an employee, that originated in a passport -- and the assurance associated with the employment credential, for those attributes, can be as strong as it was for data directly from the passport itself, instead of being governed by whatever trust someone might be inclined to give to the small and unfamiliar employer).
>>>>> 
>>>>> This is discussed at length in Aries RFC 0104: https://github.com/hyperledger/aries-rfcs/blob/master/concepts/0104-chained-credentials/README.md
>>>>> 
>>>>> 
>>>>> On Tue, Feb 18, 2020 at 11:06 AM Joe Andrieu <joe@legreq.com> wrote:
>>>>>> __
>>>>>> Here's a link to the powerpoint for today's tech talk.
>>>>>> 
>>>>>> https://github.com/w3c-ccg/meetings/blob/gh-pages/2020-02-18/credentials_and_capabilities.pptx?raw=true
>>>>>> 
>>>>>> -j
>>>>>> 
>>>>>> --
>>>>>> Joe Andrieu, PMP joe@legreq.com
>>>>>> LEGENDARY REQUIREMENTS +1(805)705-8651
>>>>>> Do what matters. http://legreq.com <http://www.legendaryrequirements.com/>
>>>>>> 
>>>>>> 
>>>> 
>>>> --
>>>> Joe Andrieu, PMP joe@legreq.com
>>>> LEGENDARY REQUIREMENTS +1(805)705-8651
>>>> Do what matters. http://legreq.com <http://www.legendaryrequirements.com/>
>>>> 
>>>> 
>> 
>> --
>> Joe Andrieu, PMP joe@legreq.com
>> LEGENDARY REQUIREMENTS +1(805)705-8651
>> Do what matters. http://legreq.com <http://www.legendaryrequirements.com/>
>> 
>> 

--
Joe Andrieu, PMP joe@legreq.com
LEGENDARY REQUIREMENTS +1(805)705-8651
Do what matters. http://legreq.com <http://www.legendaryrequirements.com/>
Received on Wednesday, 19 February 2020 00:40:03 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:24:57 UTC