- From: Nikos Fotiou <fotiou@aueb.gr>
- Date: Sat, 3 Apr 2021 21:39:26 +0300
- To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-Id: <EC2F36D7-65B6-4F4D-B122-46E85D6877DB@aueb.gr>
Hi,

I was reading the zcaps draft, as well as related work, mostly macaroons (https://research.google/pubs/pub41892/).

Something that I found confusing about capability documents is that they do not make clear the actions they concern. For example, from this https://w3c-ccg.github.io/zcap-ld/#example-1 it is not clear that this is a capability for "driving a car".

A second comment is that, IMHO, the draft does not do a good job of communicating the importance of caveats, which I believe is the most important property of zcaps. I tend to believe this happens because of the selected use case. I understood the importance of caveats better by reading the evaluation scenario of macaroons. There, in a nutshell, they consider the case of a photo storage service. A user has received a token (a "macaroon") that gives him access to all his photos for a long period. Then he decides to use a photo editing application to edit a particular photo: he creates a new macaroon that gives the application access to a *particular* photo for a limited time. From this, it is clear not only how important caveats are, but also how challenging it is to implement and evaluate them correctly, e.g., a caveat can only confine a capability you already have.

Best,
Nikos

--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Saturday, 3 April 2021 18:39:42 UTC