- From: Nikos Fotiou <fotiou@aueb.gr>
- Date: Mon, 26 Apr 2021 14:22:45 +0300
- To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-Id: <1C6F3503-09C4-4CB3-9010-C4BD56FA9DC5@aueb.gr>
Hi,

I would like to share with you a paper we have written and it will be presented at IEEE ICCCN 2021 (http://www.icccn.org/). You can find the paper here: https://arxiv.org/abs/2104.11515

We tried to couple OAuth 2.0 flows with JWT/JWS and VCs in order to implement capabilities-based access control. Our goal was to show gains with minimal changes. Some things that might be of interest:

* We used Proof-of-Possession Key Semantics for JSON Web Tokens (RFC 7800) instead of credentialSubject `id`
* We used OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) (https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/) for proving VC ownership
* We discuss how Revocation List 2020 has better privacy properties compared to RFC 7662 (which can be used for examining the status of an access token)

Moreover, I have to clarify that JWT/JWS encoding was just a design choice and Linked-Data proofs can be used instead. Moreover, and as we discuss in the paper, zcaps can be used instead of VCs. I believe that examining the use of OAuth 2.0 for granting VCs/zcaps has value, especially if the subjects are not humans, e.g., for issuing VCs/zcaps for IoT devices.

Best,
Nikos

--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Monday, 26 April 2021 11:23:01 UTC