
OAuth2.0 and VCs

From: Nikos Fotiou <fotiou@aueb.gr>
Date: Mon, 26 Apr 2021 14:22:45 +0300
Message-Id: <1C6F3503-09C4-4CB3-9010-C4BD56FA9DC5@aueb.gr>
To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Hi,
I would like to share with you a paper we have written that will be presented at IEEE ICCCN 2021 (http://www.icccn.org/). You can find the paper here: https://arxiv.org/abs/2104.11515. We tried to couple OAuth 2.0 flows with JWT/JWS and VCs in order to implement capabilities-based access control. Our goal was to show gains with minimal changes. Some things that might be of interest:

* We used Proof-of-Possession Key Semantics for JSON Web Tokens (RFC 7800) instead of credentialSubject `id`
* We used OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) (https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/) for proving VC ownership
* We discuss how Revocation list 2020 has better privacy properties compared to RFC 7662 (which can be used for examining the status of an access token)

Moreover, I have to clarify that JWT/JWS encoding was just a design choice and Linked-Data proofs can be used instead. Moreover, and as we discuss in the paper, zcaps can be used instead of VCs. I believe that examining the use of OAuth 2.0 for granting VCs/zcaps has value, especially if the subjects are not humans, e.g., for issuing VCs/zcaps for IoT devices.

Best,
Nikos

--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr
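The two design points the post mentions, an RFC 7800 `cnf` claim in place of a `credentialSubject.id` and a DPoP proof for showing that the presenter holds the matching key, are illustrated below from the verifier's side. This is an added example written for this archive page, not code from the paper or from any of the referenced specifications. It assumes Ed25519 keys (JWS `alg` EdDSA, OKP JWKs), a JWT-encoded VC as the post describes, and that the DPoP `ath` claim hashes the presented VC the way the draft hashes an access token; the issuer identifier, resource URL and credential contents are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Unpadded base64url, as JWS (RFC 7515) requires.
var b64 = base64.RawURLEncoding

// NewKeyPair returns an Ed25519 key pair (JWS alg "EdDSA").
func NewKeyPair() (ed25519.PrivateKey, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv, pub
}

// okpJWK renders an Ed25519 public key as an OKP JWK (RFC 8037).
func okpJWK(pub ed25519.PublicKey) map[string]any {
	return map[string]any{"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(pub)}
}

// pubFromJWK is the inverse; anything but a well-formed Ed25519 OKP key is rejected.
func pubFromJWK(j any) (ed25519.PublicKey, error) {
	m, _ := j.(map[string]any)
	x, _ := m["x"].(string)
	raw, err := b64.DecodeString(x)
	if m["kty"] != "OKP" || m["crv"] != "Ed25519" || err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("unsupported or malformed jwk")
	}
	return ed25519.PublicKey(raw), nil
}

// signJWS produces a compact JWS (header.payload.signature) with EdDSA.
func signJWS(header, claims map[string]any, priv ed25519.PrivateKey) string {
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// decodeJWS parses header and claims; the returned closure checks the signature
// under whichever key the caller has decided is the right one.
func decodeJWS(token string) (hdr, clm map[string]any, verify func(ed25519.PublicKey) bool, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, nil, nil, errors.New("malformed JWS")
	}
	hb, e1 := b64.DecodeString(p[0])
	cb, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &clm) != nil {
		return nil, nil, nil, errors.New("undecodable JWS")
	}
	verify = func(pub ed25519.PublicKey) bool { return ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) }
	return hdr, clm, verify, nil
}

// IssueVC signs a JWT-encoded VC whose cnf claim (RFC 7800) carries the holder's public key
// instead of a credentialSubject id. Issuer DID and credential body are placeholders.
func IssueVC(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, iat int64) string {
	claims := map[string]any{
		"iss": "did:example:issuer", "iat": iat,
		"vc": map[string]any{"type": []string{"VerifiableCredential", "DeviceCapability"},
			"credentialSubject": map[string]any{"capability": "sensor:read"}},
		"cnf": map[string]any{"jwk": okpJWK(holderPub)},
	}
	return signJWS(map[string]any{"alg": "EdDSA", "typ": "JWT"}, claims, issuerPriv)
}

// DPoPProof is the holder's per-request proof of possession (draft-ietf-oauth-dpop shape):
// the header carries the holder's public JWK; the claims bind HTTP method, URL, time,
// a fresh jti and (ath, an assumption here) the SHA-256 of the presented VC.
func DPoPProof(holderPriv ed25519.PrivateKey, method, url, vc string, iat int64) string {
	ath := sha256.Sum256([]byte(vc))
	nonce := make([]byte, 16)
	rand.Read(nonce)
	hdr := map[string]any{"typ": "dpop+jwt", "alg": "EdDSA", "jwk": okpJWK(holderPriv.Public().(ed25519.PublicKey))}
	clm := map[string]any{"htm": method, "htu": url, "iat": iat, "jti": b64.EncodeToString(nonce), "ath": b64.EncodeToString(ath[:])}
	return signJWS(hdr, clm, holderPriv)
}

// Verifier is the resource server: it trusts one issuer key and remembers used jti values.
type Verifier struct {
	IssuerPub ed25519.PublicKey
	seen      map[string]bool
}

// Verify accepts the request only if the VC is issuer-signed, the proof is signed by the
// key named in cnf, and the proof is bound to this request, fresh, and not replayed.
func (v *Verifier) Verify(vc, proof, method, url string, now int64) error {
	_, vcClaims, vcVerify, err := decodeJWS(vc)
	if err != nil || !vcVerify(v.IssuerPub) {
		return errors.New("VC rejected: bad issuer signature")
	}
	cnf, _ := vcClaims["cnf"].(map[string]any)
	holderPub, err := pubFromJWK(cnf["jwk"])
	if err != nil {
		return errors.New("VC rejected: no usable cnf key")
	}
	hdr, clm, proofVerify, err := decodeJWS(proof)
	if err != nil || hdr["typ"] != "dpop+jwt" {
		return errors.New("proof rejected: not a DPoP proof")
	}
	proofPub, err := pubFromJWK(hdr["jwk"])
	if err != nil || !bytes.Equal(proofPub, holderPub) {
		return errors.New("proof rejected: key does not match VC cnf")
	}
	if !proofVerify(proofPub) {
		return errors.New("proof rejected: bad signature")
	}
	ath := sha256.Sum256([]byte(vc))
	iat, _ := clm["iat"].(float64)
	jti, _ := clm["jti"].(string)
	switch {
	case clm["htm"] != method || clm["htu"] != url:
		return errors.New("proof rejected: bound to another request")
	case clm["ath"] != b64.EncodeToString(ath[:]):
		return errors.New("proof rejected: ath does not match presented VC")
	case now-int64(iat) > 60 || int64(iat)-now > 60:
		return errors.New("proof rejected: stale iat")
	case jti == "" || v.seen[jti]:
		return errors.New("proof rejected: replayed jti")
	}
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	v.seen[jti] = true
	return nil
}

func main() {
	issPriv, issPub := NewKeyPair()
	holdPriv, holdPub := NewKeyPair()
	vc := IssueVC(issPriv, holdPub, 1700000000)
	proof := DPoPProof(holdPriv, "GET", "https://rs.example/sensor", vc, 1700000000)
	v := &Verifier{IssuerPub: issPub}
	fmt.Println("first use:", v.Verify(vc, proof, "GET", "https://rs.example/sensor", 1700000010))
	fmt.Println("replay:   ", v.Verify(vc, proof, "GET", "https://rs.example/sensor", 1700000020))
}
```

The order of checks is deliberate: the verifier first establishes which key the issuer bound to the credential, then insists the proof's header key is that key before it spends a signature verification on it, so a proof from any other key (a stolen VC presented by someone else) fails on the binding rather than on the signature. Stolen proofs are limited by `htm`/`htu`, the `iat` window and the `jti` cache; a real deployment would back the cache with a TTL store rather than an in-memory map.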


Received on Monday, 26 April 2021 11:23:01 UTC
