W3C home > Mailing lists > Public > public-credentials@w3.org > August 2021

Re: Create GNAP authorization specification for VC HTTP API (was: Re: Request for CCG Chair Intervention in CCG Process)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 22 Aug 2021 13:04:26 -0400
To: public-credentials@w3.org
Message-ID: <b6ff17af-2c00-5c73-cae3-ed1f7e762624@digitalbazaar.com>
Hi David,

You said this:

On 8/22/21 12:19 PM, David Chadwick wrote:
> I was proposing that the separate document be an  authorisation document 
> for the HTTP API, saying which authorisation mechanisms may, should or must
> be used. So that the HTTP API can concentrate on the functionality of the
> API, assuming that another document will describe the authentication and
> authorisation mechanism(s).

... and then you said this:

> Surely the http api should concentrate on the functionality of the 
> endpoints, and authentication and authorisation is required for all of 
> them, which can be the subject of the new document that Orie is suggesting.
> I also assume that using the term authorisation implies authentication as
> well, since you cannot authorise anyone without authentication e.g. I
> present an authz token to you, but you still have to authenticate and
> verify the token.

... and all of that together confused me. Let me try to expand each concern below:

> I was proposing that the separate document be an  authorisation document 
> for the HTTP API, saying which authorisation mechanisms may, should or must
> be used.

This will almost certainly re-create the same issue we have now, where people
are fighting over OAuth2 Client Credentials and GNAP/RAR in the same document. It
just shifts the exact same discussion to a separate document where the same
conversation we've been having will play out again.

I believe Orie is saying -- "separate the GNAP portion out and put it in
another specification, on another call". He'll have to clarify what he meant
before we can chase this down any further.

> Surely the http api should concentrate on the functionality of the 
> endpoints, and authentication and authorisation is required for all of 
> them

That is not clear at this point. I don't think we can make the statement that
"surely authn/authz is required for all VC HTTP API endpoints". Some may be
completely unauthenticated (in order to get a response) -- e.g., Search
engines don't authenticate or authorize you before they return search results
to you. The presentation APIs fall into this category of "no authn/authz
necessary". See why your assumption might not hold here:

https://lists.w3.org/Archives/Public/public-credentials/2021Aug/0318.html

>> I also assume that using the term authorisation implies authentication as
>> well, since you cannot authorise anyone without authentication e.g. I 
>> present an authz token to you, but you still have to authenticate and 
>> verify the token.

I think it might be confusing to use the word "authentication" in the way that
you are. I think I know what you're saying, which is "One needs to determine
that an authorization token *is authentic* to allow the request to proceed."

If we were to put this into a set of steps, it would be:

1. Client authenticates in order to receive an
   authorization token of some kind.
2. Client performs a request to the VC HTTP API with the
   authorization token.
3. Server determines if the authorization token is
   valid and either allows or deny's the request.

As far as I've heard so far, step #1 and #3 is out of scope for the VC HTTP
API, and step #2 is in scope for the VC HTTP API. That is, "We don't care how
you got your authorization token, or how the server determines if it's good
enough for the operation being performed... but we do care about what types of
authorization tokens you can provide because we can't achieve interoperability
w/o defining at least one mechanism."

At this point, I think you and Orie are asking for different things, David.
Did I misunderstand anything?

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Sunday, 22 August 2021 17:04:48 UTC

This archive was generated by hypermail 2.4.0 : Sunday, 22 August 2021 17:04:50 UTC