On 22/08/2021 15:10, Manu Sporny wrote:
On 8/21/21 7:26 PM, steve capell wrote:
* I'm unclear about which VC-API interactions should require authorisation
and which should not.
There is clarity on most, but not all, of the endpoints we have defined so far
wrt. authorization. There is a column here marked "Authorization Required?":

https://docs.google.com/spreadsheets/d/1hlevKRxCXsJBWvJTkL30nZVp8cpF26aY3PJqzuHtIZE/edit#gid=0

To be clear, we're talking exclusively about authorization (not
authentication, e.g., DIDAuth -- that's out of scope).

* I can imagine that an issuer will certainly want to authorise a subject 
that is requesting a VC.  "yes, that's the john smith we know, here's your 
digital drivers license"
The term I believe you meant to use was "authenticate", because
"authorization" is subtly orthogonal. So, let's make sure we're talking about
the same thing first:

https://stackoverflow.com/a/6556548

"yes, that's the john smith we know" is authentication

"and given that it's the john smith we know, he is authorized to receive a
digital driver's license" is authorization.

"here's your digital drivers license" presumes some sort of authorization took
place. Providing the digital drivers license happens AFTER authorization was
successful.

* But I cant imagine why or how a verifier will want to authorise John
when he presents his license as proof of age in a bottle shop because
there's very unlikely to have been any a-priori registration of either john
or his chosen system to the bottle shop system. Instead I'd expect an
anonymous access "yes, that's a valid drivers license and, yes, the photo
on it looks like you sir, here's your vodka".
Again, "yes, that's a valid drivers license and, yes, the photo on it looks
like you sir" is authentication.

"and given that you're above the age of ??, you are allowed to purchase
alcohol" is authorization.

"here's your vodka" presumes some sort of authorization took place.

You're not far off, but we do need to make sure we're very clear about what
we're talking about "authorization", and what's not necessarily the focus of
the current discussion "authentication".

would it be possible to see a diagram of VC-API interactions with some 
indication of which require auth and which dont?
Column G here:

https://docs.google.com/spreadsheets/d/1hlevKRxCXsJBWvJTkL30nZVp8cpF26aY3PJqzuHtIZE/edit#gid=0

The Use Cases team is working on some more detailed data flow diagrams to
elaborate upon the matter further. I expect we're several weeks of from those
being done.

Did that help, Steve?
Surely the http api should concentrate on the functionality of the endpoints, and authentication and authorisation is required for all of them, which can be the subject of the new document that Orie is suggesting. I also assume that using the term authorisation implies authentication as well, since you cannot authorise anyone without authentication e.g. I present an authz token to you, but you still have to authenticate and verify the token.

-- manu