
Re: Any Good use case of PAM (Privileged account Management) using Vcs

From: Bob Wyman <bob@wyman.us>
Date: Thu, 2 Dec 2021 02:11:21 -0500
Message-ID: <CAA1s49Xg-KZuhyuoMNjVnC+VRrhrPyuNOkK6f9cS8BHoZZnAeg@mail.gmail.com>
To: "Michael Herman (Trusted Digital Web)" <mwherman@parallelspace.net>
Cc: "drummond.reed@evernym.com" <drummond.reed@evernym.com>, sethi shivam <sethishivam27@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
You wrote:

> If I choose to sell the NFT, I’m not only delegating its rights but entire
> ownership of the NFT VC.

"Ownership" is a term used to describe a subset of conventional rights
and sometimes duties, established by various political jurisdictions,
that may be associated with one's relationship to a thing. Those rights are
distinct from the thing itself and are also distinct from the affordances
derived from mere possession of that thing. (Possession may afford an
ability to benefit from some thing, but ownership assigns you a specific
legal right(s) to do so in a certain way(s).) When a thing is sold, the
sale does not modify the thing itself, only the assignment of the legal
rights and duties associated with it. If permitted by applicable law, the
act of sale may, by law, modify some of those rights and duties. (e.g. In
some legal systems, some rights of ownership of some kinds of things may
only be enjoyed by one who has specific characteristics.)

When you "sell" an NFT, you aren't actually selling the NFT itself even
though we commonly say that you do. But, when designing technical systems,
it is important that we attend to the precise technical nature of the
actions we are modeling and that we don't allow the ambiguity of common
parlance to confuse matters. Technically: No matter how many trades occur,
the bits which constitute the NFT continue to exist unchanged and
potentially in an unknowable number of copies. When you "sell" an NFT what
you are actually doing is changing the assignment of the right to claim,
and demonstrate, the right to exercise those rights which the NFT
represents. If you were to delegate (i.e. loan?) an NFT, you would not be
transferring ownership of the NFT, but rather just the right to exercise
some of the rights of ownership. Just as delegation of a credential does
not cause the delegatee to become the delegator, even though the delegatee
may act as the delegator, the delegation of an NFT does not make the
delegatee the owner of the NFT. Delegation merely authorizes the delegatee
to exercise some of the delegator's rights.

In summary: You should delegate rights, not credentials.

bob wyman


On Wed, Dec 1, 2021 at 11:42 AM Michael Herman (Trusted Digital Web) <
mwherman@parallelspace.net> wrote:

> RE: "One should delegate rights, not credentials." Perfectly put, Bob.
>
> It totally depends on what the credential represents …in general, you
> can’t make a blanket statement like the above.
>
> Suppose, for example, the credentialSubject is an NFT (represented as an
> embedded VC). If I choose to sell the NFT, I’m not only delegating its
> rights but entire ownership of the NFT VC.
>
> Michael Herman
> Founder
> Trusted Digital Web
>
> *From:* Drummond Reed <drummond.reed@evernym.com>
> *Sent:* Sunday, November 7, 2021 7:41 PM
> *To:* Bob Wyman <bob@wyman.us>
> *Cc:* sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public
> List) <public-credentials@w3.org>
> *Subject:* Re: Any Good use case of PAM (Privileged account Management)
> using Vcs
>
> "One should delegate rights, not credentials." Perfectly put, Bob.
>
> BTW, one *can* use a special class of VCs to delegate rights. There are
> several efforts to define such delegation models—see this discussion of
> Zcaps <https://kyledenhartog.com/comparing-VCs-with-zcaps/> from Kyle Den
> Hartog and the ToIP Authentic Chained Data Container
> <https://wiki.trustoverip.org/display/HOME/ACDC+%28Authentic+Chained+Data+Container%29+Task+Force>
> (ACDC) Task Force.
>
> Best,
>
> =Drummond
>
> On Sun, Nov 7, 2021 at 11:17 AM Bob Wyman <bob@wyman.us> wrote:
>
> Sethi,
>
> You asked: "I want to give Access of a machine to my Colleague by sharing
> VC of (Privileged account)."
>
> Delegating the rights associated with a VC is sometimes quite reasonable
> and may be supported, however, delegating the right to use an existing VC
> should not be supported. In commonly understood terms, it might sometimes
> be reasonable for me to delegate to you the right to act on my behalf, but
> it is never reasonable to delegate to you the right to "be" me. If you take
> an action, based on rights which were originally delegated to me, the fact
> that it was you, not me, who acted, should be discoverable, even if I
> approve of your actions. A common example of this is when someone uses a
> "Power of Attorney," to sign a contract. When they do, they typically sign
> documents with their own names and an annotation "on behalf of," "for," or
> "by power of attorney," they don't forge the signature of the one who
> granted the power of attorney.
>
> One should delegate rights, not credentials.
>
> bob wyman
>
> On Sat, Nov 6, 2021 at 7:48 PM sethi shivam <sethishivam27@gmail.com>
> wrote:
>
> Hi Team,
>
> Is it possible that we can give our Vcs to someone for a particular period
> of time.
>
> Like I am on vacation and I want to give Access of a machine to my
> Colleague by sharing VC of (Privileged account).
>
> and my second question is:
>
> Is there any good enterprise level use-case of managing Privileged
> accounts using Vcs.
>
> I am just trying to explore PIM-PAM use cases with Vcs
>
> PIM = Privileged Identity management
>
> Today we have many tools like Cyberark, beyondTrust
>
> Best Regards
>
> Sethi Shivam
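The model the thread converges on (delegate a time-bounded subset of rights, signed by the delegator with its own key, so the delegatee's action stays attributable to the delegatee and the delegator's credential never changes hands) as an added example that is not part of the thread and not the code of any zcap or ACDC implementation: a toy capability chain for Sethi's vacation scenario. The party identifiers, the machine name, the action names and the use of HMAC with per-party secrets in place of the public-key signatures a real deployment would use are all assumptions made for this example.

```python
import hashlib, hmac, json
# Constructed example; per-party secrets stand in for the signing keys of a real zcap deployment.
KEYS = {"did:ex:owner": b"owner-secret", "did:ex:colleague": b"colleague-secret",
        "did:ex:stranger": b"stranger-secret"}

def _sig(signer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def sign(signer, body):
    """Attach a proof naming the signer: whoever acts signs with their own key."""
    return dict(body, proof={"signer": signer, "sig": _sig(signer, body)})

def proof_ok(doc):
    body = {k: v for k, v in doc.items() if k != "proof"}
    return hmac.compare_digest(_sig(doc["proof"]["signer"], body), doc["proof"]["sig"])

def root_capability(owner, target, actions):
    return sign(owner, {"target": target, "controller": owner,
                        "actions": actions, "expires": None})

def delegate(parent, delegatee, actions, expires):
    """Parent's controller hands over a subset of its rights for a limited time."""
    return sign(parent["controller"], {"parent": parent, "controller": delegatee,
                                       "actions": actions, "expires": expires})

def invoke(cap, invoker, action):
    return sign(invoker, {"capability": cap, "action": action})

def verify_invocation(inv, target, now):
    """Return (accepted, acting_party); the acting party is the invoker, never the owner."""
    if not proof_ok(inv):
        return False, None
    invoker, cap = inv["proof"]["signer"], inv["capability"]
    if invoker != cap["controller"] or inv["action"] not in cap["actions"]:
        return False, invoker
    # Walk up the chain: each link is signed by its parent's controller, only
    # narrows the parent's rights, and carries an expiry no later than the parent's.
    while "parent" in cap:
        parent = cap["parent"]
        bad = (not proof_ok(cap) or cap["proof"]["signer"] != parent["controller"]
               or not set(cap["actions"]) <= set(parent["actions"])
               or cap["expires"] is None or now > cap["expires"]
               or (parent["expires"] is not None and cap["expires"] > parent["expires"]))
        if bad:
            return False, invoker
        cap = parent
    root_ok = proof_ok(cap) and cap["proof"]["signer"] == cap["controller"]
    return (root_ok and cap["target"] == target), invoker
```

The verifier's second return value is what makes the colleague's actions discoverable in the audit trail: the owner's key never signs the invocation, so nothing in the chain lets the delegatee "be" the owner.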
Received on Thursday, 2 December 2021 07:11:46 UTC
