- From: Joosten, H.J.M. (Rieks) <rieks.joosten@tno.nl>
- Date: Thu, 2 Dec 2021 08:44:22 +0000
- To: Bob Wyman <bob@wyman.us>, "Michael Herman (Trusted Digital Web)" <mwherman@parallelspace.net>
- CC: "drummond.reed@evernym.com" <drummond.reed@evernym.com>, sethi shivam <sethishivam27@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <47346552314043ea99f4c379441d2162@tno.nl>
+10. You cannot delegate NFTs (or VCs). All you can do is delegate a right or duty that has been assigned to you, e.g. to perform an action on something, or to maintain a state of something. And you can also only delegate such a right or duty if it is actually delegatable (not all rights/duties are). You might however be able to issue a VC whose payload specifies a delegator, 1+ delegatees, the rights/duties being delegated, the actions to be performed or states to be maintained, the ‘somethings’ involved, and perhaps also some data that are assurances that the delegator had such rights/duties in the first place, and is entitled to delegate them.

And I love the phrase “… when designing technical systems, it is important that we attend to the precise technical nature of the actions we are modeling and that we don't allow the ambiguity of common parlance to confuse matters.”

Rieks

From: Bob Wyman <bob@wyman.us>
Sent: Thursday, 2 December 2021 08:11
To: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Cc: drummond.reed@evernym.com; sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Any Good use case of PAM (Privileged account Management) using Vcs

You wrote: If I choose to sell the NFT, I’m not only delegating its rights but entire ownership of the NFT VC.

"Ownership" is a term used to describe a subset of conventional rights and sometimes duties, established by various political jurisdictions, that may be associated with one's relationship to a thing. Those rights are distinct from the thing itself and are also distinct from the affordances derived from mere possession of that thing. (Possession may afford an ability to benefit from some thing, but ownership assigns you a specific legal right(s) to do so in a certain way(s).) When a thing is sold, the sale does not modify the thing itself, only the assignment of the legal rights and duties associated with it. If permitted by applicable law, the act of sale may, by law, modify some of those rights and duties. (e.g. In some legal systems, some rights of ownership of some kinds of things may only be enjoyed by one who has specific characteristics.)

When you "sell" an NFT, you aren't actually selling the NFT itself even though we commonly say that you do. But, when designing technical systems, it is important that we attend to the precise technical nature of the actions we are modeling and that we don't allow the ambiguity of common parlance to confuse matters. Technically: No matter how many trades occur, the bits which constitute the NFT continue to exist unchanged and potentially in an unknowable number of copies. When you "sell" an NFT what you are actually doing is changing the assignment of the right to claim, and demonstrate, the right to exercise those rights which the NFT represents.

If you were to delegate (i.e. loan?) an NFT, you would not be transferring ownership of the NFT, but rather just the right to exercise some of the rights of ownership. Just as delegation of a credential does not cause the delegatee to become the delegator, even though the delegatee may act as the delegator, the delegation of an NFT does not make the delegatee the owner of the NFT. Delegation merely authorizes the delegatee to exercise some of the delegator's rights.

In summary: You should delegate rights, not credentials.

bob wyman

On Wed, Dec 1, 2021 at 11:42 AM Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net> wrote:

RE: "One should delegate rights, not credentials." Perfectly put, Bob.

It totally depends on what the credential represents … in general, you can’t make a blanket statement like the above. Suppose, for example, the credentialSubject is an NFT (represented as an embedded VC). If I choose to sell the NFT, I’m not only delegating its rights but entire ownership of the NFT VC.

Michael Herman
Founder
Trusted Digital Web

From: Drummond Reed <drummond.reed@evernym.com>
Sent: Sunday, November 7, 2021 7:41 PM
To: Bob Wyman <bob@wyman.us>
Cc: sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Any Good use case of PAM (Privileged account Management) using Vcs

"One should delegate rights, not credentials." Perfectly put, Bob.

BTW, one can use a special class of VCs to delegate rights. There are several efforts to define such delegation models: see this discussion of Zcaps <https://kyledenhartog.com/comparing-VCs-with-zcaps/> from Kyle Den Hartog and the ToIP Authentic Chained Data Container (ACDC) Task Force <https://wiki.trustoverip.org/display/HOME/ACDC+%28Authentic+Chained+Data+Container%29+Task+Force>.

Best,
=Drummond

On Sun, Nov 7, 2021 at 11:17 AM Bob Wyman <bob@wyman.us> wrote:

Sethi,

You asked: "I want to give Access of a machine to my Colleague by sharing VC of (Privileged account)."

Delegating the rights associated with a VC is sometimes quite reasonable and may be supported; however, delegating the right to use an existing VC should not be supported. In commonly understood terms, it might sometimes be reasonable for me to delegate to you the right to act on my behalf, but it is never reasonable to delegate to you the right to "be" me. If you take an action, based on rights which were originally delegated to me, the fact that it was you, not me, who acted, should be discoverable, even if I approve of your actions. A common example of this is when someone uses a "Power of Attorney" to sign a contract. When they do, they typically sign documents with their own names and an annotation "on behalf of," "for," or "by power of attorney"; they don't forge the signature of the one who granted the power of attorney.

One should delegate rights, not credentials.

bob wyman

On Sat, Nov 6, 2021 at 7:48 PM sethi shivam <sethishivam27@gmail.com> wrote:

Hi Team,

Is it possible that we can give our VCs to someone for a particular period of time? Like I am on vacation and I want to give access of a machine to my colleague by sharing VC of (Privileged account).

And my second question is: Is there any good enterprise-level use case of managing Privileged accounts using VCs? I am just trying to explore PIM-PAM use cases with VCs (PIM = Privileged Identity Management). Today we have many tools like CyberArk, BeyondTrust.

Best Regards
Sethi Shivam
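As an added illustration of the delegation VC Rieks sketches (delegator, delegatees, delegated rights, assurance that the delegator held them) combined with Bob's rule that the delegatee acts on behalf of, never as, the delegator; this is example code, not from anyone in the thread, and the DIDs, field names, rights and two-week window are constructed assumptions:

```python
# Added example, not from the thread; DIDs and field names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class PrivilegedAccountVC:
    holder: str             # DID of the delegator (the privileged-account holder)
    rights: frozenset       # rights the holder actually has
    delegatable: frozenset  # the subset of those rights that may be delegated

@dataclass(frozen=True)
class DelegationVC:
    delegator: str
    delegatees: frozenset
    rights: frozenset               # rights/duties being delegated
    not_before: datetime
    not_after: datetime
    assurance: PrivilegedAccountVC  # evidence the delegator held those rights

def issue_delegation(holder_vc, delegatees, rights, not_before, not_after):
    """A delegator may only hand out rights it holds and that are delegatable."""
    rights = frozenset(rights)
    if not rights <= holder_vc.delegatable:
        raise ValueError("right not held or not delegatable")
    return DelegationVC(holder_vc.holder, frozenset(delegatees), rights,
                        not_before, not_after, holder_vc)

def authorize(actor, on_behalf_of, right, at, dvc):
    """Return an audit record naming the real actor, or None if denied."""
    if actor == dvc.delegator or actor not in dvc.delegatees:
        return None  # the delegatee acts for the delegator, never "as" them
    if on_behalf_of != dvc.delegator or right not in dvc.rights:
        return None  # right was not delegated (or not by this delegator)
    if right not in dvc.assurance.rights:
        return None  # delegator never held this right in the first place
    if not dvc.not_before <= at <= dvc.not_after:
        return None  # outside the agreed window (e.g. the vacation)
    return {"actor": actor, "on_behalf_of": dvc.delegator,
            "right": right, "at": at.isoformat()}

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def sample_delegation():
    """Constructed sample: Alice lends Bob ssh access to host-42 for two weeks."""
    alice = PrivilegedAccountVC("did:example:alice",
                                frozenset({"ssh:host-42", "sudo:host-42"}),
                                frozenset({"ssh:host-42"}))
    return issue_delegation(alice, {"did:example:bob"}, {"ssh:host-42"},
                            utc(2021, 12, 1), utc(2021, 12, 14))
```

The audit record always carries the delegatee's own identifier, so the fact that it was the colleague, not the account holder, who acted stays discoverable; the original privileged-account VC is never handed over.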
Received on Thursday, 2 December 2021 08:44:41 UTC