RE: Any Good use case of PAM (Privileged account Management) using Vcs

RE: But, when designing technical systems, it is important that we attend to the precise technical nature of the actions we are modeling and that we don't allow the ambiguity of common parlance to confuse matters. Technically: No matter how many trades occur, the bits which constitute the NFT continue to exist unchanged and potentially in an unknowable number of copies. When you "sell" an NFT what you are actually doing is changing the assignment of the right to claim, and demonstrate, the right to exercise those rights which the NFT represents.


  1.  I generally, even strongly, agree, but there are issues with the use of the term “credential”.

Digging into the details…


  1.  The term “credential” does not imply and is not synonymous with a “verifiable credential” – the latter being a specialization of a credential (watch https://www.youtube.com/watch?v=9RLYS7Xvabc&list=PLU-rWqHm5p45dzXF2LJZjuNVJrOUR6DaD&index=2).
  2.  In the Trusted Digital Web, a credential is simply a collection of claims – one of which may be a claim named “id”.
  3.  A claim is a name-value pair.
  4.  With respect to NFTs, in the Trusted Digital Web, an NFT (https://twitter.com/mwherman2000/status/1465372806670176259) is represented as a verifiable credential (N) … a “#trusted, digital description (trustable credential or token) representing something real or imagined; physical, digital, or virtual. Trustable implies the token is signed and verifiable.”
  5.  Key Point: Ownership of the N (and, hence, indirectly, ownership of the underlying asset) is represented by a second “ownership” verifiable credential, O1 …not N …which once created/minted/issued is immutable (per Bob’s point above).
  6.  Next, N is embedded inside the credentialSubject of O1. That is, N (in its entirety) is embedded as a claim inside O1’s credentialSubject. O1’s credentialSubject also includes other claims that support who the current owner is/was (owner identity), timestamps, issuer identity, duration/expiry, fractionalization, etc. …that is, whatever additional metadata/properties/attributes/claims are stipulated by a particular jurisdiction (aka marketplace) for the asset class(es) that N is a part/example of.
  7.  Ownership of N is transferred to a new owner in the marketplace when the marketplace processes and governance create/mint/issue a new ownership VC, O2, referencing the new owner and embedding that exact same N (NFT VC).

“More news at 11…”,
Michael Herman
Founder
Trusted Digital Web

From: Bob Wyman <bob@wyman.us>
Sent: Thursday, December 2, 2021 2:11 AM
To: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Cc: drummond.reed@evernym.com; sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Any Good use case of PAM (Privileged account Management) using Vcs

You wrote:
If I choose to sell the NFT, I’m not only delegating its rights but entire ownership of the NFT VC.
"Ownership" is a term used to describe a subset of conventional rights and sometimes duties, established by various political jurisdictions, that may be associated with one's relationship to a thing. Those rights are distinct from the thing itself and are also distinct from the affordances derived from mere possession of that thing. (Possession may afford an ability to benefit from some thing, but ownership assigns you a specific legal right(s) to do so in a certain way(s).) When a thing is sold, the sale does not modify the thing itself, only the assignment of the legal rights and duties associated with it. If permitted by applicable law, the act of sale may, by law, modify some of those rights and duties. (e.g. In some legal systems, some rights of ownership of some kinds of things may only be enjoyed by one who has specific characteristics.)

When you "sell" an NFT, you aren't actually selling the NFT itself even though we commonly say that you do. But, when designing technical systems, it is important that we attend to the precise technical nature of the actions we are modeling and that we don't allow the ambiguity of common parlance to confuse matters. Technically: No matter how many trades occur, the bits which constitute the NFT continue to exist unchanged and potentially in an unknowable number of copies. When you "sell" an NFT what you are actually doing is changing the assignment of the right to claim, and demonstrate, the right to exercise those rights which the NFT represents. If you were to delegate (i.e. loan?) an NFT, you would not be transferring ownership of the NFT, but rather just the right to exercise some of the rights of ownership. Just as delegation of a credential does not cause the delegatee to become the delegator, even though the delegatee may act as the delegator, the delegation of an NFT does not make the delegatee the owner of the NFT. Delegation merely authorizes the delegatee to exercise some of the delegator's rights.

In summary: You should delegate rights, not credentials.

bob wyman
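The layering Michael describes above (the NFT credential N embedded whole in O1's credentialSubject, a sale minting a fresh O2 around the identical N) together with Bob's "delegate rights, not credentials", as an added Python sketch that is not code from this thread or from the Trusted Digital Web: the DIDs, URNs, credential type names and the sorted-key JSON digest are constructed assumptions, and no proofs are generated.

```python
import copy
import hashlib
import json

def digest(doc: dict) -> str:
    """SHA-256 over sorted-key JSON: a constructed stand-in for real VC canonicalisation."""
    return hashlib.sha256(json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def make_nft_vc(nft_id: str, description: str, issuer: str) -> dict:
    """N: the NFT itself, described as a credential (unsigned in this sketch)."""
    return {"id": nft_id, "type": ["VerifiableCredential", "NFTCredential"],
            "issuer": issuer, "credentialSubject": {"id": nft_id, "description": description}}

def mint_ownership_vc(oid: str, owner: str, nft_vc: dict, issued: str, marketplace: str) -> dict:
    """O: an ownership credential whose credentialSubject embeds N in its entirety plus owner metadata."""
    return {"id": oid, "type": ["VerifiableCredential", "OwnershipCredential"],
            "issuer": marketplace, "issuanceDate": issued,
            "credentialSubject": {"owner": owner, "nft": copy.deepcopy(nft_vc)}}

def transfer_ownership(prev: dict, new_owner: str, new_oid: str, issued: str) -> dict:
    """A sale: the marketplace mints O2 around the identical N; O1 is never modified."""
    return mint_ownership_vc(new_oid, new_owner, prev["credentialSubject"]["nft"], issued, prev["issuer"])

def delegate_rights(owner_vc: dict, delegatee: str, rights: list, issued: str) -> dict:
    """A separate delegation credential issued by the current owner: the delegatee may exercise
    the listed rights under their own identity, while the ownership credential stays untouched."""
    return {"id": owner_vc["id"] + "/delegation/1", "type": ["VerifiableCredential", "RightsDelegation"],
            "issuer": owner_vc["credentialSubject"]["owner"], "issuanceDate": issued,
            "credentialSubject": {"id": delegatee, "rights": sorted(rights),
                                  "ownershipCredential": owner_vc["id"]}}

def demo() -> dict:
    """Constructed walk-through: mint N, issue O1, sell (O2), then delegate one right."""
    n = make_nft_vc("urn:example:nft:1", "constructed sample asset", "did:example:creator")
    o1 = mint_ownership_vc("urn:example:own:1", "did:example:alice", n, "2021-12-01", "did:example:market")
    o1_before = digest(o1)
    o2 = transfer_ownership(o1, "did:example:bob", "urn:example:own:2", "2021-12-02")
    d = delegate_rights(o2, "did:example:carol", ["display"], "2021-12-03")
    return {"same_nft": digest(o1["credentialSubject"]["nft"]) == digest(o2["credentialSubject"]["nft"]),
            "o1_unchanged": digest(o1) == o1_before,
            "owner_after_sale": o2["credentialSubject"]["owner"],
            "delegation_issuer": d["issuer"],
            "delegatee_is_owner": d["credentialSubject"]["id"] == o2["credentialSubject"]["owner"]}
```

In a real deployment O1, O2 and the delegation credential would each carry their issuer's proof, and a verifier would check the embedded N independently of the ownership wrapper; the delegatee's actions remain traceable to the delegatee because the delegation names them as subject rather than handing over the owner's credential.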


On Wed, Dec 1, 2021 at 11:42 AM Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net> wrote:
RE: "One should delegate rights, not credentials." Perfectly put, Bob.

It totally depends on what the credential represents …in general, you can’t make a blanket statement like the above.

Suppose, for example, the credentialSubject is an NFT (represented as an embedded VC). If I choose to sell the NFT, I’m not only delegating its rights but entire ownership of the NFT VC.

Michael Herman
Founder
Trusted Digital Web

From: Drummond Reed <drummond.reed@evernym.com>
Sent: Sunday, November 7, 2021 7:41 PM
To: Bob Wyman <bob@wyman.us>
Cc: sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Any Good use case of PAM (Privileged account Management) using Vcs

"One should delegate rights, not credentials." Perfectly put, Bob.

BTW, one can use a special class of VCs to delegate rights. There are several efforts to define such delegation models—see this discussion of Zcaps (https://kyledenhartog.com/comparing-VCs-with-zcaps/) from Kyle Den Hartog and the ToIP Authentic Chained Data Container (ACDC) Task Force (https://wiki.trustoverip.org/display/HOME/ACDC+%28Authentic+Chained+Data+Container%29+Task+Force).

Best,

=Drummond

On Sun, Nov 7, 2021 at 11:17 AM Bob Wyman <bob@wyman.us> wrote:
Sethi,
You asked: "I want to give Access of a machine to my Colleague by sharing VC of (Privileged account) ."

Delegating the rights associated with a VC is sometimes quite reasonable and may be supported; however, delegating the right to use an existing VC should not be supported. In commonly understood terms, it might sometimes be reasonable for me to delegate to you the right to act on my behalf, but it is never reasonable to delegate to you the right to "be" me. If you take an action, based on rights which were originally delegated to me, the fact that it was you, not me, who acted, should be discoverable, even if I approve of your actions. A common example of this is when someone uses a "Power of Attorney" to sign a contract. When they do, they typically sign documents with their own names and an annotation "on behalf of," "for," or "by power of attorney"; they don't forge the signature of the one who granted the power of attorney.

One should delegate rights, not credentials.

bob wyman


On Sat, Nov 6, 2021 at 7:48 PM sethi shivam <sethishivam27@gmail.com> wrote:
Hi Team,

Is it possible that we can give our VCs to someone for a particular period of time?

Like, I am on vacation and I want to give access to a machine to my colleague by sharing the VC of a privileged account.

And my second question is:

Is there any good enterprise-level use case of managing privileged accounts using VCs?

I am just trying to explore PIM-PAM use cases with VCs.
PIM = Privileged Identity Management

Today we have many tools like CyberArk, BeyondTrust.


Best Regards
Sethi Shivam

Received on Thursday, 2 December 2021 09:49:44 UTC