
RE: Any Good use case of PAM (Privileged account Management) using Vcs

From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Date: Thu, 2 Dec 2021 09:59:55 +0000
To: "Joosten, H.J.M. (Rieks)" <rieks.joosten@tno.nl>, Bob Wyman <bob@wyman.us>
CC: "drummond.reed@evernym.com" <drummond.reed@evernym.com>, sethi shivam <sethishivam27@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <MWHPR1301MB209482A3D1258D7BC13AB7A1C3699@MWHPR1301MB2094.namprd13.prod.outlook.com>
RE: You cannot delegate […] (or VCs). All you can do is delegate a right or duty that has been assigned to you, e.g. to perform an action on something, or to maintain a state of something. And you can also only delegate such a right or duty if it is actually delegatable (not all rights/duties are).

Again, it depends, in the technical design of your system, how pervasively you choose to use VCs (as an object technology … reference: https://hyperonomy.com/2021/04/26/the-verifiable-economy-architecture-reference-model-ve-arm-fdo/). Also see my immediately previous email.

I can use one VC N to represent the NFT (and indirectly the underlying asset) and it is not delegable. Once created/minted/issued, it is immutable.

On the other hand, I can create a second VC, O1, that embeds N and represents the current/past ownership of N (per my previous email). Depending on your interpretation of the term “delegate/delegatable”, this VC, a verifiable credential, can be delegated but in reality it is simply superseded by the marketplace creating/minting/issuing a new ownership VC, O2, when the ownership of N changes.

Michael

From: Joosten, H.J.M. (Rieks) <rieks.joosten@tno.nl>
Sent: Thursday, December 2, 2021 3:44 AM
To: Bob Wyman <bob@wyman.us>; Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Cc: drummond.reed@evernym.com; sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: RE: Any Good use case of PAM (Privileged account Management) using Vcs

+10.  You cannot delegate NFTs (or VCs). All you can do is delegate a right or duty that has been assigned to you, e.g. to perform an action on something, or to maintain a state of something. And you can also only delegate such a right or duty if it is actually delegatable (not all rights/duties are).

You might however be able to issue a VC whose payload specifies a delegator, 1+ delegatees, the rights/duties being delegated, the actions to be performed or states to be maintained, the ‘somethings’ involved, and perhaps also some data that are assurances that the delegator had such rights/duties in the first place, and is entitled to delegate them.

And I love the phrase “… when designing technical systems, it is important that we attend to the precise technical nature of the actions we are modeling and that we don't allow the ambiguity of common parlance to confuse matters.”

Rieks


From: Bob Wyman <bob@wyman.us>
Sent: Thursday, 2 December 2021 08:11
To: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net>
Cc: drummond.reed@evernym.com; sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Any Good use case of PAM (Privileged account Management) using Vcs

You wrote:
If I choose to sell the NFT, I’m not only delegating its rights but entire ownership of the NFT VC.
"Ownership" is a term used to describe a subset of conventional rights and sometimes duties, established by various political jurisdictions, that may be associated with one's relationship to a thing. Those rights are distinct from the thing itself and are also distinct from the affordances derived from mere possession of that thing. (Possession may afford an ability to benefit from some thing, but ownership assigns you a specific legal right(s) to do so in a certain way(s).) When a thing is sold, the sale does not modify the thing itself, only the assignment of the legal rights and duties associated with it. If permitted by applicable law, the act of sale may, by law, modify some of those rights and duties. (e.g. In some legal systems, some rights of ownership of some kinds of things may only be enjoyed by one who has specific characteristics.)

When you "sell" an NFT, you aren't actually selling the NFT itself even though we commonly say that you do. But, when designing technical systems, it is important that we attend to the precise technical nature of the actions we are modeling and that we don't allow the ambiguity of common parlance to confuse matters. Technically: No matter how many trades occur, the bits which constitute the NFT continue to exist unchanged and potentially in an unknowable number of copies. When you "sell" an NFT what you are actually doing is changing the assignment of the right to claim, and demonstrate, the right to exercise those rights which the NFT represents. If you were to delegate (i.e. loan?) an NFT, you would not be transferring ownership of the NFT, but rather just the right to exercise some of the rights of ownership. Just as delegation of a credential does not cause the delegatee to become the delegator, even though the delegatee may act as the delegator, the delegation of an NFT does not make the delegatee the owner of the NFT. Delegation merely authorizes the delegatee to exercise some of the delegator's rights.

In summary: You should delegate rights, not credentials.

bob wyman


On Wed, Dec 1, 2021 at 11:42 AM Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net> wrote:
RE: "One should delegate rights, not credentials." Perfectly put, Bob.

It totally depends on what the credential represents …in general, you can’t make a blanket statement like the above.

Suppose, for example, the credentialSubject is an NFT (represented as an embedded VC). If I choose to sell the NFT, I’m not only delegating its rights but entire ownership of the NFT VC.

Michael Herman
Founder
Trusted Digital Web

From: Drummond Reed <drummond.reed@evernym.com>
Sent: Sunday, November 7, 2021 7:41 PM
To: Bob Wyman <bob@wyman.us>
Cc: sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Any Good use case of PAM (Privileged account Management) using Vcs

"One should delegate rights, not credentials." Perfectly put, Bob.

BTW, one can use a special class of VCs to delegate rights. There are several efforts to define such delegation models—see this discussion of Zcaps (https://kyledenhartog.com/comparing-VCs-with-zcaps/) from Kyle Den Hartog and the ToIP Authentic Chained Data Container (ACDC) Task Force (https://wiki.trustoverip.org/display/HOME/ACDC+%28Authentic+Chained+Data+Container%29+Task+Force).

Best,

=Drummond

On Sun, Nov 7, 2021 at 11:17 AM Bob Wyman <bob@wyman.us> wrote:
Sethi,
You asked: "I want to give Access of a machine to my Colleague by sharing VC of (Privileged account) ."

Delegating the rights associated with a VC is sometimes quite reasonable and may be supported; however, delegating the right to use an existing VC should not be supported. In commonly understood terms, it might sometimes be reasonable for me to delegate to you the right to act on my behalf, but it is never reasonable to delegate to you the right to "be" me. If you take an action, based on rights which were originally delegated to me, the fact that it was you, not me, who acted, should be discoverable, even if I approve of your actions. A common example of this is when someone uses a "Power of Attorney" to sign a contract. When they do, they typically sign documents with their own names and an annotation "on behalf of," "for," or "by power of attorney"; they don't forge the signature of the one who granted the power of attorney.

One should delegate rights, not credentials.

bob wyman
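The two design points made in this thread (Rieks' description of a delegation VC whose payload names the delegator, the delegatees, the delegated rights, the resource involved and assurances that the delegator held those rights, and Bob's point that the actor must remain discoverable and that the right to "be" the credential subject must never be transferable) can be shown as a small verifier. This is an added example, not code from any of the participants or from any VC, ZCAP or ACDC implementation. The DIDs, hostnames, right names and keys are constructed, and an HMAC tag stands in for a real digital signature so the code runs with the standard library only.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed keys for the three parties (a PAM issuer, Alice, Bob). An HMAC tag
# stands in for a real signature so the example runs offline; a real system
# would resolve each DID to a public key and verify a digital signature.
KEYS = {
    "did:example:pam":   b"constructed-pam-key",
    "did:example:alice": b"constructed-alice-key",
    "did:example:bob":   b"constructed-bob-key",
}

def _canonical(doc):
    """Deterministic serialisation of everything except the proof."""
    body = {k: v for k, v in doc.items() if k != "proof"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(doc, signer):
    tag = hmac.new(KEYS[signer], _canonical(doc), hashlib.sha256).hexdigest()
    return {**doc, "proof": {"verificationMethod": signer, "tag": tag}}

def proof_valid(doc, expected_signer):
    proof = doc.get("proof", {})
    if proof.get("verificationMethod") != expected_signer or expected_signer not in KEYS:
        return False
    expected = hmac.new(KEYS[expected_signer], _canonical(doc), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof.get("tag", ""))

def issue_privileged_account(issuer, holder, host, rights, expires):
    """Root credential from the PAM system; `rights` maps right -> delegatable?"""
    return sign({
        "type": ["VerifiableCredential", "PrivilegedAccountCredential"],
        "issuer": issuer,
        "credentialSubject": {"id": holder, "host": host, "rights": rights},
        "expirationDate": expires.isoformat(),
    }, issuer)

def issue_delegation(parent, delegatees, rights, expires):
    """Delegation credential: the subject of `parent` delegates a subset of rights.
    The parent is embedded as evidence that the delegator held them."""
    delegator = parent["credentialSubject"]["id"]
    return sign({
        "type": ["VerifiableCredential", "DelegationCredential"],
        "issuer": delegator,
        "credentialSubject": {"delegator": delegator, "delegatees": delegatees,
                              "rights": rights, "host": parent["credentialSubject"]["host"]},
        "expirationDate": expires.isoformat(),
        "evidence": parent,
    }, delegator)

def _expired(doc, now):
    return datetime.fromisoformat(doc["expirationDate"]) <= now

def authorize(cred, presenter, action, host, now, trusted_issuer="did:example:pam"):
    """Return (allowed, audit line). The audit line always names the real actor."""
    types = cred.get("type", [])
    subj = cred.get("credentialSubject", {})
    if "PrivilegedAccountCredential" in types:
        if not proof_valid(cred, trusted_issuer):
            return False, "bad issuer proof"
        # Subject binding: sharing the VC itself does not let anyone else "be" Alice.
        if subj["id"] != presenter:
            return False, "credential is bound to another subject"
        if _expired(cred, now):
            return False, "expired"
        if subj["host"] != host or action not in subj["rights"]:
            return False, "right not granted"
        return True, f"{presenter} performed {action} on {host}"
    if "DelegationCredential" in types:
        root = cred.get("evidence", {})
        if not proof_valid(cred, subj["delegator"]):
            return False, "bad delegator proof"
        if presenter not in subj["delegatees"]:
            return False, "presenter is not a delegatee"
        if _expired(cred, now):
            return False, "delegation expired"
        if subj["host"] != host or action not in subj["rights"]:
            return False, "right not delegated"
        # Single-level chain: the evidence must be a root credential that really
        # grants the delegator this right, and the right must be delegatable.
        if "PrivilegedAccountCredential" not in root.get("type", []):
            return False, "delegation must chain to a root credential"
        ok, _ = authorize(root, subj["delegator"], action, host, now, trusted_issuer)
        if not ok:
            return False, "delegator does not hold that right"
        if not root["credentialSubject"]["rights"].get(action, False):
            return False, "right is not delegatable"
        return True, f"{presenter} performed {action} on {host} on behalf of {subj['delegator']}"
    return False, "unknown credential type"

def demo():
    """Constructed scenario: Alice goes on vacation and delegates to Bob."""
    now = datetime(2021, 12, 2, 9, 0, tzinfo=timezone.utc)
    alice_vc = issue_privileged_account("did:example:pam", "did:example:alice", "db01.example",
                                        {"ssh": True, "rotate-password": False},
                                        now + timedelta(days=30))
    delegation = issue_delegation(alice_vc, ["did:example:bob"], ["ssh", "rotate-password"],
                                  now + timedelta(days=7))
    return {
        "alice_direct":         authorize(alice_vc, "did:example:alice", "ssh", "db01.example", now),
        "bob_shares_alice_vc":  authorize(alice_vc, "did:example:bob", "ssh", "db01.example", now),
        "bob_delegated_ssh":    authorize(delegation, "did:example:bob", "ssh", "db01.example", now),
        "bob_delegated_rotate": authorize(delegation, "did:example:bob", "rotate-password", "db01.example", now),
        "bob_after_vacation":   authorize(delegation, "did:example:bob", "ssh", "db01.example", now + timedelta(days=8)),
    }

if __name__ == "__main__":
    for name, (allowed, audit) in demo().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY ':5s} {audit}")
```

The point of the structure is in `authorize`: handing Alice's own credential to Bob gets him nothing, because the verifier binds the credential to its subject, while a delegation credential lets Bob act and still produces an audit line that says "on behalf of" Alice. Rights are delegated only as a subset of what the embedded root credential actually grants and only where the root marks them delegatable, and the delegation carries its own, shorter expiry for the vacation period.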


On Sat, Nov 6, 2021 at 7:48 PM sethi shivam <sethishivam27@gmail.com> wrote:
Hi Team,

Is it possible that we can give our VCs to someone for a particular period of time?

Like I am on vacation and I want to give access of a machine to my colleague by sharing VC of (Privileged account).

And my second question is:

Is there any good enterprise-level use case of managing privileged accounts using VCs?

I am just trying to explore PIM-PAM use cases with VCs.
PIM = Privileged Identity Management

Today we have many tools like CyberArk, BeyondTrust.


Best Regards
Sethi Shivam


Received on Thursday, 2 December 2021 10:00:13 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:25 UTC