W3C home > Mailing lists > Public > public-credentials@w3.org > July 2021

Re: VC-HTTP-API - A follow up on the RAR presentation

From: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
Date: Wed, 7 Jul 2021 22:25:31 -0400
Cc: W3C Credentials Community Group <public-credentials@w3.org>
Message-Id: <22D86483-C4CF-4592-AC4E-DFB918C5849A@openlinksw.com>
To: Adrian Gropper <agropper@healthurl.com>
Adrian --

I knew I should have included more of my own thoughts 
in my previous...

On Jul 7, 2021, at 07:24 PM, Adrian Gropper <agropper@healthurl.com> wrote:
> I will respond to Dave's question below as we wait
> for others to chime in on the numbered issues. 

Your earlier message did not contain numbered *issues*.

It contained numbered *paragraphs*, many of which were 
single sentences, and many of which did not read to me, 
and, I imagine, to others, as issues.

This message to which I am currently responding did at
least *try* to present a sequence of actions, as Dave
requested, but the numbered "steps" in the sequence did 
not appear to me to be uniform in scale, with some being 
comprised of what I think you would agree are multiple 
distinct actions by multiple entities, and others being 
appropriately atomic -- i.e., one action by one entity.

> Definition: A vaccine passport (vc) is a contextual 
> interpretation of a vaccine credential (vp). It's a
> lucky coincidence that vc / vp parallels VC / VP :-)

I'm pretty sure you meant the lowercase vc/vp there to 
be reversed, so that they corresponded to the initials 
of the instruments of which you wrote, and so vc went 
with VC and vp with VP.

But only *pretty* sure, so I'm going to ask that you 
confirm my interpretation.

I'm also going to ask that, going forward, you take 
some extra time to re-proofread everything you send 
out. (fwiw, I do this myself.) Every typo-driven 
misunderstanding steals time and energy from the work 
we are trying to do, including working to understand 
each other's points.

> Finally, I'm not saying this use-case can't work with
> OAuth2 and client credentials and I'm not saying that
> GNAP alone will fix this. What I'm claiming is that
> the success of our SSI adventure depends on not tying
> VC-HTTP API to OAuth2.

To the best of my understanding, no-one is advocating
for the VC-HTTP-API to be designed such that it can 
only be implemented with OAuth2, which is what I take 
you to mean by "tied to OAuth2", nor do I see anyone 
arguing that future implementations should be blocked 
from using GNAP, *once GNAP is in such a shape as allows 
for such implementations,* which GNAP is not today.

Initial implementations of the VC-HTTP-API are likely
to be made with OAuth2 *because it is standardized
sufficiently* to allow for such implementations. 

The goal, as I see it, is to specify the VC-HTTP-API 
such that GNAP *and other standards not yet even 
begun* could substitute for OAuth2 and, if we're all
good little girls and boys, that all of these would 
be interoperable in the end!

If OAuth2 is half as awful as you've been suggesting,
the marketplace will quickly move from it to GNAP or 
some other, even less awful, alternative, and there
will be much rejoicing, throughout the land.


Received on Thursday, 8 July 2021 02:27:32 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:18 UTC