Re: VC-HTTP-API - A follow up on the RAR presentation

On 7/7/21 7:24 PM, Adrian Gropper wrote:
> 6. All three of these VCs from three separate issuers are available via 
> VC-HTTP API. Alice hates smartphones and apps but she is willing to use 
> technology to provide consent. For example, when she gets a text message
> on her feature phone saying: Is it OK for {this}? Reply Yes or No.

Ah, there it is!

The Issuer HTTP API doesn't do that; that's out of scope.

There is no API on the issuer that allows someone to pick up a VC on behalf of
a subject because that would be a cross-trust boundary use case and the Issuer
HTTP API does not cross trust boundaries.

What about this, Adrian:

PROPOSAL: The VC HTTP API will support at least OAuth2 + client_credentials
for all API calls that happen within the same trust boundary.

It seems like the real delegation problem rears its head when you cross trust
boundaries.

The only place this gets dicey is in credential exchange, but authz is not
needed in those cases... because you don't want to limit people that have
access to those APIs -- you want anyone to show up and request/present
credentials.

What am I missing?

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Friday, 9 July 2021 13:22:56 UTC
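The proposal in the message above, sketched as an added example (not code from the email, its author, or the VC HTTP API specification): calls inside one trust boundary require a token obtained with the OAuth2 client_credentials grant, while credential exchange calls are left open. The endpoint paths, scope names, and claim layout are assumptions made for illustration.

```python
import base64
from urllib.parse import urlencode

# Assumed route split (illustrative paths and scope names, not from the email):
# calls made inside one trust boundary vs. the open credential-exchange calls.
SAME_BOUNDARY = {"/credentials/issue": "issue", "/credentials/verify": "verify"}
OPEN_EXCHANGE = {"/exchanges/request", "/exchanges/present"}


def client_credentials_request(client_id, client_secret, scope):
    """Build the RFC 6749 section 4.4 token request as (headers, form body).

    The client authenticates as itself with HTTP Basic; no end user and no
    delegation step is involved, which is why this grant fits calls that
    stay within one trust boundary.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


def authorize(path, token_claims, now):
    """Return (allowed, reason) for one API call.

    token_claims is the already validated access token (signature or
    introspection check done elsewhere), or None when no token was sent.
    """
    if path in OPEN_EXCHANGE:
        return True, "open exchange endpoint, no authz"
    required = SAME_BOUNDARY.get(path)
    if required is None:
        return False, "unknown endpoint"  # default deny
    if token_claims is None:
        return False, "missing bearer token"
    if token_claims.get("exp", 0) <= now:
        return False, "token expired"
    if required not in token_claims.get("scope", "").split():
        return False, f"scope '{required}' not granted"
    return True, "client authorized"
```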