Re: VC HTTP API Telecon Minutes for 2021-07-13

As I understand it, RAR is a way to express the desire for an access token
with a subset of the permissions the requester is entitled to, but what if
the client wants to delegate those permissions?  It will have to share its
client secret if there's no way to delegate.  That's why I say that OAuth 2
with client credentials and no delegation is a mistake.

--------------
Alan Karp


On Tue, Jul 13, 2021 at 7:31 PM Justin Richer <jricher@mit.edu> wrote:

> Agreed, and it's exactly that "limitation of authority" that RAR is set to
> solve in an interoperable way. If we don't solve it here, it's going to be
> solved in a hundred worse ways.
>
> -Justin
> ________________________________________
> From: Alan Karp [alanhkarp@gmail.com]
> Sent: Tuesday, July 13, 2021 8:58 PM
> To: Manu Sporny
> Cc: W3C Credentials CG
> Subject: Re: VC HTTP API Telecon Minutes for 2021-07-13
>
> Adrian Gropper:  Just to make sure how we are using Client
>   Credentials: does that mean there can be no delegation?
> <justin_richer> yes, that's exactly what that means
>   ... by the whoever is in control of the credential - whether
>   the subject (typically)...
>   ... Is this making a statement on the ability to delegate?
> Orie Steele: https://oauth.net/2/grant-types/client-credentials/
> Manu Sporny:  It is saying you cannot delegate if you are using
>   OAuth2 Client Credentials, but not saying you can't use another
>   protocol than Client Credentials
>
> There is a long history of trying to prevent delegation, SPKI (
> https://datatracker.ietf.org/doc/html/rfc2692) being the most notable.
> The RFC even says, "but there's nothing to stop someone who wishes to
> delegate against the rules from also loaning out their private key."  The
> inability to prevent credential sharing means that blocking delegation
> results in a system that is harder to use, because people must use ad hoc
> mechanisms to share the credentials, and less secure, because people end up
> granting much more authority than they need to.
>
> --------------
> Alan Karp
>

Received on Wednesday, 14 July 2021 03:23:06 UTC
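
The contrast discussed in this thread, as an added example that is not part of any participant's message or of the RAR specification: a delegate holding a shared client secret gets the client's whole entitlement, while a subset request is checked against it and yields less. The `type`, `locations` and `actions` field names are RFC 9396 common fields; the subset rule, the `vc_api` type, the URL and the function names are assumptions made for this sketch.

```python
# Added example. Sample data is constructed; the comparison rule is an
# assumption (RFC 9396 leaves comparison of authorization details to the API).

ENTITLEMENT = [  # constructed: everything the client may do
    {"type": "vc_api",
     "locations": ["https://issuer.example/credentials"],
     "actions": ["issue", "verify", "revoke"]},
]

def covers(granted, requested):
    """True if one requested detail stays inside one granted detail."""
    if granted.get("type") != requested.get("type"):
        return False
    for field in ("locations", "actions"):
        want = set(requested.get(field, []))
        # Fail closed: an omitted or empty field could be read as "everything".
        if not want or not want <= set(granted.get(field, [])):
            return False
    return True

def attenuate(entitlement, requested_details):
    """Return the requested details if all fit the entitlement, else raise."""
    if not requested_details:
        raise PermissionError("empty request")
    for req in requested_details:
        if not any(covers(g, req) for g in entitlement):
            raise PermissionError(f"request exceeds entitlement: {req}")
    return requested_details

def authority(details):
    """Flatten details into (type, location, action) triples."""
    return {(d["type"], loc, act)
            for d in details for loc in d["locations"] for act in d["actions"]}

VERIFY_ONLY = {"type": "vc_api",  # constructed subset request
               "locations": ["https://issuer.example/credentials"],
               "actions": ["verify"]}

if __name__ == "__main__":
    # Shared client secret: the delegate can obtain the full entitlement.
    print("shared secret :", sorted(authority(ENTITLEMENT)))
    # Subset request: the token handed on carries one action only.
    print("subset request:", sorted(authority(attenuate(ENTITLEMENT, [VERIFY_ONLY]))))
```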