W3C home > Mailing lists > Public > public-credentials@w3.org > July 2021

Re: VC HTTP API Telecon Minutes for 2021-07-13

From: Alan Karp <alanhkarp@gmail.com>
Date: Wed, 14 Jul 2021 20:30:25 -0700
Message-ID: <CANpA1Z2+YaDGXOms9QxzGTYQmzZ8bYcjOQskwuEFHN87UubfQw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials CG <public-credentials@w3.org>
On Wed, Jul 14, 2021 at 1:01 PM Justin Richer <jricher@mit.edu> wrote:

> I’m saying something separate but related:
>
> Before you can even think about delegating rights, you have to define the
> rights that can be delegated, whether that delegation happens to a piece of
> software, to another person, or anything else.
>
> I think that defining OAuth 2 with client credentials :in this spec: is a
> mistake because it allows this very important question to be ignored until
> it’s too late and there are already several competing proprietary solutions.
>

I agree.  Two reasons to vote against including in this spec.

--------------
Alan Karp


On Wed, Jul 14, 2021 at 1:01 PM Justin Richer <jricher@mit.edu> wrote:

> I’m saying something separate but related:
>
> Before you can even think about delegating rights, you have to define the
> rights that can be delegated, whether that delegation happens to a piece of
> software, to another person, or anything else.
>
> I think that defining OAuth 2 with client credentials :in this spec: is a
> mistake because it allows this very important question to be ignored until
> it’s too late and there are already several competing proprietary solutions.
>
>  — Justin
>
> On Jul 13, 2021, at 11:22 PM, Alan Karp <alanhkarp@gmail.com> wrote:
>
> As I understand it, RAR is a way to express the desire for an access token
> with a subset of the permissions the requester is entitled to, but what if
> the client wants to delegate those permissions?  It will have to share its
> client secret if there's no way to delegate.  That's why I say that OAuth 2
> with client credentials and no delegation is a mistake.
>
> --------------
> Alan Karp
>
>
> On Tue, Jul 13, 2021 at 7:31 PM Justin Richer <jricher@mit.edu> wrote:
>
>> Agreed, and it's exactly that "limitation of authority" that RAR is set
>> to solve in an interoperable way. If we don't solve it here, it's going to
>> be solved in a hundred worse ways.
>>
>> -Justin
>> ________________________________________
>> From: Alan Karp [alanhkarp@gmail.com]
>> Sent: Tuesday, July 13, 2021 8:58 PM
>> To: Manu Sporny
>> Cc: W3C Credentials CG
>> Subject: Re: VC HTTP API Telecon Minutes for 2021-07-13
>>
>> Adrian Gropper:  Just to make sure how we are using Client
>>   Credentials: does that mean there can be no delegation?
>> <justin_richer> yes, that's exactly what that means
>>   ... by the whoever is in control of the credential - whether
>>   the subject (typically)...
>>   ... Is this making a statement on the ability to delegate?
>> Orie Steele: https://oauth.net/2/grant-types/client-credentials/
>> Manu Sporny:  It is saying you cannot delegate if you are using
>>   OAuth2 Client Credentials, but not saying you can't use another
>>   protocol than Client Credentials
>>
>> There is a long history of trying to prevent delegation, SPKI (
>> https://datatracker.ietf.org/doc/html/rfc2692) being the most notable.
>> The RFC even says, "but there's nothing to stop someone who wishes to
>> delegate against the rules from also loaning out their private key."  The
>> inability to prevent credential sharing means that blocking delegation
>> results in a system that is harder to use, because people must use ad hoc
>> mechanisms to share the credentials, and less secure, because people end up
>> granting much more authority than they need to.
>>
>> --------------
>> Alan Karp
>>
>
>
Received on Thursday, 15 July 2021 03:30:49 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 15 July 2021 03:30:53 UTC