W3C home > Mailing lists > Public > public-credentials@w3.org > July 2021

RE: VC HTTP API Telecon Minutes for 2021-07-13

From: <steve.e.magennis@gmail.com>
Date: Mon, 19 Jul 2021 17:18:08 -0700
To: "'Michael Herman \(Trusted Digital Web\)'" <mwherman@parallelspace.net>, "'Manu Sporny'" <msporny@digitalbazaar.com>, "'Adrian Gropper'" <agropper@healthurl.com>
Cc: "'W3C Credentials CG'" <public-credentials@w3.org>
Message-ID: <06b701d77cfc$b82bccc0$28836640$@gmail.com>
@Michael, can you provide an example of where a claim abut a subject would
be separate from the entity attesting to said claim to help me understand
your distinction?


Would it be something like: Alice attests to the fact that Bob said
something about Carol? This doesn't seem right to me.


From: Michael Herman (Trusted Digital Web) <mwherman@parallelspace.net> 
Sent: Monday, July 19, 2021 3:42 PM
To: Manu Sporny <msporny@digitalbazaar.com>; Adrian Gropper
Cc: W3C Credentials CG <public-credentials@w3.org>
Subject: Re: VC HTTP API Telecon Minutes for 2021-07-13


RE VCs are statements aka attestations by a cryptographic authority about a

...is more correctly worded IMO as...

"VCs are statements (lists of claims) about a subject - attested to by a
cryptographic authority."

The original wording IMO suggested the source of both the statements/claims
as well as well as the attestation is a cryptographic authority. I don't see
this as being a truism (as a generalization). ... it's a bit centralist.


Get Outlook for Android <https://aka.ms/AAb9ysg> 



From: Adrian Gropper <agropper@healthurl.com <mailto:agropper@healthurl.com>
Sent: Monday, July 19, 2021 8:45:54 AM
To: Manu Sporny <msporny@digitalbazaar.com
<mailto:msporny@digitalbazaar.com> >
Cc: W3C Credentials CG <public-credentials@w3.org
<mailto:public-credentials@w3.org> >
Subject: Re: VC HTTP API Telecon Minutes for 2021-07-13 


On Mon, Jul 19, 2021 at 10:07 AM George Lund
<mailto:george.lund@digital.cabinet-office.gov.uk> > wrote:



PS I've not had time to follow this as closely as I'd like, so apologies if
I'm not making sense, but where people are questioning the need for this
kind of protocol, I'd like to float a potential use case, which is that
where OIDC mandates "UserInfo" as a restful endpoint for a bunch of user
data, something along the lines of an "issuer" VC API might well be much
more suitable and scalable. These specifications don't have to concern
themselves with how a client may be authenticated or authorized, in order to
be exceedingly potentially useful :-)


PPS I just saw Kerri's email, and I like that way of thinking too!


+1 this PS by George. The Issuer is just an authoritative UserInfo endpoint
for a Subject. GNAP recognizes this


VC-HTTP API could be scoped as _just_ a resource server. If the spec is
scoped away from the authorization server, then the complexity and the
implementation gap between OAuth 2 and GNAP is miniscule


Regardless of what we name this spec, why must we tackle authorization
servers in this particular CCG group?


- Adrian


On Fri, Jul 16, 2021 at 11:02 AM Adrian Gropper <agropper@healthurl.com
<mailto:agropper@healthurl.com> > wrote:



On Fri, Jul 16, 2021 at 8:47 AM Manu Sporny <msporny@digitalbazaar.com
<mailto:msporny@digitalbazaar.com> > wrote:

On 7/16/21 8:23 AM, Adrian Gropper wrote:
> I'm saying the Subject of the VC has the power to delegate interactions to

> an agent they choose.

Adrian, you continue to conflate "access to an issued Verifiable Credential"
with the VC HTTP API does today.


And Manu, you continue to imply that the DHS use case is the predominant one
for something as central as the API for VC issue. Please consider the cruise
ship use case as well. 

Are you aware that, at present, there is no "access to an issued Verifiable
Credential" VC HTTP API call?

This is why I keep asking you to point to the endpoints that need
delegation... you're presuming endpoints that don't exist right now and are
hand waving over the (very important) details in order to make a meta point.

One variation of an "access to an issued Verifiable Credential" HTTP API
is supported by Encrypted Data Vaults, which do support delegation via ZCAPs
and do support some variation of your cruise ship scenario. This has been
stated multiple times in multiple ways, but I think you keep missing it.


The EDV API, by definition, does not apply to the Issuer because the Issuer
has sovereign power and the EDV does not. The Issuer has the information in
the VC in the clear whereas the EDV does not. 


What the EDV and the Issuer do share is an identity-based relationship with
someone that is typically the Subject of the VC. Because of that, I hope
that the authorization protocol will be the same for Issuer, EDV, and Hubs.
From a (human) agency perspective, these are all just resource servers as
(GDPR) processors.  

There may be other "access to an issued Verifiable Credential" HTTP APIs in
the future... but your argument is cart before the horse... you're talking
about a non-existent VC HTTP API endpoint that sits on a Verifiable
Repository (e.g., wallet).


No. I'm talking about VC-HTTP API as it secures the sovereign Issuer. The
wallet is chosen by the Subject (to the extent the sovereign issuers and
verifiers "allow") and the wallet API would benefit from sharing the
authorization protocol, but this is not my primary concern. 

This isn't an argument against delegation... most of us understand the
of not supporting delegation... I'm merely trying to point out that by
over the details, like you continue to do, you're misunderstanding what the
HTTP API does and does not do and continue to talk past the folks in the
that DO understand the details of the VC HTTP API.


I apologize for my ignorance. I'm doing my best, including struggling to
implement a FastAPI example of protected access to a VC that would
demonstrate any gaps between OAuth 2 and GNAP and clarify if there's really
that much difference when both are done simultaneously from the start. 


Note that our HIE of One project has 5+ years experience implementing an
authorization server (we call it Trustee) that did OAuth 2 and UMA 2
_simultaneously_. We used this to demonstrate how an agent of the patient
(the Trustee) could access the _production_ API of the largest health
records vendor (Epic) and the production API of the US Medicare database,
using legacy OAuth 2. At the same time, this demonstration showed how the
agent interacts with self-sovereign resource servers such as a personal
health record or a community-controlled registry of patients, using UMA 2.
In some respects, our HIE of One group, including our collaboration with
uPort from the earliest days of SSI, has more experience with VCs than the
DHS use cases because ours actually _do connect_ to production private and
government APIs.


I've also had interest from two, possibly three other groups, in
implementing GNAP. 

The VC HTTP API is not a credential repository / digital wallet HTTP API. It
may become one in the future, but at this time, the group hasn't agreed to
that expansion in scope. If the group DOES agree to that expansion in scope,
it'll be far easier to make the case for delegation being a mandatory


This, I agree with.  As mentioned above, my concern is the asymmetry of
power between the sovereign and the subject. This is the fundamental premise
of the Law of Agency https://en.wikipedia.org/wiki/Law_of_agency. 


The VC-HTTP API for Issuers is fundamental to SSI and we can either
down-scope to enable agency at a higher layer or deal with it by
implementing OAuth 2 and GNAP simultaneously in the specification.


- Adrian

-- manu

Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
Received on Tuesday, 20 July 2021 00:18:30 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:18 UTC