Re: VC HTTP Authorization Conversation

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 11 Jun 2021 13:23:21 -0400
To: public-credentials@w3.org
Message-ID: <be9c55da-fbf0-0850-ef76-b61d00fa637f@digitalbazaar.com>

On 6/10/21 11:00 AM, Adrian Gropper wrote:
> It's my impression that all of the 8 implementations were built on the basis
> of DHS as the sole issuer and customer. 

As others have mentioned, this is a false impression. Many of those 8
implementing organizations have customers other than DHS.

For example, the National Association of Convenience Stores will be using the
VC HTTP API for their TruAge program:


You will note that a key goal of that program is customer privacy, control,
and agency over their digital wallets. This is why the program has picked
Verifiable Credentials, Decentralized Identifiers, and yes, the VC HTTP API to
provide a large chunk of the functionality that is needed in the system.

Other customers exist (that are using the VC HTTP API) in the supply chain,
banking, insurance, and retail environments.

> As others have pointed out in our discussions, there's a difference between
> internal and external interoperability. OAuth2 is fine for internal
> interoperability because the resource server and authorization server are
> internal to the same trust domain. But this is **irrelevant** to the VCHTTP
> spec as I understand it. 

It's not irrelevant. There is no authorization mechanism defined for the VC
HTTP API specification. You are saying that OAuth2 is fine for those use
cases, yet at the same time are opposed to making proposals to that effect.

If we ran this proposal, would you +1 it?

PROPOSAL: At least one authorization mechanism for internal VC HTTP API calls,
that is, calls in the same trust domain, will be OAuth2.

If you were able to +1 that, we'd be well on our way to real progress here.

Will you +1 the proposal above, Adrian?

-- manu

Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
