Re: VC HTTP Authorization Conversation from Alan Karp on 2021-06-12 (public-credentials@w3.org from June 2021)

From: Alan Karp <alanhkarp@gmail.com>
Date: Fri, 11 Jun 2021 17:28:15 -0700
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <CANpA1Z018WDp-QCV7_2svhvMpEO7PNmO+niNs=oZFMauBZMZJQ@mail.gmail.com>

I finally caught up with this thread, and I think there's one place (maybe
two) where VC-HTTP may need awareness of the authorization token.

Delegation with OAuth 2 and GNAP opaque tokens is done by token exchange.
That means the API needs a way to say, "This token is not for gating access
to this request but to get a sub-scoped version of this token."  This
exception isn't needed for non-opaque, certificate tokens, such as
zcap-ld.  The "maybe" is revocation.

I haven't studied the work on this spec, so my comments may not apply.  If
so, feel free to ignore this note.

--------------
Alan Karp


On Fri, Jun 11, 2021 at 2:32 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 6/11/21 1:59 PM, Adrian Gropper wrote:
> > If anyone wants me to leave the group, all they need to do is ask.
>
> No one is asking you to leave the group, Adrian. I personally want you to
> remain and I know that others do as well. You're good people.
>
> There are, however, multiple people that are requesting that you reconsider
> your approach.
>
> > I’m proposing that OAuth2 and GNAP be delivered simultaneously as part
> of
> > the same spec and test suite
>
> We have already polled this proposal and it was fairly clear that there was
> strong opposition to it:
>
> https://w3c-ccg.github.io/meetings/2021-06-01-vchttpapi/#57
>
> I don't expect much has changed about how people feel about the proposal in
> the past 10 days.
>
> Would you like to run the proposal officially during the next call, Adrian?
>
> > or else that authorization be out of scope for VC-HTTP.
>
> I expect this to also fail given that many of the implementers are
> requesting
> for OAuth2 to be at least one of the authorization mechanisms.
>
> Would you like to run this proposal during the next call, Adrian?
>
> > The privacy issue I’m raising can be handled with UMA.
>
> We have zero implementers that have said that they want to implement UMA.
> If
> there are implementers that are going to implement UMA to handle
> delegation,
> they should speak up now.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>
>

Received on Saturday, 12 June 2021 00:29:54 UTC