Re: VC HTTP API Endpoint Authz Needs (was: Re: Attempting to block work)

On 6/12/21 11:44 AM, Adrian Gropper wrote:
> Brian's initiative and Manu's analysis suggest that we could benefit from
> separating internal vs. external endpoints. Internal endpoints, for 
> example, are unlikely targets for DoS attacks and benefit from delegation 
> only to the extent it promotes a Zero Trust Architecture.

As is mentioned later in this thread, "internal" vs. "external" doesn't quite
capture it. There are really three classes of trust boundaries that we're
talking about:

1. Single Trust Boundary - all systems reside within
   the same trust boundary. At least OAuth2/MTLS is needed
   here because there might be attackers behind your
   firewall/VPN.

2. Multi-tenant Trust Boundaries - multi-tenant
   systems that do not reside within the same trust
   boundary, but reside on the same logical system. At
   least OAuth2/MTLS is needed here because these
   endpoints are exposed to the seedy underbelly of the
   Internet.

3. No Trust Boundary - anyone has access to these APIs and
   trust is gradually established after the first contact.
   The initial presentation exchange endpoint is an
   example of this type of endpoint. You don't want any
   sort of authorization protection on this endpoint
   because you want anyone to be able to start a
   presentation exchange with you. Authorization to
   proceed is determined at a higher layer of logic.

You can apply delegated authorization schemes to the same types of trust
boundaries as the OAuth2/MTLS ones.

So, it's not just internal vs. external... we have at least three types of
trust boundaries that apply to the VC HTTP API.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Sunday, 13 June 2021 21:24:36 UTC
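
The three trust-boundary classes from the message above, as an added example that is not part of the original e-mail or of the VC HTTP API itself: a route-table check plus a fail-closed request gate. The route paths, field names and the upstream-verified `req.auth` object are assumptions made for illustration.

```javascript
// Added example. Route paths, field names and `req.auth` are hypothetical;
// they are not taken from the VC HTTP API specification.
const CLASSES = new Map([
  ['single', {needsAuthz: true}],        // 1. Single Trust Boundary
  ['multi-tenant', {needsAuthz: true}],  // 2. Multi-tenant Trust Boundaries
  ['none', {needsAuthz: false}]          // 3. No Trust Boundary
]);
const MECHANISMS = new Set(['oauth2', 'mtls']);

// Constructed route table: each route declares its class and the
// authorization mechanisms it is configured to accept.
const routes = [
  {path: '/internal/issue', boundary: 'single', accepts: ['mtls']},
  {path: '/internal/status', boundary: 'single', accepts: []}, // "it's behind the VPN"
  {path: '/tenant/issue', boundary: 'multi-tenant', accepts: ['oauth2']},
  {path: '/exchange/start', boundary: 'none', accepts: []},
  {path: '/exchange/legacy', boundary: 'none', accepts: ['oauth2']},
  {path: '/debug', accepts: []} // class never declared
];

// Configuration check: one finding per route that contradicts its class.
function lintRoutes(table) {
  const findings = [];
  for (const r of table) {
    const cls = CLASSES.get(r.boundary);
    const mechs = (r.accepts || []).filter(m => MECHANISMS.has(m));
    if (!cls) {
      findings.push(`${r.path}: no trust-boundary class declared`);
    } else if (cls.needsAuthz && mechs.length === 0) {
      findings.push(`${r.path}: ${r.boundary} class needs OAuth2/MTLS, none configured`);
    } else if (!cls.needsAuthz && mechs.length > 0) {
      findings.push(`${r.path}: open endpoint is configured to require authorization`);
    }
  }
  return findings;
}

// Request-time gate. `req.auth` is assumed to be set by an upstream layer that
// has already verified the bearer token or the client certificate.
function gate(table, req) {
  const r = table.find(x => x.path === req.path);
  const cls = r && CLASSES.get(r.boundary);
  if (!cls) return 'deny';              // unknown or unclassified route: fail closed
  if (!cls.needsAuthz) return 'allow';  // higher-layer logic decides whether to proceed
  const a = req.auth;
  const ok = a && a.verified === true && (r.accepts || []).includes(a.mechanism);
  return ok ? 'allow' : 'deny';
}
```

A class 1 route with nothing configured is both reported by `lintRoutes` and denied by `gate`, so a misconfiguration does not silently become an open endpoint.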