- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 15 Jun 2021 15:01:15 -0400
- To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
On 6/15/21 2:51 PM, Alan Karp wrote:
> I raised the issue in case the API needed to allow for a separate field to
> support token exchange.

Yep, point taken, we don't need a separate field as far as we can tell so far -- we re-use fields that other standards have defined. Namely, the `Authorization` header... which is used for OAuth, and ZCAPs at least.

> I don't believe that you can build a viable capability system that doesn't
> support delegation except for the most trivial use cases. Without
> delegation, people will simply share their access tokens. As a result they
> will end up granting more permissions than necessary, and you'll lose
> responsibility tracking.

Complete and total agreement from me.

> That has been my concern of using one VC standard both for claims, e.g.,
> driver's licence, and authorizations. There is a difference in what's
> important and the mechanisms used to implement features. For example,
> delegating a driver's license may not make sense, but permission to drive
> your car does. Revoking a driver's license requires quite a different
> mechanism than revoking permission to drive your car. I believe that the
> experience with the VC standard is mostly (entirely?) of the claims type,
> not authorizations.

Yes, correct, and again, violent agreement from me. However, there are some in the community that still believe that a VC is a viable authorization format. In time, they may come to understand why that's so dangerous. That conversation, though, is out of scope for the VC HTTP API.

> If you don't make delegation easy and part of the design from the
> beginning, people will use workarounds that will be less secure. Worse,
> many of them will conclude that capabilities don't work. There is
> historical precedent. People who built flawed capability systems reached
> exactly that conclusion.

Yes, and again -- complete and total agreement from me.
-- 
manu

Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/
Received on Tuesday, 15 June 2021 19:02:02 UTC
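The properties argued for in the exchange above (delegation that can only attenuate, a revocable link per delegate, and a responsibility trail back to the root controller) as an added illustrative example; this is not ZCAP-LD, the VC HTTP API, or any Digital Bazaar code. The parties, capability ids and actions are constructed, and HMAC with per-party secrets stands in for real signature proofs.

```python
import hashlib
import hmac

# Constructed stand-in for signing keys: each controller holds a secret and
# "signs" a delegation with HMAC. A real system would use public-key proofs.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}
ROOT_CONTROLLER = "alice"   # the car's owner: the trusted root of authority
REVOKED = set()             # ids of delegations that have been revoked

def _signing_input(cap):
    return f"{cap['id']}|{cap['parent']}|{cap['controller']}|{','.join(sorted(cap['actions']))}".encode()

def make_root(cap_id, controller, actions):
    return {"id": cap_id, "parent": None, "controller": controller, "actions": set(actions)}

def delegate(parent, parent_controller, cap_id, new_controller, actions):
    """Create a child capability signed by the parent's controller; attenuation is enforced on verify."""
    cap = {"id": cap_id, "parent": parent["id"], "controller": new_controller, "actions": set(actions)}
    sig = hmac.new(KEYS[parent_controller], _signing_input(cap), hashlib.sha256).hexdigest()
    cap["proof"] = {"signer": parent_controller, "sig": sig}
    return cap

def revoke(cap_id):
    """Revoking one link invalidates every capability delegated beneath it."""
    REVOKED.add(cap_id)

def verify_chain(chain, action, invoker):
    """Walk root -> leaf. Returns (True, trail_of_controllers) or (False, reason)."""
    root = chain[0]
    if root["controller"] != ROOT_CONTROLLER:
        return False, "untrusted root"
    trail = [root["controller"]]
    for parent, child in zip(chain, chain[1:]):
        if child["parent"] != parent["id"]:
            return False, f"{child['id']} does not chain to {parent['id']}"
        if child["id"] in REVOKED:
            return False, f"{child['id']} revoked"
        # Attenuation only: a delegate may never receive more than its delegator holds.
        if not child["actions"] <= parent["actions"]:
            return False, f"{child['id']} grants more than {parent['id']}"
        proof = child.get("proof", {})
        expected = hmac.new(KEYS[parent["controller"]], _signing_input(child), hashlib.sha256).hexdigest()
        if proof.get("signer") != parent["controller"] or not hmac.compare_digest(proof.get("sig", ""), expected):
            return False, f"{child['id']} not signed by {parent['controller']}"
        trail.append(child["controller"])
    leaf = chain[-1]
    if invoker != leaf["controller"]:
        return False, f"{invoker} is not the controller of {leaf['id']}"
    if action not in leaf["actions"]:
        return False, f"{action} not permitted by {leaf['id']}"
    return True, trail   # every party accountable for this invocation, root to invoker
```

Contrast with a shared bearer token: the trail would stop at the original holder, and revoking it would cut off everyone at once rather than one delegate.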