Re: Attempting to block work (was: Re: VC HTTP Authorization Conversation)

On 6/15/21 2:51 PM, Alan Karp wrote:
> I raised the issue in case the API needed to allow for a separate field to 
> support token exchange.

Yep, point taken, we don't need a separate field as far as we can tell so far
-- we re-use fields that other standards have defined. Namely, the
`Authorization` header... which is used for OAuth, and ZCAPs at least.

> I don't believe that you can build a viable capability system that doesn't 
> support delegation except for the most trivial use cases.  Without
> delegation, people will simply share their access tokens.  As a result they
> will end up granting more permissions than necessary, and you'll lose
> responsibility tracking.

Complete and total agreement from me.

> That has been my concern of using one VC standard both for claims, e.g., 
> driver's licence, and authorizations.  There is a difference in what's 
> important and the mechanisms used to implement features.  For example, 
> delegating a driver's license may not make sense, but permission to drive
> your car does.  Revoking a driver's license requires quite a different
> mechanism than revoking permission to drive your car.  I believe that the
> experience with the VC standard is mostly (entirely?) of the claims type,
> not authorizations.

Yes, correct, and again, violent agreement from me.

However, there are some in the community that still believe that a VC is a
viable authorization format. In time, they may come to understand why that's
so dangerous. That conversation, though, is out of scope for the VC HTTP API.

> If you don't make delegation easy and part of the design from the
> beginning, people will use workarounds that will be less secure.  Worse,
> many of them will conclude that capabilities don't work.  There is
> historical precedent. People who built flawed capability systems reached
> exactly that conclusion.

Yes, and again -- complete and total agreement from me.

-- manu

Manu Sporny -
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)

Received on Tuesday, 15 June 2021 19:02:02 UTC
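The points Alan makes above about delegation, attenuation and responsibility tracking are easier to see in running code. The following is an added example written for this page; it is not code from the VC HTTP API work, from ZCAP-LD, or from either author. It models a capability chain for the "permission to drive your car" case: each link can only hand on a subset of what it holds, the verifier walks the chain from the resource owner's root capability to the invoker and so recovers who authorised whom, and revoking one link cuts off everything delegated through it without touching the owner's root authority. The principals (alice, bob, carol, eve), the `car:1` resource and the JSON layout are constructed for illustration. Real systems sign each delegation with the delegator's private key so the verifier needs only public keys; HMAC with secrets the verifier also holds stands in for that here.

```python
"""Toy capability chain: attenuation, provenance trail and per-link revocation.

Added example, not from the VC HTTP API or the authors of the thread. The
dict layout is a simplification and is not the ZCAP-LD format.
"""
import hashlib
import hmac
import json

# Constructed sample keys (hypothetical principals). A real system would use
# public-key signatures so the verifier never holds delegators' secrets.
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _unsigned(cap: dict) -> dict:
    return {k: v for k, v in cap.items() if k != "proof"}


def _sign(signer: str, cap: dict) -> str:
    return hmac.new(KEYS[signer], _canonical(_unsigned(cap)), hashlib.sha256).hexdigest()


def _cap_id(cap: dict) -> str:
    return "urn:cap:" + hashlib.sha256(_canonical(cap)).hexdigest()[:16]


def root_capability(controller: str, resource: str, actions: set) -> dict:
    """Root capability: the resource owner's own authority, no parent, no proof."""
    cap = {"resource": resource, "controller": controller,
           "actions": sorted(actions), "parent": None}
    cap["id"] = _cap_id(cap)
    return cap


def delegate(parent: dict, delegator: str, delegatee: str, actions: set) -> dict:
    """Delegator hands a subset of its actions to delegatee and signs the new link."""
    if parent["controller"] != delegator:
        raise PermissionError(f"{delegator} does not hold {parent['id']}")
    if not actions <= set(parent["actions"]):  # attenuation only, never amplification
        raise PermissionError(
            f"{delegator} cannot grant {sorted(actions - set(parent['actions']))}")
    cap = {"resource": parent["resource"], "controller": delegatee,
           "actions": sorted(actions), "parent": parent["id"]}
    cap["id"] = _cap_id(cap)
    cap["proof"] = {"by": delegator, "sig": _sign(delegator, cap)}
    return cap


def verify_invocation(chain: list, invoker: str, action: str, revoked: set) -> tuple:
    """Walk root -> leaf. Returns (ok, reason, trail); trail lists every
    principal that authorised this invocation, which is the responsibility
    tracking a shared bearer token cannot give you."""
    root = chain[0]
    if root["parent"] is not None:
        return False, "chain does not start at a root capability", []
    if root["id"] in revoked:
        return False, f"{root['id']} revoked", []
    allowed, holder, prev = set(root["actions"]), root["controller"], root
    trail = [holder]
    for cap in chain[1:]:
        # Revocation is per link: pulling bob's capability kills everything he
        # delegated onward, unlike revoking a licence-style claim.
        if cap["id"] in revoked:
            return False, f"{cap['id']} revoked", trail
        if cap["parent"] != prev["id"]:
            return False, f"{cap['id']} is not a child of {prev['id']}", trail
        proof = cap.get("proof") or {}
        if proof.get("by") != holder or holder not in KEYS:
            return False, f"{cap['id']} was not delegated by current holder {holder}", trail
        if not hmac.compare_digest(proof.get("sig", ""), _sign(holder, cap)):
            return False, f"bad signature on {cap['id']}", trail
        if not set(cap["actions"]) <= allowed:
            return False, f"{cap['id']} amplifies authority", trail
        allowed, holder, prev = set(cap["actions"]), cap["controller"], cap
        trail.append(holder)
    if holder != invoker:
        return False, f"chain ends at {holder}, not invoker {invoker}", trail
    if action not in allowed:
        return False, f"{action!r} not in {sorted(allowed)}", trail
    return True, "ok", trail


def demo() -> dict:
    """Constructed scenario: alice owns car:1, lends it to bob, bob lets carol drive."""
    root = root_capability("alice", "car:1", {"drive", "unlock", "refuel"})
    bob = delegate(root, "alice", "bob", {"drive", "unlock"})
    carol = delegate(bob, "bob", "carol", {"drive"})
    chain = [root, bob, carol]
    results = {
        "carol_drives": verify_invocation(chain, "carol", "drive", set()),
        "carol_unlocks": verify_invocation(chain, "carol", "unlock", set()),
        "eve_replays": verify_invocation(chain, "eve", "drive", set()),
        "after_revoking_bob": verify_invocation(chain, "carol", "drive", {bob["id"]}),
        # carol edits her own link to add "unlock": bob's signature no longer matches
        "tampered": verify_invocation(
            [root, bob, dict(carol, actions=["drive", "unlock"])], "carol", "unlock", set()),
    }
    try:
        delegate(bob, "bob", "carol", {"refuel"})
        results["amplify"] = "allowed"
    except PermissionError as exc:
        results["amplify"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Contrast this with the workaround the thread warns about: if bob simply hands carol his access token, the car sees "bob" on every request, carol gets unlock as well as drive, and the only revocation available is to revoke bob entirely. The chain gives the verifier the full trail of who granted what, lets bob grant less than he holds, and lets a single link be revoked on its own.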