Re: VC HTTP API Endpoint Authz Needs (was: Re: Attempting to block work) from Alan Karp on 2021-06-15 (public-credentials@w3.org from June 2021)

From: Alan Karp <alanhkarp@gmail.com>
Date: Tue, 15 Jun 2021 12:37:35 -0700
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Adrian Gropper <agropper@healthurl.com>, W3C Credentials Community Group <public-credentials@w3.org>
Message-ID: <CANpA1Z0x2j6NsXZ0RSCEb=d7O0ubD3z9faTWHLKxo=fzsPzVFA@mail.gmail.com>

On Tue, Jun 15, 2021 at 12:05 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 6/15/21 2:52 PM, Alan Karp wrote:
> > I believe delegation must be a MUST.
>
> This is the point of contention. If we say "MUST", then we must define a
> mechanism, of which there are zero that are ready to go...

I say the following with great trepidation.

I would rather see no authorization mechanism included in the spec than
have one that is flawed.  (Sorry, Adrian.)  The risk of implementations
going down the wrong track is simply too high.  However, the spec should be
designed so authorizations can be added later.

Is it possible to include recommendations for those who want authorizations?

--------------
Alan Karp

Received on Tuesday, 15 June 2021 19:39:15 UTC