Sideways question: With capability authorizations, is it a "given" that the VCA must (😊) be transmitted as part of the inbound transaction (e.g. the HTTP request)?
...or as an alternate design, can a service endpoint (that receives/processes the inbound transactions) alternately query an authorization service passing the invoker's identity and the subject resource's identity to retrieve the applicable VCA (if it exists)?
Michael
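An added illustration of the first design Michael describes (not code from this thread, from ZCAP or from Digital Bazaar): the capability and its delegation chain are carried with the request, so the endpoint verifies authority from what it received instead of querying an authorization service. The party names, the `/docs/1` resource and HMAC signing with shared secrets are assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import json

# Constructed illustration, not the ZCAP data model or any library's API: the
# capability and its delegation chain travel with the request, so the endpoint
# can verify authority locally. HMAC with per-party shared secrets stands in for
# public-key proofs only to keep the example self-contained.
KEYS = {"owner": b"owner-secret", "alice": b"alice-secret", "bob": b"bob-secret"}

def _sign(signer, body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def make_capability(signer, controller, resource, actions, parent_sig=None):
    """`signer` grants `controller` the listed actions on `resource`; a delegated
    capability names (by signature) the parent it attenuates."""
    body = {"controller": controller, "resource": resource,
            "actions": sorted(actions), "parent": parent_sig}
    return {**body, "proof": {"signer": signer, "sig": _sign(signer, body)}}

def verify_chain(chain, owner):
    """Walk root -> leaf. Each link must be signed by the previous controller (the
    root by the resource owner), reference its parent, keep the same resource and
    only narrow the action set. Any failure rejects the whole chain."""
    expected_signer, allowed, parent_sig = owner, None, None
    for cap in chain:
        body = {k: v for k, v in cap.items() if k != "proof"}
        if expected_signer not in KEYS or cap["proof"]["signer"] != expected_signer:
            return False
        if cap["parent"] != parent_sig or cap["resource"] != chain[0]["resource"]:
            return False
        if not hmac.compare_digest(cap["proof"]["sig"], _sign(expected_signer, body)):
            return False
        if allowed is not None and not set(cap["actions"]) <= allowed:
            return False
        allowed, expected_signer = set(cap["actions"]), cap["controller"]
        parent_sig = cap["proof"]["sig"]
    return True

def authorize(invoker, action, chain, owner="owner"):
    """Endpoint decision for an inbound request that carries `chain`."""
    return (verify_chain(chain, owner) and chain[-1]["controller"] == invoker
            and action in chain[-1]["actions"])

# Owner grants alice read+write on one resource; alice delegates read-only to bob.
ROOT = make_capability("owner", "alice", "/docs/1", ["read", "write"])
DELEGATED = make_capability("alice", "bob", "/docs/1", ["read"], ROOT["proof"]["sig"])
```

In the lookup design Michael mentions as the alternative, the same delegation would have to be recorded in the authorization service (keyed by invoker and resource) before bob's request could be answered, which is where the chain-carrying model differs.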
-----Original Message-----
From: Manu Sporny <msporny@digitalbazaar.com>
Sent: June 15, 2021 1:05 PM
To: Alan Karp <alanhkarp@gmail.com>; Adrian Gropper <agropper@healthurl.com>
Cc: W3C Credentials Community Group <public-credentials@w3.org>
Subject: Re: VC HTTP API Endpoint Authz Needs (was: Re: Attempting to block work)
On 6/15/21 2:52 PM, Alan Karp wrote:
> I believe delegation must be a MUST.
This is the point of contention. If we say "MUST", then we must define a mechanism, of which there are zero that are ready to go...
That doesn't mean that people aren't experimenting with capabilities and capability delegation and the VC HTTP API. Digital Bazaar certainly is with ZCAPs... but we don't want to impose that sort of pain on the rest of the group. What we are fairly certain of at this point is that the current design doesn't preclude capability-based delegation, so we're happy to leave it there until the community is ready to make a stand on a capability-based delegation hill in the future.
To put it in perspective, this is already happening in the Encrypted Data Vault work -- that does support capability-based delegation... but it's more experimental (and so people are more willing to take chances) than with the VC HTTP API work.
-- manu
--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/