Re: VC HTTP API Endpoint Authz Needs (was: Re: Attempting to block work)

On Tue, Jun 15, 2021 at 12:41 PM Michael Herman (Trusted Digital Web) <> wrote:

> Sideways question: With capability authorizations, is it a "given" that
> the VCA must (😊) be transmitted as part of the inbound transaction (e.g.
> the HTTP request)?
Yes.  It's important not to separate designation (which resource you are
invoking) from authorization (which permission you wish to use).

> ...or as an alternate design, can a service endpoint (that
> receives/processes the inbound transactions) alternately query an
> authorization service passing the invoker's identity and the subject
> resource's identity to retrieve the applicable VCA (if it exists)?

That doesn't work.  Say that your "friend" Alice asks you to copy a file of
yours, call it A, to a file of hers, call it B.  However, she specifies a
very important file of yours as B.  When you go to write the file, the
service endpoint will find the VCA of yours with write permission and will
clobber file B.  You've just become a confused deputy.

Alan Karp


Received on Tuesday, 15 June 2021 22:50:05 UTC