- From: Alan Karp <alanhkarp@gmail.com>
- Date: Mon, 21 Jun 2021 13:47:41 -0700
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
- Message-ID: <CANpA1Z0pohykjbCk7nT8zaM-EgKfE=J9qU4qQ+SaD6K5B1EKSw@mail.gmail.com>
I asked a number of people expert in capability systems if delegation is necessary to have a viable system. They concluded it was unless every holder of an authorization token proxies every request in lieu of delegating. I don't know how viable proxying is in the VC use cases. Given that information, I would like to see an option specifying that verified credentials MUST NOT be used as authorizations unless they support attenuated delegation (I believe the OAuth term is sub-scope re-delegation.) and that any such system SHOULD support revocation. If you don't support delegation, people will be forced to share access tokens. The result will be loss of an audit trail and the likelihood that they will share more permissions than necessary. The result is a less secure system that is harder to use. -------------- Alan Karp On Mon, Jun 21, 2021 at 12:52 PM Manu Sporny <msporny@digitalbazaar.com> wrote: > Hi all, Here are some of the proposals that we didn't get to on the call > last > week. We'll be processing them this week (these are all proposals that have > been circulated on the mailing list, I'm just summarizing them here): > > PROPOSAL: Implementations SHOULD support authorization delegation by using > technologies such as GNAP and Authorization Capabilities. > > PROPOSAL: Implementations MUST support authorization delegation by using > technologies such as GNAP and Authorization Capabilities. > > PROPOSAL: Implementations are informally urged to support authorization > delegation. Implementations MAY support other authorization mechanisms, > especially ones that support authorization delegation. > > PROPOSAL: Implementations MUST support OAuth2 for the /credentials/verify > endpoint. Implementations MAY support other authorization mechanisms for > the > /credentials/verify endpoint. > > We will be running these proposals tomorrow to come to some decisions wrt. > the > direction of the authorization aspect of the work... after we process a few > PRs and issues. > > -- manu > > -- > Manu Sporny - https://www.linkedin.com/in/manusporny/ > Founder/CEO - Digital Bazaar, Inc. > News: Digital Bazaar Announces New Case Studies (2021) > https://www.digitalbazaar.com/ > > > >
Received on Monday, 21 June 2021 20:48:22 UTC