Re: PROPOSALs for VC HTTP API call on 2021-06-22

From: Alan Karp <alanhkarp@gmail.com>
Date: Mon, 21 Jun 2021 13:47:41 -0700
Message-ID: <CANpA1Z0pohykjbCk7nT8zaM-EgKfE=J9qU4qQ+SaD6K5B1EKSw@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: W3C Credentials CG <public-credentials@w3.org>

I asked a number of people expert in capability systems if delegation is
necessary to have a viable system.  They concluded it was unless every
holder of an authorization token proxies every request in lieu of
delegating.  I don't know how viable proxying is in the VC use cases.

Given that information, I would like to see an option specifying that
verified credentials MUST NOT be used as authorizations unless they support
attenuated delegation (I believe the OAuth term is sub-scope
re-delegation) and that any such system SHOULD support revocation.

If you don't support delegation, people will be forced to share access
tokens.  The result will be loss of an audit trail and the likelihood that
they will share more permissions than necessary.  The result is a less
secure system that is harder to use.

--------------
Alan Karp


On Mon, Jun 21, 2021 at 12:52 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> Hi all, Here are some of the proposals that we didn't get to on the call
> last week. We'll be processing them this week (these are all proposals
> that have been circulated on the mailing list, I'm just summarizing them
> here):
>
> PROPOSAL: Implementations SHOULD support authorization delegation by using
> technologies such as GNAP and Authorization Capabilities.
>
> PROPOSAL: Implementations MUST support authorization delegation by using
> technologies such as GNAP and Authorization Capabilities.
>
> PROPOSAL: Implementations are informally urged to support authorization
> delegation. Implementations MAY support other authorization mechanisms,
> especially ones that support authorization delegation.
>
> PROPOSAL: Implementations MUST support OAuth2 for the /credentials/verify
> endpoint. Implementations MAY support other authorization mechanisms for
> the /credentials/verify endpoint.
>
> We will be running these proposals tomorrow to come to some decisions wrt.
> the direction of the authorization aspect of the work... after we process
> a few PRs and issues.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
Received on Monday, 21 June 2021 20:48:22 UTC
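
The contrast the message above draws between attenuated delegation and token sharing, as an added example that is not part of the original thread or of any VC HTTP API implementation. It uses macaroon-style chained HMACs rather than GNAP or Authorization Capabilities; the key, holder names, action names and every function name are constructed for illustration.

```python
import hashlib
import hmac

ROOT_KEY = b"constructed-demo-root-key"  # assumption: known only to the resource server
REVOKED = set()                          # signatures of revoked links (hex)

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _link(holder: str, actions: set) -> str:
    return f"holder={holder};actions={','.join(sorted(actions))}"

def mint(holder: str, actions: set) -> dict:
    """Server issues a root token to `holder` for `actions`."""
    link = _link(holder, actions)
    return {"links": [link], "sig": _mac(ROOT_KEY, link).hex()}

def delegate(token: dict, to: str, actions: set) -> dict:
    """A holder derives a token for `to` offline, keyed by its own signature."""
    link = _link(to, actions)
    sig = _mac(bytes.fromhex(token["sig"]), link).hex()
    return {"links": token["links"] + [link], "sig": sig}

def revoke(token: dict) -> None:
    """Revoke this token and everything delegated from it."""
    REVOKED.add(token["sig"])

def verify(token: dict, action: str):
    """Return the delegation chain (the audit trail) if allowed, else None."""
    key, allowed, chain = ROOT_KEY, None, []
    for link in token["links"]:
        key = _mac(key, link)
        if key.hex() in REVOKED:
            return None
        fields = dict(part.split("=", 1) for part in link.split(";"))
        acts = set(filter(None, fields["actions"].split(",")))
        # Attenuation: a link can only narrow what its parent allowed.
        allowed = acts if allowed is None else allowed & acts
        chain.append(fields["holder"])
    if not hmac.compare_digest(key.hex(), token["sig"]):
        return None  # links were edited or the signature is forged
    return chain if action in allowed else None
```

Had alice simply handed bob her own token, every request would verify with the chain `["alice"]`, carry her full action set, and be revocable only by cutting off alice as well.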