Re: PROPOSALs for VC HTTP API call on 2021-06-22

On 6/21/21 4:47 PM, Alan Karp wrote:
> I asked a number of people expert in capability systems if delegation is 
> necessary to have a viable system.  They concluded it was unless every 
> holder of an authorization token proxies every request in lieu of 
> delegating.  I don't know how viable proxying is in the VC use cases.

It's not very viable, IMHO.

Also, please refrain from "I talked to experts and they said X." without
linking to the discussion. Too much of our industry does the whole "deference
to authority" thing, when what we need to be doing is building from first
principles and allowing everyone to reason about the path forward. Yes, expert
opinion is useful, but being able to do the reasoning yourself is better.

> Given that information, I would like to see an option specifying that 
> verified credentials MUST NOT be used as authorizations unless they
> support attenuated delegation (I believe the OAuth term is sub-scope 
> re-delegation.) and that any such system SHOULD support revocation.

Ok, I will put that on the list of proposals:

PROPOSAL: Verifiable Credentials MUST NOT be used as authorizations unless
attenuated delegation is supported. Such a system SHOULD support revocation.

> If you don't support delegation, people will be forced to share access 
> tokens.  The result will be loss of an audit trail and the likelihood that
>  they will share more permissions than necessary.  The result is a less 
> secure system that is harder to use.

Agreed, but I'm not sure everyone gets that yet in this community.

I'm interested to see how the discussion between you and David Chadwick
proceeds. I think it will be enlightening to the community.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Tuesday, 22 June 2021 19:48:14 UTC