Re: PROPOSALs for VC HTTP API call on 2021-06-22

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Thu, 24 Jun 2021 13:22:00 -0400
To: public-credentials@w3.org
Message-ID: <a83eca33-f9eb-8cf5-f2c3-24a763cd54b6@digitalbazaar.com>

On 6/24/21 12:57 PM, Alan Karp wrote:
> That has been my concern all along, but I believe the complexity is 
> manageable if we carefully define which fields of a VC must and must not
> be used when creating a permission token.

This requires people to understand the nuances... and this thread is a good
example of very informed people not grasping the nuances, complexity, and
dangers of what's being proposed.

Good technology shouldn't require a tremendous amount of explanation to
prevent harmful uses. If we are going to support authorization models being
expressed as VCs, we are going to end up with a lot of people mis-using the

In other words, VCs-as-permission-tokens are a foot-gun[1]... we should warn
against that use and instead nudge people towards using other capability
systems that are designed to address the use cases (OAuth/RAR, GNAP/RAR,
ZCAPs, etc.)

VCs-as-attribute-based-permission-tokens are a really dangerous idea.

-- manu


Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
Received on Thursday, 24 June 2021 17:22:34 UTC

