On 6/24/21 12:57 PM, Alan Karp wrote:
> That has been my concern all along, but I believe the complexity is
> manageable if we carefully define which fields of a VC must and must not
> be used when creating a permission token.

This requires people to understand the nuances... and this thread is a good example of very informed people not grasping the nuances, complexity, and dangers of what's being proposed.

Good technology shouldn't require a tremendous amount of explanation to prevent harmful uses. If we are going to support authorization models being expressed as VCs, we are going to end up with a lot of people mis-using the technology.

In other words, VCs-as-permission-tokens are a foot-gun[1]... we should warn against that use and instead nudge people towards using other capability systems that are designed to address the use cases (OAuth/RAR, GNAP/RAR, ZCAPs, etc.)

VCs-as-attribute-based-permission-tokens are a really dangerous idea.

-- manu

[1] https://news.ycombinator.com/item?id=17393292

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Thursday, 24 June 2021 17:22:34 UTC