On Thu, Jun 24, 2021 at 11:05 AM Nikos Fotiou <fotiou@aueb.gr> wrote:
> I don't understand why an OAuth/RAR token is different from a VC. At least
> to
> me the example here
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-05#section-7 is
> very similar to a VC. Moreover, AFAIU, OAuth/RAR does not consider
> delegation
> hence Kyle's example cannot be implemented using OAuth/RAR (and this leads
> me
> to the question, why do we need delegation in VCs?)
Which kind of VC are you referring to? A claims VC, e.g., Alice has passed
her driver's test, or a permission VC, e.g., this token grants permission
to drive this specific car. Typically, you don't know who will verify a
claims VC, e.g., any traffic cop, but you do know for a permissions VC, the
car.
Delegating a claim depends on policy. It doesn't make sense to allow Alice
to delegate her driver's license, but Alice may wish to delegate her
position as manager to Bob while she is on vacation.
It always makes sense to allow attenuated delegation of permissions.
Alice, with permission to read and write a particular file, may want Bob to
be able to read it. If she can't delegate that subset of her permissions,
she will have to share whatever credential, e.g., OAuth access token, she
uses. In that case, Bob gets permissions Alice would rather he not have,
and there is no way to know which requests were made by Bob and not Alice.
--------------
Alan Karp