On Thu, Jun 24, 2021 at 11:05 AM Nikos Fotiou <fotiou@aueb.gr> wrote: > I don't understand why an OAuth/RAR token is different from a VC. At least > to > me the example here > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-05#section-7 is > very similar to a VC. Moreover, AFAIU, OAuth/RAR does not consider > delegation > hence Kyle's example cannot be implemented using OAuth/RAR (and this leads > me > to the question, why do we need delegation in VCs?) Which kind of VC are you referring to? A claims VC, e.g., Alice has passed her driver's test, or a permission VC, e.g., this token grants permission to drive this specific car. Typically, you don't know who will verify a claims VC, e.g., any traffic cop, but you do know for a permissions VC, the car. Delegating a claim depends on policy. It doesn't make sense to allow Alice to delegate her driver's license, but Alice may wish to delegate her position as manager to Bob while she is on vacation. It always makes sense to allow attenuated delegation of permissions. Alice, with permission to read and write a particular file, may want Bob to be able to read it. If she can't delegate that subset of her permissions, she will have to share whatever credential, e.g., OAuth access token, she uses. In that case, Bob gets permissions Alice would rather he not have, and there is no way to know which requests were made by Bob and not Alice. -------------- Alan Karp
Received on Thursday, 24 June 2021 20:39:46 UTC