RE: PROPOSALs for VC HTTP API call on 2021-06-22

AFAIU there is no such thing “kind of VC”. Whether the claims included in a VC are “properties”, or “permissions” is a conceptual/higher layer thing. Also I don’t understand why “Alice delegates to Bob” is translated into “Alice issues a VC to Bob” (Kyle’s example). This makes things complicated. IMHO that should translate into “Alice asks her issuer to generate a VC for Bob”, e.g., “Alice the manager asks her company to generate a manager VC for Bob while she is on vacation”, “Alice the file owner asks cloud storage X to generate a “read access” VC for Bob”.


In any case, my point is that Manu wrote that “it's so complicated (and thus dangerous) to use VCs as permissions tokens” and suggested OAuth/RAR as an alternative. But I really don’t see any difference between a RAR token and a VC. Note also that OAuth/RAR does not support “attenuated delegation of permissions”, at least the way you describe them.





From: Alan Karp <> 
Sent: Thursday, June 24, 2021 11:39 PM
To: Nikos Fotiou <>
Cc: Manu Sporny <>; W3C Credentials CG (Public List) <>
Subject: Re: PROPOSALs for VC HTTP API call on 2021-06-22


On Thu, Jun 24, 2021 at 11:05 AM Nikos Fotiou < <>> wrote:

I don't understand why an OAuth/RAR token is different from a VC. At least to
me the example here
 <> is
very similar to a VC. Moreover, AFAIU, OAuth/RAR does not consider delegation
hence Kyle's example cannot be implemented using OAuth/RAR (and this leads me
to the question, why do we need delegation in VCs?)


Which kind of VC are you referring to?  A claims VC, e.g., Alice has passed her driver's test, or a permission VC, e.g., this token grants permission to drive this specific car.  Typically, you don't know who will verify a claims VC, e.g., any traffic cop, but you do know for a permissions VC, the car. 


Delegating a claim depends on policy.  It doesn't make sense to allow Alice to delegate her driver's license, but Alice may wish to delegate her position as manager to Bob while she is on vacation.  


It always makes sense to allow attenuated delegation of permissions.  Alice, with permission to read and write a particular file, may want Bob to be able to read it.  If she can't delegate that subset of her permissions, she will have to share whatever credential, e.g., OAuth access token, she uses.  In that case, Bob gets permissions Alice would rather he not have, and there is no way to know which requests were made by Bob and not Alice.

Alan Karp

Received on Thursday, 24 June 2021 21:18:32 UTC