- From: Alan Karp <alanhkarp@gmail.com>
- Date: Thu, 24 Jun 2021 21:44:35 -0700
- To: Nikos Fotiou <fotiou@aueb.gr>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CANpA1Z0in_hqW9iQn02751E-scM+EZhvQcZvzFsvzEaH88Xatg@mail.gmail.com>
On Thu, Jun 24, 2021 at 2:18 PM Nikos Fotiou <fotiou@aueb.gr> wrote: > AFAIU there is no such thing “kind of VC”. Whether the claims included in > a VC are “properties”, or “permissions” is a conceptual/higher layer thing. > Also I don’t understand why “Alice delegates to Bob” is translated into > “Alice issues a VC to Bob” (Kyle’s example). This makes things complicated. > IMHO that should translate into “Alice asks her issuer to generate a VC for > Bob”, e.g., “Alice the manager asks her company to generate a manager VC > for Bob while she is on vacation”, “Alice the file owner asks cloud storage > X to generate a “read access” VC for Bob”. > You are correct. I proposed that such a distinction is needed when someone suggested using VCs as authorization tokens. You have described the two ways to do delegation of permission tokens. If they are certificates, Alice can create one herself, an approach described in several places including zcap-ld. If they are opaque, such as OAuth bearer tokens, Alice must ask her issuer to create one for Bob, a process called "token exchange" in the OAuth world. > > > In any case, my point is that Manu wrote that “it's so complicated (and > thus dangerous) to use VCs as permissions tokens” and suggested OAuth/RAR > as an alternative. But I really don’t see any difference between a RAR > token and a VC. Note also that OAuth/RAR does not support “attenuated > delegation of permissions”, at least the way you describe them. > I don't either. I view RAR as a means to describe which permissions token to give out. That's why it doesn't bother me that RAR doesn't support attenuated delegation of permissions. -------------- Alan Karp
Received on Friday, 25 June 2021 04:45:09 UTC