RAR and attenuated delegation (was: Re: PROPOSALs for VC HTTP API call on 2021-06-22)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Fri, 25 Jun 2021 09:11:49 -0400
To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <a4d3995c-95d1-02d0-694d-bfbe3d413309@digitalbazaar.com>

On 6/25/21 12:44 AM, Alan Karp wrote:
>> In any case, my point is that Manu wrote that “it's so complicated (and 
>> thus dangerous) to use VCs as permissions tokens” and suggested
>> OAuth/RAR as an alternative. But I really don’t see any difference
>> between a RAR token and a VC. Note also that OAuth/RAR does not support
>> “attenuated delegation of permissions”, at least the way you describe
>> them.
> 
> I don't either.  I view RAR as a means to describe which permissions token
> to give out.  That's why it doesn't bother me that RAR doesn't support
> attenuated delegation of permissions.

I'm almost certainly wrong to suggest OAuth/RAR as a solution, then. :)

I don't know much about RAR -- it was raised on the last VC HTTP API call as,
at least -- what I interpreted as, a solution to the delegation and attenuated
delegation use cases.

I read the RAR spec from top to bottom last week, and I can see how RAR
/could/ be used for delegation and attenuated delegation... but failed to find
the specs that defined how to do delegation and attenuated delegation with
RAR. So, I thought I'd wait for Justin's presentation to understand what the
story there is today and how the VC HTTP API could benefit from it.

If the answer is "there is no concrete attenuated delegation story for RAR",
then I fail to see why it's being proposed as a solution for the attenuated
delegation use cases.

To put this in perspective, ZCAPs have a mechanism and vocabulary to do
attenuated delegation (that's implemented and in use by multiple Encrypted
Data Vault implementations):

https://github.com/digitalbazaar/ezcap#usage

It's that sort of functionality that I was expecting to come with OAuth/RAR...
is there a spec I'm missing wrt. delegation and/or attenuated delegation with
OAuth/RAR?

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Friday, 25 June 2021 13:12:12 UTC

This archive was generated by hypermail 2.4.0 : Friday, 25 June 2021 13:12:13 UTC