- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Fri, 25 Jun 2021 09:11:49 -0400
- To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
On 6/25/21 12:44 AM, Alan Karp wrote: >> In any case, my point is that Manu wrote that “it's so complicated (and >> thus dangerous) to use VCs as permissions tokens” and suggested >> OAuth/RAR as an alternative. But I really don’t see any difference >> between a RAR token and a VC. Note also that OAuth/RAR does not support >> “attenuated delegation of permissions”, at least the way you describe >> them. > > I don't either. I view RAR as a means to describe which permissions token > to give out. That's why it doesn't bother me that RAR doesn't support > attenuated delegation of permissions. I'm almost certainly wrong to suggest OAuth/RAR as a solution, then. :) I don't know much about RAR -- it was raised on the last VC HTTP API call as, at least -- what I interpreted as, a solution to the delegation and attenuated delegation use cases. I read the RAR spec from top to bottom last week, and I can see how RAR /could/ be used for delegation and attenuated delegation... but failed to find the specs that defined how to do delegation and attenuated delegation with RAR. So, I thought I'd wait for Justin's presentation to understand what the story there is today and how the VC HTTP API could benefit from it. If the answer is "there is no concrete attenuated delegation story for RAR", then I fail to see why it's being proposed as a solution for the attenuated delegation use cases. To put this in perspective, ZCAPs have a mechanism and vocabulary to do attenuated delegation (that's implemented and in use by multiple Encrypted Data Vault implementations): https://github.com/digitalbazaar/ezcap#usage It's that sort of functionality that I was expecting to come with OAuth/RAR... is there a spec I'm missing wrt. delegation and/or attenuated delegation with OAuth/RAR? -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/
Received on Friday, 25 June 2021 13:12:12 UTC