- From: Kim Hamilton <kimdhamilton@gmail.com>
- Date: Sun, 27 Jun 2021 18:22:17 -0700
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: public-credentials@w3.org
- Message-ID: <CAFmmOzdYoZg_ar0xE-2c8WJ1bW+StMhLTZtDFYESt5hQ_OmDhQ@mail.gmail.com>
+1, Kyle’s explanations and examples are fantastic. Reading this next:
https://kyledenhartog.com/delegation-in-verifiable-credentials/

On Thu, Jun 24, 2021 at 10:15 AM Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 6/24/21 12:35 PM, Kyle Den Hartog wrote:
> > Agreed, when it comes to the number of checks that occur it's much greater
> > because of the delegation. With that in mind, looking at the semantics only
> > of the system VCs in my opinion weren't optimally designed for permission
> > tokens. This difference between the two requires that an implementation
> > that wants to support both claims tokens and permissions tokens has to
> > grapple with the different mental models that arise when trying to stuff
> > these things together. This introduces additional complexity. Additionally
> > it leads to weird statements that are being made where it's difficult to
> > tell if the VC is behaving like a claims token or a permissions token.
>
> Yes, exactly this. Exactly what Kyle states above is the reason why it's so
> complicated (and thus dangerous) to use VCs as permissions tokens.
>
> This is one of the primary reasons that we separated out the Authorization
> Capabilities work from the Verifiable Credentials work. Things get really
> complicated when you start mixing authz/authn/claims/permissions into a
> Verifiable Credential. Just because you can do it doesn't mean you should.
>
> Much of the complexity that gets created in such a system that mixes all those
> concepts together goes away when you clearly separate claims tokens from
> permissions tokens.
>
> I suggest that folks take a look at Kyle's post to see how intractable the
> problem becomes when you don't do proper separation of concerns and depend on
> attributes to convey permissions:
>
> https://kyledenhartog.com/example-authz-with-VCs/
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/

Received on Monday, 28 June 2021 01:22:41 UTC