Re: The dangers of using VCs as permission tokens from Daniel Hardman on 2021-06-28 (public-credentials@w3.org from June 2021)

From: Daniel Hardman <daniel.hardman@gmail.com>
Date: Mon, 28 Jun 2021 09:57:19 +0200
To: Alan Karp <alanhkarp@gmail.com>
Cc: Kim Hamilton <kimdhamilton@gmail.com>, Manu Sporny <msporny@digitalbazaar.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <CACU_chkTB1iK-5W29kdRsd=Xm2argzJUnKJh2C6CMURsAGiocg@mail.gmail.com>

The use case that Kyle describes around delegation seems reasonable -- but
I don't agree with the article's suggestion about how this would/could be
modeled with VCs. The complexity of VCs as a delegation mechanism is not an
inherent characteristic of VCs, but rather a characteristic of the wrong VC
schemas. In other words, Kyle's critique might be better summarized as, "If
you attempt to adapt complex VCs that weren't built for delegation to a
simple delegation problem, you get a lot of baggage that makes it easy to
make mistakes." Cue Alan's comment about confusion...

My conclusion would be: "Don't use complex VC schemas to delegate along the
lines of the model Kyle warned against."

We had a deep discussion about whether or not to use VCs as OCAPs,
facilitated by the chairs of the CCG. I suggest that if we want to explore
this topic further, we allocate proper time and focus to it again, rather
than touching on it in smaller, less contextualized increments.

--Daniel

Received on Monday, 28 June 2021 07:57:43 UTC