Re: Any Good use case of PAM (Privileged account Management) using Vcs

"One should delegate rights, not credentials." Perfectly put, Bob.

BTW, one *can* use a special class of VCs to delegate rights. There are
several efforts to define such delegation models—see this discussion of
Zcaps <https://kyledenhartog.com/comparing-VCs-with-zcaps/> from Kyle Den
Hartog and the ToIP Authentic Chained Data Container
<https://wiki.trustoverip.org/display/HOME/ACDC+%28Authentic+Chained+Data+Container%29+Task+Force>
(ACDC) Task Force.

Best,

=Drummond

On Sun, Nov 7, 2021 at 11:17 AM Bob Wyman <bob@wyman.us> wrote:

> Sethi,
> You asked: "I want to give Access of a machine to my Colleague by sharing
> VC of (Privileged account) ."
>
> Delegating the rights associated with a VC is sometimes quite reasonable
> and may be supported; however, delegating the right to use an existing VC
> should not be supported. In commonly understood terms, it might sometimes
> be reasonable for me to delegate to you the right to act on my behalf, but
> it is never reasonable to delegate to you the right to "be" me. If you take
> an action, based on rights which were originally delegated to me, the fact
> that it was you, not me, who acted, should be discoverable, even if I
> approve of your actions. A common example of this is when someone uses a
> "Power of Attorney" to sign a contract. When they do, they typically sign
> documents with their own names and an annotation "on behalf of," "for," or
> "by power of attorney"; they don't forge the signature of the one who
> granted the power of attorney.
>
> One should delegate rights, not credentials.
>
> bob wyman
>
>
> On Sat, Nov 6, 2021 at 7:48 PM sethi shivam <sethishivam27@gmail.com>
> wrote:
>
>> Hi Team,
>>
>> Is it possible that we can give our VCs to someone for a particular
>> period of time?
>>
>> Like I am on vacation and I want to give Access of a machine to my
>> Colleague by sharing VC of (Privileged account) .
>>
>> And my second question is:
>>
>> Is there any good enterprise-level use case of managing Privileged
>> accounts using VCs?
>>
>> I am just trying to explore PIM-PAM use cases with VCs.
>> PIM = Privileged Identity Management
>>
>> Today we have many tools like CyberArk, BeyondTrust.
>>
>>
>> Best Regards
>> Sethi Shivam
>>
>

Received on Monday, 8 November 2021 00:41:02 UTC
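
Added example, not part of the original messages and not zcap or ACDC code: a sketch of the "delegate rights, not credentials" model discussed in this thread, with a time-limited delegation and an audit record that names both the actor and the party acted for. The party names, the "login" right, the "build-server" target and all keys are constructed; HMAC keys stand in for each party's signing key so the block runs on the Python standard library, where a real system would use asymmetric signatures.

```python
import hashlib, hmac, json

# Constructed demo keys (assumption): HMAC stands in for per-party signatures.
KEYS = {"owner": b"owner-demo-key", "colleague": b"colleague-demo-key"}
# Rights held at the root, as (holder, action, target). Constructed policy.
ROOT_RIGHTS = {("owner", "login", "build-server")}

def sign(who, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[who], body, hashlib.sha256).hexdigest()

def delegate(delegator, delegate_to, action, target, not_after):
    """The delegator issues a capability in its own name; no credential is shared."""
    cap = {"delegator": delegator, "delegate": delegate_to,
           "action": action, "target": target, "not_after": not_after}
    return {"cap": cap, "proof": sign(delegator, cap)}

def invoke(invoker, capability):
    """The delegate signs the request with its OWN key, so the actor is visible."""
    req = {"invoker": invoker, "capability": capability}
    return {"req": req, "proof": sign(invoker, req)}

def verify(invocation, now):
    """Return (audit_record, "ok") or (None, reason). `now` is the verifier's clock."""
    req = invocation["req"]
    cap = req["capability"]["cap"]

    def proof_ok(who, payload, proof):
        return who in KEYS and hmac.compare_digest(sign(who, payload), proof)

    if not proof_ok(req["invoker"], req, invocation["proof"]):
        return None, "bad invoker proof"
    if not proof_ok(cap["delegator"], cap, req["capability"]["proof"]):
        return None, "bad delegation proof"
    if req["invoker"] != cap["delegate"]:
        return None, "invoker is not the delegate"
    if (cap["delegator"], cap["action"], cap["target"]) not in ROOT_RIGHTS:
        return None, "delegator does not hold this right"
    if now > cap["not_after"]:
        return None, "delegation expired"
    # The audit record keeps the "on behalf of" annotation from the thread.
    return {"actor": req["invoker"], "on_behalf_of": cap["delegator"],
            "action": cap["action"], "target": cap["target"]}, "ok"
```

The expiry is checked against the verifier's own clock rather than a time supplied by the invoker, and the sketch does not address replay or revocation.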