
Re: Verifiable Credentials as Authorization Anti-Pattern (was Re: Funded Deployments of Verifiable Credentials - framework for meta-credentials)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Thu, 8 Sep 2022 15:54:24 -0400
Message-ID: <CAMBN2CRLU-Fhf-gfg-b440B2PFS6SRr9oTagOLsba601Gv-77Q@mail.gmail.com>
To: W3C Credentials CG <public-credentials@w3.org>

On Thu, Sep 8, 2022 at 3:32 PM David Chadwick
<d.w.chadwick@truetrust.co.uk> wrote:
> I am asserting that with an appropriate schema a VC can be specified to be a capability.

Ok, good, let's go down that path. In order to do that, we would have to:

1. Change the current specification, or define a new specification and
add a new VC type called "Capability" (so we can tell a capability
apart from a regular VC).

2. We would need to add properties for "resource" and "action" (at the
very least).

3. We would also need to add properties to designate parentCapability,
invoker, caveats, and pointers to capability chains.

4. We would have to define new normative cryptographic verification
rules that are substantially different from how you verify VCs (for
DI, JWT-VC, etc.). Remember, you can delegate and chain capabilities,
and the capability isn't valid unless you also validate the capability
chain, and the way you do that is different from the way you validate
VCs. We would have to specifically make VC-based (DI/JWT-VC/etc.)
verification illegal (because the danger is that someone does that, a
regular VC Verifier gives you a "signature is valid" without checking
the capability chain, which it has no idea how to do).

5. We'd have to also figure out what it means to "present" a
capability and create language that tries to explain that "presenting
a capability" is really "invoking it"... which will probably require
us to redefine how presentation works, but only for this very specific
type of Capability VC.

These are just the specification problems that I can think of at this
moment, never mind the developer confusion that will be created by
trying to embed a security model that is quite different from a VC,
into a VC.

How do you suggest we address at least the problems above, David?

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Thursday, 8 September 2022 19:55:13 UTC
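
The gap described in point 4 of the message above, as an added example that is not part of the original message or of any specification: a signature-only check accepts a delegated capability that a chain check rejects. The property names come from the message; the DIDs, URNs, keys and function names are constructed for illustration, HMAC stands in for each party's digital signature, and caveats and invocation proofs are left out.

```python
import hashlib, hmac, json

# Constructed keys; HMAC is a stand-in for each party's signature (assumption).
KEYS = {"did:ex:root": b"root-key", "did:ex:alice": b"alice-key",
        "did:ex:mallory": b"mallory-key"}

def _sig(signer, doc):
    body = json.dumps({k: v for k, v in doc.items() if k != "proof"}, sort_keys=True)
    return hmac.new(KEYS[signer], body.encode(), hashlib.sha256).hexdigest()

def issue(signer, cap_id, invoker, resource, actions, parent=None):
    cap = {"id": cap_id, "invoker": invoker, "resource": resource,
           "action": sorted(actions), "parentCapability": parent}
    cap["proof"] = {"signer": signer, "value": _sig(signer, cap)}
    return cap

def signature_valid(cap):
    """What a plain VC-style verifier checks: the proof matches the document."""
    proof = cap["proof"]
    return hmac.compare_digest(proof["value"], _sig(proof["signer"], cap))

def chain_valid(cap, store, root_controller):
    """Capability check: walk parentCapability to the root, validating each link."""
    seen = set()
    while True:
        if cap["id"] in seen or not signature_valid(cap):
            return False
        seen.add(cap["id"])
        if cap["parentCapability"] is None:
            # The root must be signed by the controller of the resource.
            return cap["proof"]["signer"] == root_controller
        parent = store.get(cap["parentCapability"])
        if parent is None:
            return False
        # Only the parent's invoker may delegate, and only by narrowing the grant.
        if cap["proof"]["signer"] != parent["invoker"]:
            return False
        if cap["resource"] != parent["resource"] or not set(cap["action"]) <= set(parent["action"]):
            return False
        cap = parent

def demo():
    res = "https://example.test/docs"
    root = issue("did:ex:root", "urn:cap:1", "did:ex:alice", res, ["read", "write"])
    good = issue("did:ex:alice", "urn:cap:2", "did:ex:bob", res, ["read"], "urn:cap:1")
    # Signed correctly by its author, but that author never held urn:cap:1.
    bad = issue("did:ex:mallory", "urn:cap:3", "did:ex:mallory", res, ["write"], "urn:cap:1")
    store = {"urn:cap:1": root}
    return {name: (signature_valid(c), chain_valid(c, store, "did:ex:root"))
            for name, c in (("good", good), ("bad", bad))}
```

Each tuple returned by `demo()` is (signature-only result, chain result); the two disagree only for the capability whose delegator was never the parent's invoker.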
