- From: Steve Capell <steve.capell@gmail.com>
- Date: Fri, 9 Sep 2022 06:07:53 +1000
- To: David Chadwick <d.w.chadwick@truetrust.co.uk>
- Cc: public-credentials@w3.org
- Message-Id: <BB815C97-63BB-41DF-BF0F-E4AC301964EC@gmail.com>

David C said “I am asserting that with an appropriate schema a VC can be specified to be a capability.”

Dave L said “This is the core problem with trying to shoehorn authorizations into VCs.”

I offer this:

With appropriate changes, you can always take several different “things” and turn them into one “do-any-thing” - but in my 20 years as an enterprise architect I’ve never once seen that strategy pay off. It’s always better to have a dozen nimble and loosely coupled systems, each doing one thing well, than it is to try to shoe-horn them all into an ERP or CRM based configuration monster.

So my instinctive sympathies certainly lie with Dave L

Kind regards

Steven Capell
Mob: 0410 437854

> On 9 Sep 2022, at 5:32 am, David Chadwick <d.w.chadwick@truetrust.co.uk> wrote:
>
> On 08/09/2022 19:49, Manu Sporny wrote:
>> On Thu, Sep 8, 2022 at 2:31 PM David Chadwick
>> <d.w.chadwick@truetrust.co.uk> wrote:
>>> Thus I conclude that the whole confused deputy argument for why capabilities are better than credentials is a spurious one.
>> David, you seem to be re-defining the precise language Alan is using
>> to describe the problem and the solution with your own definitions
>> (which are ill defined). The terms he is using have formal definitions
>> in computer science, some of which can be found here:
>>
>> https://en.wikipedia.org/wiki/Confused_deputy_problem
>> https://en.wikipedia.org/wiki/Ambient_authority
>> https://en.wikipedia.org/wiki/Capability-based_security
>> https://en.wikipedia.org/wiki/Object-capability_model
>>
>> You need to assert that either:
>>
>> 1) Your solution binds an unforgeable reference to a resource with the
>> operation to be performed (and thus IS a capability),
> I am asserting that with an appropriate schema a VC can be specified to be a capability.
>
> Kind regards
>
> David
>
>> or
>> 2) It doesn't do #1, but addresses the confused deputy and ambient
>> authority problems in some other way.
>>
>> So, let's start there, are you arguing for a non-capabilities based
>> system to be expressed using Verifiable Credentials? If so, how are
>> you solving for (at the very least) ambient authority and confused
>> deputy?
>>
>> -- manu

Received on Thursday, 8 September 2022 20:08:09 UTC