Re: Funded Deployments of Verifiable Credentials - framework for meta-credentials from Alan Karp on 2022-09-08 (public-credentials@w3.org from September 2022)

From: Alan Karp <alanhkarp@gmail.com>
Date: Thu, 8 Sep 2022 14:58:40 -0700
To: Dave Longley <dlongley@digitalbazaar.com>
Cc: Steve Magennis <steve.e.magennis@gmail.com>, David Chadwick <d.w.chadwick@truetrust.co.uk>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <CANpA1Z0e49U-awLe6g=1DCuY_XvdWds-iemDArnrn7ZzLabG3Q@mail.gmail.com>

On Thu, Sep 8, 2022 at 8:48 AM Dave Longley <dlongley@digitalbazaar.com>
wrote:

> In my view, the confused deputy happens when the deputy (or the
> verifier here in VC parlance) doesn't fully know what the issuer
> actually authorized -- because the authorization doesn't designate
> *what* it's for, it only states some power that the subject has to act
> on *something*. That means that the deputy is left to figure out what
> that something is on their own -- or to dangerously accept whatever
> the presenter says it should be.
>

I think that's backward, at least in Norm Hardy's example.  The invoker
specifies "what," and the API specifies what permissions are needed.  The
deputy has no choice but to use its own permissions.

>
> At the end of the day we'd have to ask ourselves if taking this
> approach was worth whatever the benefits are vs. just using a simpler
> model to represent delegatable authorization capabilities.


I agree.

--------------
Alan Karp

Received on Thursday, 8 September 2022 21:59:03 UTC