Re: Funded Deployments of Verifiable Credentials - framework for meta-credentials

On Tue, Sep 13, 2022 at 12:23 AM David Chadwick <
david.chadwick@crosswordcybersecurity.com> wrote:

> So in summary what are you saying is that with VCs, the confused deputy
> can occur if the implementation has a design flaw and allows it (by merging
> multiple operations into one combined request to the PDP - which I would
> call an implementation bug) and that least privileges are violated if the
> user provides more claims than are needed.
>
Using claims VCs allows the deputy to specify that the user's claim should
be used when accessing a resource specified by the user.  That removes the
cause of the confused deputy, but I don't understand how that could work.
The user would have to pass the signed claims VC to the deputy, but then
the deputy could use that claim anywhere for any purpose, effectively
impersonating the user.

The other problem then is what permissions the claim authorizes.  In
general, claims are specifying things such as identity, role, or attributes
of the holder.  The PDP uses that authentication to find the set of
permissions the holder has, which is typically a lot.  For example, it may
include all permissions the user has at the resource server.  That means
the deputy could specify a different resource than the one the user did.
If the claim grants very few permissions, say to a single resource, then
you have a capability.

> So I think in the end we have concluded that confused deputy cannot occur
> with VCs if the implementation is not flawed. And I am sure you will agree
> that confused deputy can occur with capabilities if the implementation is
> flawed.
>
True, but you have to work really hard to create a confused deputy with
capabilities.

--------------
Alan Karp

>