On 13/09/2022 17:55, Alan Karp wrote:
On Tue, Sep 13, 2022 at 12:23 AM David Chadwick <david.chadwick@crosswordcybersecurity.com> wrote:

So in summary what are you saying is that with VCs, the confused deputy can occur if the implementation has a design flaw and allows it (by merging multiple operations into one combined request to the PDP - which I would call an implementation bug) and that least privileges are violated if the user provides more claims than are needed.

Using claims VCs allows the deputy to specify that the user's claim should be used when accessing a resource specified by the user.  That removes the cause of the confused deputy, but I don't understand how that could work.  The user would have to pass the signed claims VC to the deputy

Yes that is exactly how it does work!


, but then the deputy could use that claim anywhere for any purpose, effectively impersonating the user.

Not so for two reasons

a) proof of possession. The VC contains the public key of the user and the VP contains the user's signature for PoP on a nonce provided by the deputy along with the deputy's name. So the deputy is not able to pass the VP to anyone else, nor prove possession to a third party of the VC because it cannot put the third party's nonce into the VP and sign it.

b) the user should only provide their VCs to trusted RPs (PEPs/Deputies). We are building the TRAIN trust infrastructure precisely for this purpose.


The other problem then is what permissions the claim authorizes.  In general, claims are specifying things such as identity, role, or attributes of the holder.  The PDP uses that authentication to find the set of permissions the holder has, which is typically a lot.

You cannot say that. The permissions are whatever the RP wants them to be for the particular claims. The RP sets the PDP's policy.


For example, it may include all permissions the user has at the resource server.  That means the deputy could specify a different resource than the one the user did.

Not so because the PEP/deputy is a trusted component of the RP.


If the claim grants very few permissions, say to a single resource, then you have a capability.

Brilliant. So if a VC with a specific claim is a capability, we do not need another standard to define the syntax of a capability. The VC DM will do nicely.


So I think in the end we have concluded that confused deputy cannot occur with VCs if the implementation is not flawed. And I am sure you will agree that confused deputy can occur with capabilities if the implementation is flawed.

True, but you have to work really hard to create a confused deputy with capabilities. 

This has been a very long conversation but I think we have finally agreed upon the resolutions

Kind regards

David


--------------
Alan Karp