Verifiable Credentials and (relationship-based) access control

There has been some discussions about the (un)suitability of VCs for implementing access control. I would like to share with you our experience with a recent project where we implemented access control for digital twins.  You can find a high level description of what we have done here

We used a type of access control known as relationship-based access control, also used by Google ( This paradigm has two properties that make it suitable for use with VCs: 

A) Objects of access control are explicitly defined (e.g., "Company A has "can access" relationship with Device A)
B) Delegations can be defined as part of the authorization model (e.g., An "employee of a company" can access a device, is she has "authorized" relationship with the company and the company has "can access" relationship with the device.

So in our system we created a new type of VC that includes "the relationships that the subject id has with objects".

One of the challenges we faced was related to the discussion that Oliver Terbu raised some time ago and it was about validating verifiable presentations.  Imagine that Alice creates a VP that includes two VCs, one issued by the device owner to Company A assigning it the "can access" relationship (with Device A), and another issued by Company A to Alice, assigning her the "authorized" relationship (with Company A): the signature of the VP should be validated using  the public key that corresponds to the subject id of the latter VC (i.e., Alice). Nevertheless, AFAIU, there is no way to "signal" that to verifier even though this is a typical "chain of trust". We created an ad-hoc solution, but we wish there as there something more generic and interoperable.

I would love to hear your feedback.


Received on Monday, 18 September 2023 13:32:50 UTC