- From: Alan Karp <alanhkarp@gmail.com>
- Date: Mon, 18 Sep 2023 11:10:04 -0700
- To: Nikos Fotiou <fotiou@aueb.gr>
- Cc: public-credentials@w3.org
- Message-ID: <CANpA1Z2hk=uY2dX138VsnqNHLV8rYNFpYkkqRt25q2gt9b7W8w@mail.gmail.com>
On Mon, Sep 18, 2023 at 6:37 AM Nikos Fotiou <fotiou@aueb.gr> wrote:
> Hi,
> There have been some discussions about the (un)suitability of VCs for
> implementing access control

I'm afraid I am responsible for much of the confusion. The problem I've been talking about arises when you want to use a VC as a capability, something that represents a specific permission on a specific object, which is what zcap-ld does. In that case, the requirements for a claims VC and a permissions VC are quite different.

There is no reason VCs can't be used for various other forms of access control, such as Role- or Attribute-based. The VC is just making a claim that the presenter has some property, which is what VCs are designed for.

That being said, I believe that using VCs for the kinds of access control they are suitable for, e.g., relationship-based access control, is still a mistake because you are leaving yourself vulnerable to confused deputy attacks.

--------------
Alan Karp

On Mon, Sep 18, 2023 at 6:37 AM Nikos Fotiou <fotiou@aueb.gr> wrote:
> Hi,
> There have been some discussions about the (un)suitability of VCs for
> implementing access control. I would like to share with you our experience
> with a recent project where we implemented access control for digital
> twins. You can find a high level description of what we have done here
> https://medium.com/@excid/relation-based-access-control-using-verifiable-credentials-d8e542a0ce1
>
> We used a type of access control known as relationship-based access
> control, also used by Google (https://research.google/pubs/pub48190/).
> This paradigm has two properties that make it suitable for use with VCs:
>
> A) Objects of access control are explicitly defined (e.g., Company A has a
> "can access" relationship with Device A)
> B) Delegations can be defined as part of the authorization model (e.g., an
> "employee of a company" can access a device if she has an "authorized"
> relationship with the company and the company has a "can access" relationship
> with the device.)
>
> So in our system we created a new type of VC that includes "the
> relationships that the subject id has with objects".
>
> One of the challenges we faced was related to the discussion that Oliver
> Terbu raised some time ago and it was about validating verifiable
> presentations. Imagine that Alice creates a VP that includes two VCs, one
> issued by the device owner to Company A assigning it the "can access"
> relationship (with Device A), and another issued by Company A to Alice,
> assigning her the "authorized" relationship (with Company A): the signature
> of the VP should be validated using the public key that corresponds to the
> subject id of the latter VC (i.e., Alice). Nevertheless, AFAIU, there is no
> way to "signal" that to the verifier even though this is a typical "chain of
> trust". We created an ad-hoc solution, but we wish there were something
> more generic and interoperable.
>
> I would love to hear your feedback.
>
> Best,
> Nikos
Received on Monday, 18 September 2023 18:10:22 UTC
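The verification problem Nikos describes (two relationship VCs chained through a VP, with the VP signature checked against the key of the subject of the last VC) is shown below as an added, self-contained example. It is not code from the thread, from the ExcID project, or from any VC library: the identifiers (`did:ex:owner`, `did:ex:companyA`, `did:ex:alice`, `urn:ex:deviceA`), the `resolve` dictionary that stands in for DID resolution, and the VC/VP layout are all constructed for illustration, and a Lamport one-time signature over SHA-256 stands in for a real proof suite such as Ed25519 so that the example needs only the Python standard library. The verifier walks the chain from the device owner's grant to the presenter, requires each link to be issued by the previous link's subject, and only then checks the VP signature with the presenter's key; two negative cases show a VP signed with the wrong key and a self-issued delegation link being rejected.

```python
# Added example: verifying a chain of relationship VCs carried in a VP.
# Not code from the thread or any project; all identifiers are constructed.
import hashlib
import json
import os

# --- Toy signature scheme: Lamport one-time signatures over SHA-256 -------
# Stands in for a real suite such as Ed25519 so the example runs with the
# standard library only. A Lamport key must sign only one message in practice;
# key reuse in demo() is tolerated purely because this is a stand-in.

def keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[hashlib.sha256(x).hexdigest() for x in pair] for pair in sk]
    return sk, pk

def _bits(msg: bytes):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][b].hex() for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(bytes.fromhex(s)).hexdigest() == pk[i][b]
               for i, (b, s) in enumerate(zip(_bits(msg), sig)))

# --- Relationship VCs and the VP ------------------------------------------

def canonical(obj) -> bytes:
    # Deterministic serialisation so issuer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_vc(issuer, subject, relation, obj, issuer_sk):
    claim = {"issuer": issuer, "subject": subject, "relation": relation, "object": obj}
    return {"claim": claim, "proof": sign(issuer_sk, canonical(claim))}

def make_vp(holder, vcs, holder_sk):
    body = {"holder": holder, "credentials": vcs}
    return {"body": body, "proof": sign(holder_sk, canonical(body))}

def verify_presentation(vp, resolve, device_owner, device):
    """resolve: id -> public key (stands in for DID resolution).
    Returns (granted, reason)."""
    vcs = vp["body"]["credentials"]
    if not vcs:
        return False, "no credentials"
    # 1. Every VC must carry a valid signature from its stated issuer.
    for vc in vcs:
        pk = resolve.get(vc["claim"]["issuer"])
        if pk is None or not verify(pk, canonical(vc["claim"]), vc["proof"]):
            return False, "bad VC signature from " + vc["claim"]["issuer"]
    # 2. The chain must start with the device owner granting "can access"
    #    on this device ...
    root = vcs[0]["claim"]
    if (root["issuer"], root["relation"], root["object"]) != (device_owner, "can access", device):
        return False, "root VC is not a grant by the device owner"
    # ... and each later VC must be issued by the previous VC's subject,
    #     delegating an "authorized" relationship with that same subject.
    for prev, cur in zip(vcs, vcs[1:]):
        p, c = prev["claim"], cur["claim"]
        if c["issuer"] != p["subject"] or c["object"] != p["subject"] or c["relation"] != "authorized":
            return False, "broken delegation link at " + c["subject"]
    # 3. The VP signature is checked with the key of the LAST VC's subject:
    #    the party the chain ultimately authorizes. The holder field must
    #    name that same party, so the chain itself signals which key to use.
    presenter = vcs[-1]["claim"]["subject"]
    if vp["body"]["holder"] != presenter:
        return False, "holder does not match end of chain"
    pk = resolve.get(presenter)
    if pk is None or not verify(pk, canonical(vp["body"]), vp["proof"]):
        return False, "VP not signed by " + presenter
    return True, presenter + " may access " + device

def demo():
    # Constructed identifiers and keys; a real deployment would resolve DIDs.
    OWNER, COMPANY, ALICE, DEVICE = "did:ex:owner", "did:ex:companyA", "did:ex:alice", "urn:ex:deviceA"
    owner_sk, owner_pk = keygen()
    company_sk, company_pk = keygen()
    alice_sk, alice_pk = keygen()
    resolve = {OWNER: owner_pk, COMPANY: company_pk, ALICE: alice_pk}

    vc1 = issue_vc(OWNER, COMPANY, "can access", DEVICE, owner_sk)    # owner -> Company A
    vc2 = issue_vc(COMPANY, ALICE, "authorized", COMPANY, company_sk)  # Company A -> Alice

    good = make_vp(ALICE, [vc1, vc2], alice_sk)
    # Wrong signer: the chain ends at Alice but the VP is signed by someone else's key.
    wrong_signer = make_vp(ALICE, [vc1, vc2], keygen()[0])
    # Forged link: Alice issues herself the "authorized" VC instead of Company A.
    forged = make_vp(ALICE, [vc1, issue_vc(ALICE, ALICE, "authorized", COMPANY, alice_sk)], alice_sk)
    return {name: verify_presentation(vp, resolve, OWNER, DEVICE)
            for name, vp in [("good", good), ("wrong_signer", wrong_signer), ("forged", forged)]}
```

Calling `demo()` returns the three verdicts; only the `good` presentation is granted. The design choice worth noting is that the verifier never needs an out-of-band hint about which key signs the VP: the chain structure (owner grant, then delegations each issued by the previous subject) determines the presenter, and the `holder` field is checked against it rather than trusted on its own.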