Re: Access Control

When addressing Composed Delegations, you say:

> Composable: Dave needs to be able to get one permission from Alice,
> another from Bob and use them both in the same API call.


Imagine that Bob and Alice both have Q, U, and D privileges in respect to
object X. Alice delegates Q and U to Dave. Bob delegates U and D to Dave.
Neither Bob nor Dave are aware that the other had delegated privileges to
Dave. Now, Dave needs to do something to X that requires both U and D. Are
you really comfortable with letting him combine the Q from Alice with the D
from Bob? Doing this would allow Dave to do something that neither Bob nor
Alice intended him to do. In fact, both Bob and Alice might be very
surprised to learn that Dave had, in fact, done that thing.

bob wyman



On Thu, Aug 21, 2025 at 1:49 PM Alan Karp <alanhkarp@gmail.com> wrote:

> I have followed a variety of access control systems off and on for some 30
> years, including the recent discussion on this list of the use of OAuth 2.0
> and 2.1.  I have concluded that many, if not all of them, suffer from being
> based on use cases that are too simple.
>
> In an attempt to address that problem, I've constructed a bunch of use
> cases <https://alanhkarp.com/UseCases.pdf> that I think capture all the
> hazards an access control system must address.  Comments, criticisms, and
> corrections will be appreciated and resented in equal measure.
>
> --------------
> Alan Karp
>

Received on Thursday, 21 August 2025 18:42:01 UTC
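
The delegation scenario from the reply above, modeled as an added example that is not part of the original thread: it records which delegator each permission came from and reports whether a request is covered by one delegator's grant or only by combining grants from several. The `Grant` record, the `decide` function and the `allow_composition` switch are hypothetical names, and the grant data is constructed from the message.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    delegator: str
    delegate: str
    obj: str
    perms: frozenset


# Constructed from the message: Alice delegates Q and U, Bob delegates U and D.
GRANTS = [
    Grant("Alice", "Dave", "X", frozenset("QU")),
    Grant("Bob", "Dave", "X", frozenset("UD")),
]


def decide(grants, delegate, obj, required, allow_composition=False):
    """Decide a request and report which delegators it relies on."""
    required = frozenset(required)
    # Merge each delegator's grants so provenance is tracked per delegator.
    by_delegator = {}
    for g in grants:
        if g.delegate == delegate and g.obj == obj:
            held = by_delegator.get(g.delegator, frozenset())
            by_delegator[g.delegator] = held | g.perms
    # For every required permission, list the delegators who granted it.
    sources = {p: sorted(d for d, ps in by_delegator.items() if p in ps)
               for p in sorted(required)}
    covered = all(sources.values())
    # Delegators whose own grant covers the whole request.
    single = sorted(d for d, ps in by_delegator.items() if required <= ps)
    # Composed: satisfiable only by mixing grants from different delegators.
    composed = covered and not single
    allowed = covered and (bool(single) or allow_composition)
    return {"allowed": allowed, "composed": composed,
            "single_source": single, "sources": sources}


if __name__ == "__main__":
    for need in ("UD", "QD"):
        for compose in (False, True):
            print(need, "allow_composition =", compose,
                  decide(GRANTS, "Dave", "X", need, compose))
```

With these grants, a request needing U and D is covered by Bob's delegation alone, while one needing Q and D is reported as composed, and the `sources` map gives an audit log the per-permission provenance either way.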