- From: Daniel Hardman <daniel.hardman@gmail.com>
- Date: Thu, 21 Aug 2025 15:32:24 -0600
- To: Bob Wyman <bob@wyman.us>
- Cc: Alan Karp <alanhkarp@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CACU_chkYyjb7GoESTDY4fHtVGkVjfuqj_SuJjW8dPNojWS=0QA@mail.gmail.com>
> Are you really comfortable with letting him combine the Q from Alice with
> the D from Bob? Doing this would allow Dave to do something that neither
> Bob nor Alice intended him to do. In fact, both Bob and Alice might be very
> surprised to learn that Dave had, in fact, done that thing.

It seems to me that delegators MUST never assume that the only authority possessed by their delegate is authority that they themselves granted. There are two sub-cases:

1. *The authorities held by delegators are disjoint*. Alice has authority over IT systems at Acme; Bob has authority over physical facilities. These two authorities don't overlap. Dave needs both physical access and IT access to accomplish a task. From Alice's IT perspective, physical facilities authority is out of scope and undefined. She MUST never make assumptions about its state (other than the assumption that questions in that domain are someone else's problem) when she makes decisions.

2. *The authorities held by delegators overlap*. Alice has authority over IT systems and physical facilities at Acme; Bob has authority just over physical facilities. When Alice makes a decision about how to delegate to Dave, and she chooses NOT to give Dave physical facilities access, is she making the assumption that Dave will not get that access from Bob? And if so, is that assumption justified?

I think the answer in case #2 must be that Alice may need to do work to actively protect herself, because access control systems can't predict Alice's preference and therefore must be permissive enough for Alice to prefer either answer.

If she wants her refusal to grant physical facilities access to be treated as a signal to enforce that lack of access, she--not the access control system--must proactively make it so by querying whether Dave already has the other authority via Bob (if yes, refuse to grant IT access because she is trying to prevent the combination; if no, tell Bob that she has refused to grant access and ask him to do the same).

If, on the other hand, Alice wants her refusal to grant access to mean that Dave's access to physical facilities is not actively denied, but is rather undefined in her mind, then she has to do nothing. The access control system doesn't work according to Alice's intentions at a human level -- only according to the question of whether Dave holds the right grants.

--Daniel
Received on Thursday, 21 August 2025 21:32:41 UTC
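The following is an added illustration, not code from the thread or from any W3C Credentials CG project, of the point Daniel makes about case #2: the access-control system itself is permissive (a delegate holds an authority if any delegator granted it), so a "Dave must not end up with both IT and facilities" preference has to be enforced by the delegators at grant time and communicated between them. The principal names and the two authorities follow the thread; the `AccessControl`, `SeparationRegistry` and `careful_grant` names, and the way the registry is shared between Alice and Bob, are assumptions made for the example.

```python
# Added example, not code from the original thread. Toy model of permissive
# delegation plus delegator-side separation of authority. Sample principals
# and authorities are constructed to match case #2 in the message.

from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    delegator: str
    delegate: str
    authority: str


class AccessControl:
    """The system only answers one question: which grants does a principal hold?"""

    def __init__(self, root_authorities: dict[str, set[str]]) -> None:
        # Authorities each principal holds directly (constructed sample data).
        self.direct = {p: set(a) for p, a in root_authorities.items()}
        self.grants: set[Grant] = set()

    def authorities(self, principal: str) -> set[str]:
        """Union of direct authority and everything anyone delegated to principal."""
        held = set(self.direct.get(principal, set()))
        held |= {g.authority for g in self.grants if g.delegate == principal}
        return held

    def grant(self, delegator: str, delegate: str, authority: str) -> None:
        """Permissive delegation: the only check is that the delegator holds it."""
        if authority not in self.authorities(delegator):
            raise PermissionError(f"{delegator} cannot delegate {authority}")
        self.grants.add(Grant(delegator, delegate, authority))

    def permits(self, principal: str, required: set[str]) -> bool:
        return required <= self.authorities(principal)


class SeparationRegistry:
    """Delegator-side record of 'this delegate must not hold A and B together'.
    Alice writes to it when she refuses; Bob consults it because she told him.
    (Hypothetical: the thread only says Alice must tell Bob and ask him to refuse.)"""

    def __init__(self) -> None:
        self.refused: dict[str, set[frozenset[str]]] = {}

    def refuse_combination(self, delegate: str, *authorities: str) -> None:
        self.refused.setdefault(delegate, set()).add(frozenset(authorities))

    def would_violate(self, delegate: str, resulting: set[str]) -> bool:
        return any(combo <= resulting for combo in self.refused.get(delegate, ()))


def careful_grant(ac: AccessControl, reg: SeparationRegistry,
                  delegator: str, delegate: str, authority: str) -> bool:
    """Alice's active protection: query what the delegate already holds and
    refuse if this grant would complete a refused combination."""
    resulting = ac.authorities(delegate) | {authority}
    if reg.would_violate(delegate, resulting):
        return False
    ac.grant(delegator, delegate, authority)
    return True


def case2_system() -> AccessControl:
    # Case #2: Alice holds IT and facilities, Bob holds facilities only.
    return AccessControl({"alice": {"it", "facilities"}, "bob": {"facilities"}})


def permissive_scenario() -> bool:
    """Nobody coordinates: Dave can do what neither delegator intended."""
    ac = case2_system()
    ac.grant("alice", "dave", "it")          # Alice declines facilities...
    ac.grant("bob", "dave", "facilities")    # ...but Bob grants it anyway.
    return ac.permits("dave", {"it", "facilities"})


def alice_first_scenario() -> tuple[bool, bool, bool]:
    """Alice grants IT, records her refusal, and Bob honours the shared record."""
    ac, reg = case2_system(), SeparationRegistry()
    reg.refuse_combination("dave", "it", "facilities")
    alice_ok = careful_grant(ac, reg, "alice", "dave", "it")
    bob_ok = careful_grant(ac, reg, "bob", "dave", "facilities")
    return alice_ok, bob_ok, ac.permits("dave", {"it", "facilities"})


def bob_first_scenario() -> tuple[bool, bool, bool]:
    """Bob already granted facilities; Alice's query finds it and she refuses IT."""
    ac, reg = case2_system(), SeparationRegistry()
    bob_ok = careful_grant(ac, reg, "bob", "dave", "facilities")
    reg.refuse_combination("dave", "it", "facilities")
    alice_ok = careful_grant(ac, reg, "alice", "dave", "it")
    return bob_ok, alice_ok, ac.permits("dave", {"it", "facilities"})


if __name__ == "__main__":
    print("permissive:", permissive_scenario())      # True
    print("alice first:", alice_first_scenario())    # (True, False, False)
    print("bob first:", bob_first_scenario())        # (True, False, False)
```

The point of the two `careful_grant` scenarios is the ordering: the check at Alice's grant only catches a combination that already exists, so the refusal has to be recorded somewhere Bob consults, otherwise a later grant by Bob recreates exactly the outcome of `permissive_scenario`.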