- From: Alan Karp <alanhkarp@gmail.com>
- Date: Thu, 21 Aug 2025 14:43:27 -0700
- To: Bob Wyman <bob@wyman.us>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CANpA1Z2fQ+3jvGBO6L3cgKFdDQa8Gfa6MRMDjQrnc=70u+RQsw@mail.gmail.com>
On Thu, Aug 21, 2025 at 11:41 AM Bob Wyman <bob@wyman.us> wrote:

> When addressing Composed Delegations, you say:
>
>> Composable: Dave needs to be able to get one permission from Alice,
>> another from Bob and use them both in the same API call.
>
> Imagine that Bob and Alice both have Q, U, and D privileges in respect to
> object X. Alice delegates Q and U to Dave. Bob delegates U and D to Dave.
> Neither Bob nor Dave

I think you mean Alice

> are aware that the other had delegated privileges to Dave. Now, Dave needs
> to do something to X that requires both U and D. Are you really
> comfortable with letting him combine the Q from Alice with the D from Bob?
> Doing this would allow Dave to do something that neither Bob nor Alice
> intended him to do. In fact, both Bob and Alice might be very surprised to
> learn that Dave had, in fact, done that thing.

You could also ask if Alice's delegation to Dave violates some policy. Policy is a topic I chose to avoid. If you want policy enforcement, you'll have to mediate delegations in some way. However, you still need to deal with credential sharing to get around blocked delegations.

--------------
Alan Karp

On Thu, Aug 21, 2025 at 11:41 AM Bob Wyman <bob@wyman.us> wrote:

> When addressing Composed Delegations, you say:
>
>> Composable: Dave needs to be able to get one permission from Alice,
>> another from Bob and use them both in the same API call.
>
> Imagine that Bob and Alice both have Q, U, and D privileges in respect to
> object X. Alice delegates Q and U to Dave. Bob delegates U and D to Dave.
> Neither Bob nor Dave are aware that the other had delegated privileges to
> Dave. Now, Dave needs to do something to X that requires both U and D. Are
> you really comfortable with letting him combine the Q from Alice with the D
> from Bob? Doing this would allow Dave to do something that neither Bob nor
> Alice intended him to do. In fact, both Bob and Alice might be very
> surprised to learn that Dave had, in fact, done that thing.
>
> bob wyman
>
> On Thu, Aug 21, 2025 at 1:49 PM Alan Karp <alanhkarp@gmail.com> wrote:
>
>> I have followed a variety of access control systems off and on for some
>> 30 years, including the recent discussion on this list of the use of OAuth
>> 2.0 and 2.1. I have concluded that many, if not all of them, suffer from
>> being based on use cases that are too simple.
>>
>> In an attempt to address that problem, I've constructed a bunch of use
>> cases <https://alanhkarp.com/UseCases.pdf> that I think capture all the
>> hazards an access control system must address. Comments, criticisms, and
>> corrections will be appreciated and resented in equal measure.
>>
>> --------------
>> Alan Karp
Received on Thursday, 21 August 2025 21:43:44 UTC
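The composed-delegation scenario discussed in this message, modeled as an added example that is not part of the original thread or of the use-case document. It shows one API call authorized from two delegations, with the issuer of each right recorded, next to a mediated variant. The names `HOLDINGS`, `Delegation`, `authorize` and the `single_issuer` policy are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed scenario from the thread: rights each principal holds on object X.
HOLDINGS = {"Alice": {"Q", "U", "D"}, "Bob": {"Q", "U", "D"}}

@dataclass(frozen=True)
class Delegation:
    issuer: str
    subject: str
    obj: str
    rights: frozenset

def valid(d, holdings):
    """A delegation may only pass on rights its issuer actually holds."""
    return d.rights <= holdings.get(d.issuer, set())

def authorize(subject, obj, required, presented, holdings, single_issuer=False):
    """Decide one API call that presents several delegations at once.

    Returns (allowed, provenance); provenance maps each required right to
    the issuers whose delegation supplied it, so pooled rights are auditable.
    single_issuer=True models a hypothetical mediating policy that refuses
    calls whose rights must be pooled from different issuers.
    """
    usable = [d for d in presented
              if d.subject == subject and d.obj == obj and valid(d, holdings)]
    provenance = {r: sorted({d.issuer for d in usable if r in d.rights})
                  for r in sorted(required)}
    if any(not issuers for issuers in provenance.values()):
        return False, provenance          # some required right was never delegated
    if single_issuer:
        return any(required <= d.rights for d in usable), provenance
    return True, provenance               # composable: union of delegations

# The two delegations Dave holds in the thread's scenario.
creds = [Delegation("Alice", "Dave", "X", frozenset("QU")),
         Delegation("Bob", "Dave", "X", frozenset("UD"))]

if __name__ == "__main__":
    for need in ({"U", "D"}, {"Q", "D"}):
        for mediated in (False, True):
            print(sorted(need), "mediated" if mediated else "composable",
                  authorize("Dave", "X", need, creds, HOLDINGS, mediated))
```

In this model the U and D call succeeds either way because Bob's delegation alone covers it, while the Q and D call is the one that depends on pooling rights from both issuers.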