- From: Alan Karp <alanhkarp@gmail.com>
- Date: Thu, 21 Aug 2025 15:11:06 -0700
- To: Pryvit NZ <kyle@pryvit.tech>
- Cc: Daniel Hardman <daniel.hardman@gmail.com>, Bob Wyman <bob@wyman.us>, "public-credentials (public-credentials@w3.org)" <public-credentials@w3.org>
- Message-ID: <CANpA1Z35-kXkQVPy9p1KB0oxHLhzX_oCh=1mjo0fpd_RzJ2y_g@mail.gmail.com>
And then you need a policy to know if Alice is allowed to restrict what someone else can do. My point is that you can come up with scenarios that require arbitrarily complex policies. I think that's a discussion that goes beyond the fundamental hazards that an access control system needs to deal with, but I'm flexible. Should I add a use case that involves enforcement of an arbitrary policy?

--------------
Alan Karp

On Thu, Aug 21, 2025 at 2:54 PM Pryvit NZ <kyle@pryvit.tech> wrote:

> Could Alice also explicitly declare scopes she doesn't want to delegate within her own capabilities such that the enforcement layer can recognize Bob has violated the permissions Alice set and as such fail safely?
>
> There is a tradeoff here in that it will make the verification policy logic more complicated so maybe this is still best handled at the issuance step.
>
> -Kyle
>
> On Fri, Aug 22, 2025 at 9:33 AM, Daniel Hardman <daniel.hardman@gmail.com> wrote:
>
>> Are you really comfortable with letting him combine the Q from Alice with the D from Bob? Doing this would allow Dave to do something that neither Bob nor Alice intended him to do. In fact, both Bob and Alice might be very surprised to learn that Dave had, in fact, done that thing.
>
> It seems to me that delegators MUST never assume that the only authority possessed by their delegate is authority that they, themselves granted. There are two sub-cases:
>
> 1. *The authorities held by delegators are disjoint*. Alice has authority over IT systems at Acme; Bob has authority over physical facilities. These two authorities don't overlap. Dave needs both physical access and IT access to accomplish a task. From Alice's IT perspective, physical facilities authority is out of scope and undefined. She MUST never make assumptions about its state (other than the assumption that questions in that domain are someone else's problem) when she makes decisions.
>
> 2. *The authorities held by delegators overlap*. Alice has authority over IT system and physical facilities at Acme; Bob has authority just over physical facilities. When Alice makes a decision about how to delegate to Dave, and she chooses NOT to give Dave physical facilities access, is she making the assumption that Dave will not get that access from Bob? And if so, is that assumption justified?
>
> I think the answer in case #2 must be that Alice may need to do work to actively protect herself, because access control systems can't predict Alice's preference and therefore must be permissive enough for Alice to prefer either answer. If she wants her refusal to grant physical facilities access to be treated as a signal to enforce that lack of access, she--not the access control system--must proactively make it so by querying whether Dave already has the other authority via Bob (if yes, refuse to grant IT access because she is trying to prevent the combination; if no, tell Bob that she has refused to grant access and ask him to do the same). If, on the other hand, Alice wants her refusal to grant access to mean that Dave's access to physical facilities is not actively denied, but is rather undefined in her mind, then she has to do nothing. The access control system doesn't work according to Alice's intentions at a human level -- only according to the question of whether Dave holds the right grants.
>
> --Daniel
Received on Thursday, 21 August 2025 22:11:23 UTC
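The thread above makes two mechanical points that are easy to check in code: Daniel's, that a verifier only asks whether Dave holds valid grants for each scope, so independent grants from Alice and Bob combine whether or not either intended it; and Kyle's, that Alice could mark scopes in her own capability as non-delegable so the verifier rejects a chain in which Bob passes them on. The following Python model is an added example written for this page; it is not code from the thread, from any participant, or from any W3C specification. The `Capability` dataclass, the `no_delegate` field, the scope names `it` and `physical`, and the `ROOT_AUTHORITY` table are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed for the example: which scopes each principal holds directly (its root authority).
ROOT_AUTHORITY = {
    "alice": frozenset({"it", "physical"}),
    "bob": frozenset({"physical"}),
}


@dataclass(frozen=True)
class Capability:
    """One link in a delegation chain (hypothetical model, not a real token format)."""
    issuer: str                            # who created this link
    holder: str                            # who may exercise it
    scopes: frozenset                      # what the link authorises
    no_delegate: frozenset = frozenset()   # scopes the holder may NOT pass on (Kyle's proposal)
    parent: Optional[Capability] = None    # link the issuer relied on; None for a root


def verify_chain(cap: Capability) -> tuple[bool, str]:
    """Walk from the root down to `cap`, enforcing three rules at every link:
    the issuer must be the previous holder, a link may only attenuate (never add scopes),
    and a link may not carry a scope an upstream issuer marked non-delegable."""
    chain: list[Capability] = []
    node: Optional[Capability] = cap
    while node is not None:
        chain.append(node)
        node = node.parent
    chain.reverse()                        # root first
    root = chain[0]
    if root.issuer != root.holder or not root.scopes <= ROOT_AUTHORITY.get(root.issuer, frozenset()):
        return False, f"root held by {root.holder!r} is not a recognised authority"
    allowed = set(root.scopes)             # what the current holder may delegate
    locked = set(root.no_delegate)         # scopes forbidden from further delegation
    prev = root
    for link in chain[1:]:
        if link.issuer != prev.holder:
            return False, f"link issued by {link.issuer!r} but previous holder is {prev.holder!r}"
        if not link.scopes <= allowed:
            return False, f"{link.issuer!r} tried to delegate scopes it does not hold: {sorted(link.scopes - allowed)}"
        violated = link.scopes & locked
        if violated:
            return False, f"{link.issuer!r} re-delegated non-delegable scopes {sorted(violated)}"
        allowed = set(link.scopes)
        locked |= link.no_delegate
        prev = link
    return True, "ok"


def authorize(held: list[Capability], holder: str, needed: set[str]) -> bool:
    """Daniel's point: the system only asks whether `holder` has a valid chain for every
    needed scope. Grants from different delegators combine; nobody's intent is consulted."""
    granted: set[str] = set()
    for cap in held:
        if cap.holder == holder and verify_chain(cap)[0]:
            granted |= cap.scopes
    return needed <= granted


def scenarios() -> dict[str, object]:
    """Constructed scenarios mirroring the thread's Alice / Bob / Dave discussion."""
    alice_root = Capability("alice", "alice", frozenset({"it", "physical"}))
    bob_root = Capability("bob", "bob", frozenset({"physical"}))
    # Daniel's case: Alice grants IT only; Bob independently grants physical.
    alice_to_dave = Capability("alice", "dave", frozenset({"it"}), parent=alice_root)
    bob_to_dave = Capability("bob", "dave", frozenset({"physical"}), parent=bob_root)
    # Kyle's proposal: Alice delegates both scopes to Bob but marks physical as non-delegable.
    alice_to_bob = Capability("alice", "bob", frozenset({"it", "physical"}),
                              frozenset({"physical"}), alice_root)
    bob_redelegates_physical = Capability("bob", "dave", frozenset({"physical"}), parent=alice_to_bob)
    bob_redelegates_it = Capability("bob", "dave", frozenset({"it"}), parent=alice_to_bob)
    # Amplification attempt: Bob's own root never included IT.
    bob_amplifies = Capability("bob", "dave", frozenset({"it"}), parent=bob_root)
    return {
        "combination_allowed": authorize([alice_to_dave, bob_to_dave], "dave", {"it", "physical"}),
        "locked_scope_rejected": verify_chain(bob_redelegates_physical),
        "unlocked_scope_ok": verify_chain(bob_redelegates_it),
        "amplification_rejected": verify_chain(bob_amplifies),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The `combination_allowed` scenario is the outcome Daniel describes: Dave's request for both scopes succeeds because each scope is backed by a valid chain, and the verifier never sees that Alice withheld physical access. The `locked_scope_rejected` scenario is Kyle's fail-safe: the only way Alice's preference reaches the verifier is as an explicit `no_delegate` mark carried in her own capability, which is also where the extra verification-policy logic Kyle mentions lives.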