- From: Bob Wyman <bob@wyman.us>
- Date: Thu, 21 Aug 2025 18:12:27 -0400
- To: Alan Karp <alanhkarp@gmail.com>
- Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAA1s49V5KJLz2NA04EtRPnRuOh9CqT1tO4c8eupTxNc7MODPqQ@mail.gmail.com>
Alan Karp wrote:
> "Policy is a topic I chose to avoid."

How is "policy" distinguished from access control?

bob wyman

On Thu, Aug 21, 2025 at 5:43 PM Alan Karp <alanhkarp@gmail.com> wrote:

> On Thu, Aug 21, 2025 at 11:41 AM Bob Wyman <bob@wyman.us> wrote:
>
>> When addressing Composed Delegations, you say:
>>
>>> Composable: Dave needs to be able to get one permission from Alice,
>>> another from Bob and use them both in the same API call.
>>
>>
>> Imagine that Bob and Alice both have Q, U, and D privileges in respect to
>> object X. Alice delegates Q and U to Dave. Bob delegates U and D to Dave.
>> Neither Bob nor Dave
>>
>
> I think you mean Alice
>
>
>> are aware that the other had delegated privileges to Dave. Now, Dave
>> needs to do something to X that requires both U and D. Are you really
>> comfortable with letting him combine the Q from Alice with the D from Bob?
>> Doing this would allow Dave to do something that neither Bob nor Alice
>> intended him to do. In fact, both Bob and Alice might be very surprised to
>> learn that Dave had, in fact, done that thing.
>>
>> You could also ask if Alice's delegation to Dave violates some policy.
> Policy is a topic I chose to avoid.
>
> If you want policy enforcement, you'll have to mediate delegations in some
> way. However, you still need to deal with credential sharing to get around
> blocked delegations.
>
> --------------
> Alan Karp
>
>
> On Thu, Aug 21, 2025 at 11:41 AM Bob Wyman <bob@wyman.us> wrote:
>
>> When addressing Composed Delegations, you say:
>>
>>> Composable: Dave needs to be able to get one permission from Alice,
>>> another from Bob and use them both in the same API call.
>>
>>
>> Imagine that Bob and Alice both have Q, U, and D privileges in respect to
>> object X. Alice delegates Q and U to Dave. Bob delegates U and D to Dave.
>> Neither Bob nor Dave are aware that the other had delegated privileges to
>> Dave. Now, Dave needs to do something to X that requires both U and D. Are
>> you really comfortable with letting him combine the Q from Alice with the D
>> from Bob? Doing this would allow Dave to do something that neither Bob nor
>> Alice intended him to do. In fact, both Bob and Alice might be very
>> surprised to learn that Dave had, in fact, done that thing.
>>
>> bob wyman
>>
>>
>>
>> On Thu, Aug 21, 2025 at 1:49 PM Alan Karp <alanhkarp@gmail.com> wrote:
>>
>>> I have followed a variety of access control systems off and on for some
>>> 30 years, including the recent discussion on this list of the use of OAuth
>>> 2.0 and 2.1. I have concluded that many, if not all of them, suffer from
>>> being based on use cases that are too simple.
>>>
>>> In an attempt to address that problem, I've constructed a bunch of use
>>> cases <https://alanhkarp.com/UseCases.pdf> that I think capture all the
>>> hazards an access control system must address. Comments, criticisms, and
>>> corrections will be appreciated and resented in equal measure.
>>>
>>> --------------
>>> Alan Karp
>>>
>>
Received on Thursday, 21 August 2025 22:12:46 UTC
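
The delegation scenario discussed in this thread, modelled as an added example (not code from either participant or from the linked use-case document): a hypothetical mediator records delegations, finds the smallest set of grantors whose delegations cover a request, and either refuses or flags requests that can only be satisfied by combining delegations from different grantors. The names `DELEGATIONS`, `minimal_grantor_sets`, `mediate` and the `allow_composition` switch are assumptions made for illustration.

```python
from itertools import combinations

# Constructed data mirroring the thread: rights on object X delegated to Dave.
DELEGATIONS = [
    {"grantor": "Alice", "grantee": "Dave", "object": "X", "rights": {"Q", "U"}},
    {"grantor": "Bob", "grantee": "Dave", "object": "X", "rights": {"U", "D"}},
]


def minimal_grantor_sets(delegations, grantee, obj, required):
    """Return the smallest sets of grantors whose delegations cover `required`."""
    by_grantor = {}
    for d in delegations:
        if d["grantee"] == grantee and d["object"] == obj:
            by_grantor.setdefault(d["grantor"], set()).update(d["rights"])
    for size in range(1, len(by_grantor) + 1):
        hits = [
            frozenset(combo)
            for combo in combinations(sorted(by_grantor), size)
            if set(required) <= set().union(*(by_grantor[g] for g in combo))
        ]
        if hits:
            return hits  # stop at the smallest size that works
    return []


def mediate(delegations, grantee, obj, required, allow_composition):
    """Decide a request and report which grantors' rights it relies on.

    allow_composition=True models the "composable" behaviour quoted above;
    False models a mediator that blocks cross-grantor combinations.
    """
    sets = minimal_grantor_sets(delegations, grantee, obj, required)
    if not sets:
        return {"decision": "deny", "reason": "rights not held", "grantors": []}
    grantors = sorted(sets[0])
    if len(grantors) == 1:
        return {"decision": "allow", "reason": "single grantor", "grantors": grantors}
    if allow_composition:
        # Allowed, but the audit record names every grantor relied upon.
        return {"decision": "allow", "reason": "composed", "grantors": grantors}
    return {"decision": "deny", "reason": "composition blocked", "grantors": grantors}


if __name__ == "__main__":
    # U+D is covered by Bob's delegation alone; Q+D needs Alice and Bob together.
    print(mediate(DELEGATIONS, "Dave", "X", {"U", "D"}, allow_composition=False))
    print(mediate(DELEGATIONS, "Dave", "X", {"Q", "D"}, allow_composition=False))
    print(mediate(DELEGATIONS, "Dave", "X", {"Q", "D"}, allow_composition=True))
```

The `grantors` field is what a mediator would log or use to notify delegators when a request relies on more than one of them.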