Re: Access Control

On Thu, Aug 21, 2025 at 3:12 PM Bob Wyman <bob@wyman.us> wrote:

> Alan Karp wrote:
>
>> "Policy is a topic I chose to avoid."
>
>
> How is "policy" distinguished from access control?
>

Policy decides who gets which permissions when.  Access control is how
those permissions are represented and used.

For example, an ACL is an access control mechanism that represents
permissions but it says nothing about how those permissions get assigned.

--------------
Alan Karp


> On Thu, Aug 21, 2025 at 5:43 PM Alan Karp <alanhkarp@gmail.com> wrote:
>
>> On Thu, Aug 21, 2025 at 11:41 AM Bob Wyman <bob@wyman.us> wrote:
>>
>>> When addressing Composed Delegations, you say:
>>>
>>>> Composable: Dave needs to be able to get one permission from Alice,
>>>> another from Bob and use them both in the same API call.
>>>
>>>
>>> Imagine that Bob and Alice both have Q, U, and D privileges in respect to
>>> object X. Alice delegates Q and U to Dave. Bob delegates U and D to Dave.
>>> Neither Bob nor Dave
>>>
>>
>> I think you mean Alice
>>
>>
>>> are aware that the other had delegated privileges to Dave. Now, Dave
>>> needs to do something to X that requires both U and D. Are you really
>>> comfortable with letting him combine the Q from Alice with the D from Bob?
>>> Doing this would allow Dave to do something that neither Bob nor Alice
>>> intended him to do. In fact, both Bob and Alice might be very surprised to
>>> learn that Dave had, in fact, done that thing.
>>>
>>> You could also ask if Alice's delegation to Dave violates some policy.
>> Policy is a topic I chose to avoid.
>>
>> If you want policy enforcement, you'll have to mediate delegations in
>> some way.  However, you still need to deal with credential sharing to get
>> around blocked delegations.
>>
>> --------------
>> Alan Karp
>>
>>
>>> On Thu, Aug 21, 2025 at 1:49 PM Alan Karp <alanhkarp@gmail.com> wrote:
>>>
>>>> I have followed a variety of access control systems off and on for some
>>>> 30 years, including the recent discussion on this list of the use of OAuth
>>>> 2.0 and 2.1.  I have concluded that many, if not all of them, suffer from
>>>> being based on use cases that are too simple.
>>>>
>>>> In an attempt to address that problem, I've constructed a bunch of use
>>>> cases <https://alanhkarp.com/UseCases.pdf> that I think capture all
>>>> the hazards an access control system must address.  Comments, criticisms,
>>>> and corrections will be appreciated and resented in equal measure.
>>>>
>>>> --------------
>>>> Alan Karp
>>>>
>>>

Received on Friday, 22 August 2025 00:34:05 UTC
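
Added example, not part of the thread or of the linked use cases: a small Python model of the composed-delegation scenario discussed above (Alice delegates Q and U, Bob delegates U and D, Dave presents both in one call). The `Delegation` record, the `HELD` table and `authorize` are hypothetical names; the check reports which grantor supplied each permission and whether any single grantor covered the whole request, which is the information a mediating layer would need.

```python
from dataclasses import dataclass

# Constructed sample state: who holds what on object X (the thread's scenario).
HELD = {("Alice", "X"): frozenset("QUD"), ("Bob", "X"): frozenset("QUD")}

@dataclass(frozen=True)
class Delegation:
    grantor: str
    grantee: str
    obj: str
    perms: frozenset

def authorize(caller, obj, required, presented):
    """Check one call against the union of the delegations presented with it.

    Returns (allowed, sources, covering):
      sources  - for each required permission, the grantors that supplied it
      covering - grantors whose single delegation covers the whole request
    """
    required = frozenset(required)
    # A delegation counts only if it names this caller and object and the
    # grantor actually holds everything it passes on (attenuation only).
    valid = [d for d in presented
             if d.grantee == caller and d.obj == obj
             and d.perms <= HELD.get((d.grantor, d.obj), frozenset())]
    sources = {p: sorted(d.grantor for d in valid if p in d.perms)
               for p in required}
    allowed = all(sources[p] for p in required)
    covering = sorted(d.grantor for d in valid if required <= d.perms)
    return allowed, sources, covering

# Constructed delegations matching the scenario in the thread.
from_alice = Delegation("Alice", "Dave", "X", frozenset("QU"))
from_bob = Delegation("Bob", "Dave", "X", frozenset("UD"))

if __name__ == "__main__":
    for need in ("UD", "QD"):
        print(need, authorize("Dave", "X", need, [from_alice, from_bob]))
```

A request for U and D is covered by Bob's delegation alone, while a request for Q and D is allowed only by composition and returns an empty `covering` list. Whether that composed case should be permitted is the policy question the thread leaves open.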