Re: Access Control

So, if policy determines "how those permissions get assigned," but not the
permissions themselves, then I assume that the following use cases would
not involve policy:

After following some written policy guidelines, Alice delegates to Bob, but
the delegated permissions she provides are constrained to work:

   - Only for the two weeks that she's out on vacation.
   - Only between the hours of 6pm and 9am during weekdays that are
   workdays.
   - Only if Bob has received a complementary delegation from Dave. (i.e.
   composition required)
   - Only if Bob can't compose Alice's delegation with any other
   delegation. (i.e. Bob can't do anything Alice couldn't do.)
   - Only a maximum of three times.
   - Only a maximum of three times during any 24-hour period.
   - Only while the intrusion detection system is reporting a suspected
   intruder.
   - Only when the outside temperature is above 99 degrees.
   - Only if Bob's continued employment by Alice's employer can be
   confirmed.
   - Only if Bob uses the permissions to manipulate one or more of an
   enumerated list of objects.
   - etc.


bob wyman

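As an added example (not part of Bob's or Alan's messages, and not code from any system discussed in the thread), the following Python sketches how constraints like the ones listed above can be attached to a delegation and checked by the reference monitor at the moment the delegation is exercised. Every name here (Context, Delegation, the caveat builders, evaluate, authorize) and every sample value (the dates, the principals, the object names) is constructed for illustration. The authorize function also covers the composition question raised further down the thread: whether a request needing several permissions must be satisfied by one delegation alone or may be assembled from several, each still subject to its own caveats.

```python
"""Constructed example: caveats on a delegation, checked when it is exercised."""
from dataclasses import dataclass, field, replace
from datetime import datetime, time, timedelta
from typing import Callable, Iterable


def _always_employed(_subject: str) -> bool:
    return True  # stand-in for an HR lookup; an assumption, not a real directory call


@dataclass
class Context:
    """What the reference monitor knows at the moment a delegation is exercised."""
    now: datetime
    subject: str            # principal presenting the delegation
    obj: str                # object the action targets
    action: str             # the single permission being exercised, e.g. "U"
    presented: list = field(default_factory=list)  # other delegations the subject holds
    use_log: list = field(default_factory=list)    # datetimes of earlier uses of this delegation
    ids_alert: bool = False                        # intrusion detection reporting a suspect
    employed: Callable[[str], bool] = _always_employed


@dataclass
class Delegation:
    issuer: str
    delegate: str
    permissions: frozenset
    caveats: list = field(default_factory=list)    # (name, predicate(ctx, delegation)) pairs


# Caveat builders: each returns (name, predicate). The name is reported as a refusal reason.
def valid_between(start: datetime, end: datetime):
    return ("valid_between", lambda ctx, _d: start <= ctx.now < end)


def after_hours_on_workdays(evening=time(18, 0), morning=time(9, 0)):
    def ok(ctx, _d):  # 6pm-9am wraps midnight, so accept t >= evening OR t < morning
        t = ctx.now.time()
        return ctx.now.weekday() < 5 and (t >= evening or t < morning)
    return ("after_hours_on_workdays", ok)


def requires_complementary_from(issuer: str):
    return (f"requires_complementary_from:{issuer}",
            lambda ctx, d: any(p.issuer == issuer and p.delegate == d.delegate
                               for p in ctx.presented))


def max_uses_per(n: int, window: timedelta):
    return (f"max_uses_per:{n}",
            lambda ctx, _d: sum(1 for u in ctx.use_log if ctx.now - window < u <= ctx.now) < n)


def only_during_ids_alert():
    return ("only_during_ids_alert", lambda ctx, _d: ctx.ids_alert)


def employment_confirmed():
    return ("employment_confirmed", lambda ctx, d: ctx.employed(d.delegate))


def objects_in(names: Iterable[str]):
    allowed = frozenset(names)
    return ("objects_in", lambda ctx, _d: ctx.obj in allowed)


def evaluate(d: Delegation, ctx: Context) -> list:
    """Reasons this use of `d` is refused; an empty list means it is allowed."""
    failures = []
    if ctx.subject != d.delegate:
        failures.append("wrong_delegate")
    if ctx.action not in d.permissions:
        failures.append("permission_not_delegated")
    failures += [name for name, pred in d.caveats if not pred(ctx, d)]
    return failures


def authorize(required, delegations: list, ctx: Context, allow_composition: bool) -> bool:
    """True if every permission in `required` is available to the subject: from one
    delegation alone, or, when composition is allowed, from the union of several.
    Each delegation's caveats are still checked on their own."""
    usable = [{p for p in d.permissions if not evaluate(d, replace(ctx, action=p))}
              for d in delegations]
    if allow_composition:
        return set(required) <= set().union(*usable)
    return any(set(required) <= perms for perms in usable)


# Constructed sample: the delegation Alice hands Bob for her two weeks away.
ALICE_TO_BOB = Delegation("alice", "bob", frozenset({"U"}), [
    valid_between(datetime(2025, 8, 25), datetime(2025, 9, 8)),
    after_hours_on_workdays(),
    requires_complementary_from("dave"),
    max_uses_per(3, timedelta(hours=24)),
    employment_confirmed(),
    objects_in(["X", "Y"]),
])
DAVE_TO_BOB = Delegation("dave", "bob", frozenset({"U"}))


def sample_context(**overrides) -> Context:
    """Tuesday 26 Aug 2025, 19:00, two earlier uses today; overrides vary one factor."""
    base = dict(now=datetime(2025, 8, 26, 19, 0), subject="bob", obj="X", action="U",
                presented=[DAVE_TO_BOB],
                use_log=[datetime(2025, 8, 26, 18, 0), datetime(2025, 8, 26, 18, 30)])
    base.update(overrides)
    return Context(**base)
```

Each caveat is a pure predicate over the context, so the monitor can report exactly which condition refused a use, and a delegation that says nothing about composition is handled by the caller's allow_composition choice rather than by anything the delegate can influence.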
On Thu, Aug 21, 2025 at 8:34 PM Alan Karp <alanhkarp@gmail.com> wrote:

> On Thu, Aug 21, 2025 at 3:12 PM Bob Wyman <bob@wyman.us> wrote:
>
>> Alan Karp wrote:
>>
>>> "Policy is a topic I chose to avoid."
>>
>>
>> How is "policy" distinguished from access control?
>>
>
> Policy decides who gets which permissions when.  Access control is how
> those permissions are represented and used.
>
> For example, an ACL is an access control mechanism that represents
> permissions but it says nothing about how those permissions get assigned.
>
> --------------
> Alan Karp
>
>> On Thu, Aug 21, 2025 at 5:43 PM Alan Karp <alanhkarp@gmail.com> wrote:
>>
>>> On Thu, Aug 21, 2025 at 11:41 AM Bob Wyman <bob@wyman.us> wrote:
>>>
>>>> When addressing Composed Delegations, you say:
>>>>
>>>>> Composable: Dave needs to be able to get one permission from Alice,
>>>>> another from Bob and use them both in the same API call.
>>>>
>>>>
>>>> Imagine that Bob and Alice both have Q, U, and D privileges in respect
>>>> to object X. Alice delegates Q and U to Dave. Bob delegates U and D to
>>>> Dave. Neither Bob nor Dave
>>>>
>>>
>>> I think you mean Alice
>>>
>>>
>>>> are aware that the other had delegated privileges to Dave. Now, Dave
>>>> needs to do something to X that requires both U and D. Are you really
>>>> comfortable with letting him combine the Q from Alice with the D from Bob?
>>>> Doing this would allow Dave to do something that neither Bob nor Alice
>>>> intended him to do. In fact, both Bob and Alice might be very surprised to
>>>> learn that Dave had, in fact, done that thing.
>>>>
>>>> You could also ask if Alice's delegation to Dave violates some policy.
>>> Policy is a topic I chose to avoid.
>>>
>>> If you want policy enforcement, you'll have to mediate delegations in
>>> some way.  However, you still need to deal with credential sharing to get
>>> around blocked delegations.
>>>
>>> --------------
>>> Alan Karp
>>>
>>>> On Thu, Aug 21, 2025 at 1:49 PM Alan Karp <alanhkarp@gmail.com> wrote:
>>>>
>>>>> I have followed a variety of access control systems off and on for
>>>>> some 30 years, including the recent discussion on this list of the use of
>>>>> OAuth 2.0 and 2.1.  I have concluded that many, if not all of them, suffer
>>>>> from being based on use cases that are too simple.
>>>>>
>>>>> In an attempt to address that problem, I've constructed a bunch of use
>>>>> cases <https://alanhkarp.com/UseCases.pdf> that I think capture all
>>>>> the hazards an access control system must address.  Comments, criticisms,
>>>>> and corrections will be appreciated and resented in equal measure.
>>>>>
>>>>> --------------
>>>>> Alan Karp
>>>>>
>>>>

Received on Friday, 22 August 2025 01:00:40 UTC