- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Wed, 30 Jul 2025 11:59:51 -0400
- To: Alan Karp <alanhkarp@gmail.com>
- Cc: W3C Credentials CG <public-credentials@w3.org>
On Wed, Jul 30, 2025 at 11:29 AM Alan Karp <alanhkarp@gmail.com> wrote: > I've read several papers/specs over the past few months where agentic AI systems are using VCs for permissions. I believe this choice is a mistake for reasons that I have articulated several times. Yes, it's a mistake. At present, this is the statement we have in the VC spec about using VCs for authorization: https://www.w3.org/TR/vc-data-model-2.0/#authorization ... which literally says: "Authorization is not an appropriate use for this specification". :) What we need to do is get the Authorization Capabilities spec onto the standards track, because that's what these agentic AI systems should be using to do delegated actions on behalf of their controllers... that Verified Bots stuff that Cloudflare is doing is something along these lines (so all isn't hopeless). > There are so many of these projects from so many organizations that there's no way I can explain the issues to them one by one. Is there something the VC standards group can do? Speaking from a practical point of view -- no, not right now, because we have too many other higher priority items that need to get done. The only thing that solves that are more people volunteering to do work around authorization capabilities and push that work forward, and unless that happens, we'll just see another wave of well-meaning-but-misguided young developers misusing authentication technology for authorization use cases. I have suggested to W3C that they create a security technologies group that can move the Data Integrity and ZCAP stuff forward, but they'd need to hire more staff and the budget just isn't there to do that right now. So, we're left with where we are right now -- the folks that get specs done will have to get the higher priority ones done and when those are done, move the authorization capability stuff forward. No one likes that plan, but realistically, that's where we are right now without more volunteers (on the CCG/VCWG side) and funding (on the W3C side). All that said, I completely understand and empathize with your frustration, Alan... I'm in the same boat as you. We can't engage with everyone that mixes up authentication with authorization and tries to use VCs for both of those things. -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. https://www.digitalbazaar.com/
Received on Wednesday, 30 July 2025 16:00:31 UTC