- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Tue, 1 Dec 2015 18:10:42 -0500
- To: Tony Arcieri <bascule@gmail.com>, "msporny@digitalbazaar.com" <msporny@digitalbazaar.com>
- Cc: Web Payments IG <public-webpayments-ig@w3.org>, Credentials CG <public-credentials@w3.org>
On 12/01/2015 04:08 PM, Tony Arcieri wrote: > I was unable to attend this teleconference, but there was one > objection I would like to raise: > > RESOLUTION: There is a significant difference between user-centric > and service-centric architectures when it comes to verifiable > claims. > > I strongly oppose this resolution, and believe this sort of thinking > is both deeply rooted in ambient authority systems and is the source > of confused deputy problems in multi-principal interactions where > one of the principals is the user. > > A credential system which can securely solve 3+ principal > interactions is by necessity dealing with the relationships between > the user, service A, and service B (and potentially services C, D, > and E) First, to avoid confusion, the "credentials" we're discussing when we talk about verifiable claims are "identity credentials", not "authorization credentials". A verifiable claim is a non-repudiable statement about an identity. You can use such a claim to authenticate an identity; the decision as to whether or not an identity should be authorized to take some action or access some service is a separate concern. So, here we're talking about an identity credentials ecosystem where entities (eg: people) can collect verifiable claims about themselves, aggregate them into digital identities as they see fit, and then decide to share them as they see fit. This is different from an authorization credentials system, for example, where services want to restrict access to certain resources. Of course, a verifiable claims technology can be used to provide the identity and authentication piece for such a system, but it would not directly provide the authorization or delegation mechanism. To give an example of a verifiable claim use case: A user visits a website ("consumer") to apply for a job. On their job application, they are given the opportunity to offer proof that they received an appropriate degree from a publicly accredited school and that they are a US citizen. In a service-centric system, the consumer may be registered with a number of universities that the user can choose to be redirected to in order to obtain some kind of authentication token. The consumer may also be registered with a US government website -- and then redirect the user to that site for them to obtain an authentication token. Each of these operations may also involve some other shared "identity provider" (like a social web service) that the user must use to authenticate against each of those websites in order to obtain their authentication token. In this system, the consumer may need to be tightly integrated with some number of university systems. The university must implement some kind of "identity provider" service for the user. The university is also fully aware of the consumer of the user's credentials and is in the middle of the relationship. The government site acts in the same way, and the social web identity provider acts similarly in that it is aware of the services the user is interacting with. As a result of this architecture, the user has no choice but to fracture their identities across multiple identity providers. They have no ability to create cohesive digital identities in a way that they can reason about. They also do not have strong control over their own information. If they employ a shared identity provider service to help them manage authenticating, they lose privacy, as they must share every site they interact with. They have no ability to privately share their claims with the consumer. In a user-centric system, the user will visit the university website independently and be given a verifiable claim that they store with some agent, device, or service that helps them manage their claims. They will do the same for the US government website. They can then provide those claims to the consumer without those other websites involving themselves in the transaction. The consumer can still verify the authenticity of the claims made and decide if they trust the parties that made them. The user is free to choose whatever agent, device, or service they want in order to help them provide, manage, and aggregate their claims for them; switching this agent out will have no effect on the trust between the consumer and the issuers of the claims. If the user elects to use an online service to aggregate their claims, that service does not need to be made aware of with whom they share their claims; sharing can be browser-mediated. I think these two architectures have significant differences that impact people's choices and ability to create, control, and manage their own digital identities. > > I would argue that if a credential system is inflexible to the point > it is unable to model both the authority of human principals > (vicariously via their user agents) and service principals, that is > in fact a failure of the design/expressiveness of the credential > system, and in no way a desirable property. Could you describe a scenario that you believe cannot be modelled by the architecture presented? > > I would cite Macaroons as a system sufficiently flexible and > expressive enough to cover both cases: > > http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/41892.pdf I think Macaroons would be a fantastic technology to explore using as the authorization piece of the puzzle; as a replacement for OAuth. Macaroons are an authorization and authorization-delegation tool. They do not provide identity or authentication. In fact, they are intentionally designed to operate at a different layer of abstraction. They provide a place for an identity + authentication mechanism to insert itself in order to "discharge caveats". For example, verifiable claims technology could be employed to discharge Macaroon caveats, authenticating the user of a Macaroon. Alternatively, a service-centric identity credentials mechanism could be used, but it would bring with it the drawbacks stated above. From my point of view, user-centric verifiable claims technologies and Macaroons would complement each other quite nicely; they do not compete. With verifiable claims technology people can control their identities and how they present themselves to websites. With Macaroons, services can control and delegate authorization to access resources. By combining both technologies, services can limit authorization to resources based on whether or not people have provided the appropriate verifiable claims. People can delegate access to resources by attenuating Macaroons with caveats that require further verifiable claims. These two technologies are more decentralized than their predecessors and they seem to complement one another quite well. -- Dave Longley CTO Digital Bazaar, Inc. http://digitalbazaar.com
Received on Tuesday, 1 December 2015 23:11:07 UTC