Re: Credentials Task Force proposal

On 11/06/2015 08:12 PM, Tony Arcieri wrote:
> On Friday, November 6, 2015, Dave Longley <dlongley@digitalbazaar.com> wrote:
>>
>> We could use these credentials in conjunction with macaroon
>> caveats (which seems to be one of the primary use cases for
>> caveats). In other words, these technologies can complement each
>> other (which is what I believe you were alluding to, so we're in
>> agreement).
>
>
> I would argue the same problems can be solved by Macaroons alone, but
> it seems this WG is looking more for a meta-standard than a
> one-size-fits-all solution to bless.

The way I could see macaroons working with the proposed Credentials CG
solution would be to put third party caveats on macaroons that would
list a set of Identity Credentials that are required to gain
authorization. Then, instead of contacting a service to obtain these
credentials, the target site could make a `navigator.credentials` API
request for the desired credentials. Once retrieved, the macaroon(s) can
be verified.

This has a number of benefits, one of which is that it helps enhance
privacy by not allowing the target site to "probe" for identity
information; rather, user interaction for consent is required (unless
automatic consent has been specifically granted to a particular target
site). Some other benefits derive from the ability to attenuate the
macaroon according to the desired verifiable attributes of an entity -- not
strongly tying them to any particular service that may happen to
provide/assert them.

Perhaps this approach could still be modelled as a set of first party
caveats -- but that's in the details.


-- 
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com

Received on Monday, 9 November 2015 17:24:38 UTC
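
The scheme described in the message above, sketched as an added example that is not part of the original message or of any project's code. It models the "first party caveats" variant: a caveat names the Identity Credentials that must be presented before the macaroon authorizes anything. The caveat syntax, the credential names and the keys are constructed assumptions, and `presented` stands in for credentials already obtained with user consent and already verified.

```python
import hashlib
import hmac

PREFIX = "credentials-required = "  # hypothetical caveat syntax for this sketch


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Issuer creates a macaroon: the signature starts as HMAC(root_key, id)."""
    return {"id": identifier, "caveats": [],
            "sig": _mac(root_key, identifier.encode())}


def attenuate(m: dict, required: set) -> dict:
    """Any holder can add a caveat; the old signature becomes the next HMAC
    key, so a caveat cannot be removed without knowing the root key."""
    caveat = PREFIX + ",".join(sorted(required))
    return {"id": m["id"], "caveats": m["caveats"] + [caveat],
            "sig": _mac(m["sig"], caveat.encode())}


def verify(root_key: bytes, m: dict, presented: set) -> bool:
    """Recompute the HMAC chain and require every credential-type caveat to
    be covered by the presented (already verified) credentials."""
    sig = _mac(root_key, m["id"].encode())
    satisfied = True
    for caveat in m["caveats"]:
        sig = _mac(sig, caveat.encode())
        if not caveat.startswith(PREFIX):
            satisfied = False  # unknown caveat: fail closed
            continue
        required = set(caveat[len(PREFIX):].split(","))
        satisfied = satisfied and required <= presented
    return hmac.compare_digest(sig, m["sig"]) and satisfied


# Constructed sample values, not taken from the message.
ROOT_KEY = b"constructed-root-key-for-example"
BASE = mint(ROOT_KEY, "photo-album-42")
RESTRICTED = attenuate(BASE, {"AgeOver18Credential", "EmailCredential"})
```

Because each caveat names a credential type rather than the service that asserts it, the same macaroon verifies regardless of which issuer supplied the presented credentials.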