- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Mon, 9 Nov 2015 12:24:13 -0500
- To: Tony Arcieri <bascule@gmail.com>
- Cc: "public-webpayments-ig@w3.org" <public-webpayments-ig@w3.org>

On 11/06/2015 08:12 PM, Tony Arcieri wrote:
> On Friday, November 6, 2015, Dave Longley <dlongley@digitalbazaar.com
> <mailto:dlongley@digitalbazaar.com>> wrote:
>>
>> We could use these credentials in conjunction with macaroon
>> caveats (which seems to be one of the primary use cases for
>> caveats). In other words, these technologies can complement each
>> other (which is what I believe you were alluding to, so we're in
>> agreement).
>
>
> I would argue the same problems can be solved by Macaroons alone, but
> it seems this WG is looking more for a meta-standard than a
> one-size-fits-all solution to bless.

The way I could see macaroons working with the proposed Credentials CG solution would be to put third party caveats on macaroons that would list a set of Identity Credentials that are required to gain authorization. Then, instead of contacting a service to obtain these credentials, the target site could make a `navigator.credentials` API request for the desired credentials. Once retrieved, the macaroon(s) can be verified.

This has a number of benefits; one of which is that it helps enhance privacy by not allowing the target site to "probe" for identity information, rather, user interaction for consent is required (unless automatic consent has been specifically granted to a particular target site).

Some other benefits derive from the ability to attenuate the macaroon according to the desired verifiable attributes of an entity -- not strongly tying them to any particular service that may happen to provide/assert them.

Perhaps this approach could still be modelled as a set of first party caveats -- but that's in the details.

--
Dave Longley
CTO
Digital Bazaar, Inc.
http://digitalbazaar.com

Received on Monday, 9 November 2015 17:24:38 UTC
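
The following is an added example, not part of the original message and not code from any macaroon library or from the Credentials CG. It models the idea as first-party caveats on an HMAC-chained macaroon that the target site checks against the credentials the user consented to release. The caveat syntax `requires-credential = <type>`, the credential type names and the root key are assumptions, and `presented` is assumed to hold only credential types whose issuer signatures were already verified.

```python
import hashlib
import hmac

ROOT_KEY = b"constructed-demo-root-key"  # constructed sample, known only to the target site
PREFIX = "requires-credential"           # hypothetical caveat predicate


def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str, caveats=()):
    """Target site issues a macaroon; the signature starts the HMAC chain."""
    m = {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}
    for caveat in caveats:
        m = attenuate(m, caveat)
    return m


def attenuate(m: dict, caveat: str) -> dict:
    """Any holder can add a caveat: the old signature keys the next HMAC."""
    return {"id": m["id"], "caveats": m["caveats"] + [caveat],
            "sig": _mac(m["sig"], caveat)}


def verify(root_key: bytes, m: dict, presented: set):
    """Recompute the chain, then require every listed credential type."""
    sig = _mac(root_key, m["id"])
    for caveat in m["caveats"]:
        sig = _mac(sig, caveat)
    if not hmac.compare_digest(sig, m["sig"]):
        return False, "bad signature"  # caveat removed, reordered or edited
    for caveat in m["caveats"]:
        key, _, value = caveat.partition(" = ")
        if key != PREFIX:
            return False, f"unknown caveat: {caveat}"  # fail closed
        if value not in presented:
            return False, f"missing credential: {value}"
    return True, "ok"


if __name__ == "__main__":
    m = mint(ROOT_KEY, "order-42", [f"{PREFIX} = ProofOfAge"])
    m = attenuate(m, f"{PREFIX} = Email")        # further restriction by a holder
    print(verify(ROOT_KEY, m, {"ProofOfAge"}))   # user released only one credential
    print(verify(ROOT_KEY, m, {"ProofOfAge", "Email"}))
```

Because each caveat is folded into the signature, a holder can add a credential requirement but cannot strip one without the root key.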