Re: Credentials Task Force proposal

Perhaps a tad relevant to the discussion, but this may offer some insights:
does anyone here have this report? (GBP @,000 is not cheap - I wonder):
http://research.greyspark.com/assets/GreySpark-Infographic-Capital-Markets-Use-Cases1.pdf

--

CRYPTOGRAPHIC SECURITY  |  IDENTITY  |  LEGAL & COMPLIANCE

ARIE Y. LEVY-COHEN
BLOCKCHAIN ADVISOR | SPEAKER | W3C i-EXPERT
ECONOMICS | FINANCE | DISTRIBUTED LEDGER TECH
P: *917.692.6999*

On Mon, Nov 9, 2015 at 12:24 PM, Dave Longley <dlongley@digitalbazaar.com>
wrote:

> On 11/06/2015 08:12 PM, Tony Arcieri wrote:
>
>> On Friday, November 6, 2015, Dave Longley <dlongley@digitalbazaar.com>
>> wrote:
>>
>>>
>>> We could use these credentials in conjunction with macaroon
>>> caveats (which seems to be one of the primary use cases for
>>> caveats). In other words, these technologies can complement each
>>> other (which is what I believe you were alluding to, so we're in
>>> agreement).
>>>
>>
>>
>> I would argue the same problems can be solved by Macaroons alone, but
>> it seems this WG is looking more for a meta-standard than a
>> one-size-fits-all solution to bless.
>>
>
> The way I could see macaroons working with the proposed Credentials CG
> solution would be to put third party caveats on macaroons that would
> list a set of Identity Credentials that are required to gain
> authorization. Then, instead of contacting a service to obtain these
> credentials, the target site could make a `navigator.credentials` API
> request for the desired credentials. Once retrieved, the macaroon(s) can
> be verified.
>
> This has a number of benefits; one of which is that it helps enhance
> privacy by not allowing the target site to "probe" for identity
> information, rather, user interaction for consent is required (unless
> automatic consent has been specifically granted to a particular target
> site). Some other benefits derive from the ability to attenuate the
> macaroon according to the desired verifiable attributes of an entity -- not
> strongly tying them to any particular service that may happen to
> provide/assert them.
>
> Perhaps this approach could still be modelled as a set of first party
> caveats -- but that's in the details.
>
>
> --
> Dave Longley
> CTO
> Digital Bazaar, Inc.
> http://digitalbazaar.com
>
>

Received on Monday, 9 November 2015 19:05:35 UTC
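
An added sketch (not part of the original thread) of the simpler variant mentioned at the end of the quoted message: the required Identity Credentials modelled as first-party caveats on an HMAC-chained macaroon. The caveat syntax `credential = <type>`, the function names and all sample values are assumptions; the `presented` set stands in for credential types the user consented to release through the `navigator.credentials` request and that the target site has already verified.

```python
import hashlib
import hmac


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def mint(root_key: bytes, identifier: str) -> dict:
    """Target site mints a macaroon; the signature starts the HMAC chain."""
    return {"id": identifier, "caveats": [],
            "sig": _mac(root_key, identifier.encode())}


def attenuate(macaroon: dict, credential_type: str) -> dict:
    """Add a caveat requiring a credential type. No root key is needed."""
    caveat = f"credential = {credential_type}"  # assumed caveat syntax
    return {"id": macaroon["id"],
            "caveats": macaroon["caveats"] + [caveat],
            "sig": _mac(macaroon["sig"], caveat.encode())}


def verify(root_key: bytes, macaroon: dict, presented: set) -> bool:
    """Recompute the chain, then require every listed credential type."""
    sig = _mac(root_key, macaroon["id"].encode())
    for caveat in macaroon["caveats"]:
        sig = _mac(sig, caveat.encode())
    if not hmac.compare_digest(sig, macaroon["sig"]):
        return False  # a caveat was removed, reordered or altered
    for caveat in macaroon["caveats"]:
        key, sep, value = caveat.partition(" = ")
        if key != "credential" or not sep or value not in presented:
            return False  # unknown caveat or missing credential: fail closed
    return True


# Constructed sample values, for illustration only.
ROOT_KEY = b"constructed-demo-root-key"
m = attenuate(attenuate(mint(ROOT_KEY, "order-1234"), "AgeOver21"),
              "VerifiedEmail")

if __name__ == "__main__":
    print(verify(ROOT_KEY, m, {"AgeOver21", "VerifiedEmail"}))
    print(verify(ROOT_KEY, m, {"AgeOver21"}))
```

The caveats name credential types rather than the service that asserts them, which is the decoupling the message describes; true third-party caveats with discharge macaroons are not shown here.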