2D/ Putting the Fun into Functional Authorization Models / Charles Cunningham

From IIW

Session 1D

Putting the Fun into Functional Authorization Models


Session Convener: Charles Cunningham

Notes-taker(s):


Tags / links to resources / technology discussed, related to this session:


Authorization Capabilities, OCaps, UCAN, ZCAP-LD, CACAO, ReCap


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Focusing on capability models which have emerged from the SSI space, and which specifically allow attenuated and offline delegation (delegation without communication with the resource owner/controller). We did a simple comparative analysis of features and characteristics with the aim of determining if (and to what degree) they can be used together within the same delegation chain. Major distinctions include:

  • fully-embedded parent delegations (zcap-ld and others) vs. hash-linked parent delegations (ucan and cacao), is a major complicating factor in interleaving different formats within the same chain
  • All formats share a substantial amount of characteristics, due to their mutual aim of fulfilling the concepts of authorisation capabilities in a PKI backed manner
  • ZCAP-LD has the most flexible format and signing possibilities
  • UCAN and CACAO are specific to ecosystems based on IPLD


Additionally, several good suggestions were made for best practices

  • Encryption of the parent chain to the verifier, when delegation happens, to prevent a delegatee from knowing the permissions of parent delegators
  • Minimizing the number of network calls to improve performance and reduce attack surface (implicitly advocates for fully embedded delegations)
  • Online delegation (where delegation requires token exchange with the resource controller) has certain characteristics which can be desirable in specific situations (gives resource owner full knowledge of delegations, makes tokens opaque to delegatees to reduce information leakage, allows for hiding implementation details of the verification process, allows for secret-key (e.g. HMAC) based verification)
Retrieved from "https://iiw.idcommons.net/index.php?title=2D/_Putting_the_Fun_into_Functional_Authorization_Models_/_Charles_Cunningham&oldid=24579"