On June 22, 2021 11:03 PM @acoburn wrote on Gitter:
I think one has to step back and ask the question: how does the client know that it wants to authenticate using Credentials to a Pod? The Solid use case is that an App is following links - which can jump between documents located on various pods, the way web pages can link between HTML pages located across web servers - and doing so it may arrive on a resource that returns a 401. At this point how would the client know that Credentials are even the right thing to present? Why not use a WebID or a keyId? (see Use Case and Requirements: Minimal Credentials Disclosure). This problem is then answered very simply by allowing the Access Control Rules to be readable, as recommended in issue 189. This is especially unproblematic for access control rules that don't list individuals but instead list general properties that are required, as for example rules that require a proof of age, or proof of payment to be satisfied. More complex use cases requiring privacy can also be dealt with as explained in the comment to issue 189.

A client may have all these VCs, but before it can present them it needs to know if any of them are required, or even if the server is legally allowed to require them. So we need an Access Control resource (ACR) per Resource as explained above. The use cases can then be covered by allowing ACRs to contain rules that describe those use cases. I showed how that could be done for age and nationality for example in issue 135 opened in November 2020. For credentials this could be done using the proposal in issue 176: on Trusting Certain issuers of identity from which I take the following definition:

```turtle
# Prefix declarations added so the snippet parses on its own. The IRIs for
# wac: (the issue 176 proposal) and the default namespace are assumed
# placeholders; the page does not give them.
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix owl: <http://www.w3.org/2002/07/owl#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix vc:  <https://www.w3.org/2018/credentials#> .
@prefix wac: <https://example.org/wac-proposal#> .
@prefix :    <https://example.org/classes#> .

# hasCredentialIssuer is the composition of holdsCredential followed by issuer
wac:hasCredentialIssuer owl:propertyChainAxiom ( wac:holdsCredential vc:issuer ) .
```

And we can use it to define a class of EU citizens, for example by specifying those that have credentials:

```turtle
:euCitizen rdf:type owl:Class ;
    owl:equivalentClass [
        rdf:type owl:Restriction ;
        owl:onProperty wac:hasCredentialIssuer ;
        owl:someValuesFrom <https://data.eu/memberStates#members>
    ] .
```

And then of course we can create an authorization in the ACR such as

```turtle
<#authorization2>
    a acl:Authorization ;
    acl:agentClass :euCitizen ;       # the class defined above
    acl:mode acl:Read, acl:Write ;    # has Read/Write access to the collection
    acl:accessTo <https://health.info/covid19/> .
```

This is obviously just a sketch, but it shows that we have all the tools we need to answer @acoburn's use case in a declarative way that uses the benefits of Linked Data to its advantage.
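The evaluation a Pod server would have to carry out against the sketch in the comment above, as an added example that is not part of the discussion: a dependency-free Python rule engine that materialises the owl:propertyChainAxiom and the owl:someValuesFrom restriction over plain triples, then checks the acl:Authorization for a given agent, resource and mode. Prefixed names are kept as shorthand strings (the IRI behind wac: is not given on the page), the agent and issuer IRIs are constructed sample data, and the presented credentials are assumed to have already had their proofs verified, since only then may the vc:issuer value be trusted for an access decision.

```python
"""Evaluate the sketch ACR with a minimal rule engine over
(subject, predicate, object) triples.

Added example, not code from the discussion.  Prefixed names stay as plain
strings (no IRI expansion; the wac: IRI is not on the page).  Credentials are
assumed proof-verified before their vc:issuer is used.
"""
from __future__ import annotations

RDF_TYPE = "rdf:type"


def objects(graph: set, subject: str, predicate: str) -> set:
    """All o such that (subject, predicate, o) is in the graph."""
    return {o for s, p, o in graph if s == subject and p == predicate}


def apply_property_chains(graph: set, chains: dict) -> set:
    """owl:propertyChainAxiom: P = (p1 ... pn) means that a path
    x p1 y1 ... pn z entails the single triple (x, P, z)."""
    out = set(graph)
    for derived, chain in chains.items():
        for start in {s for s, p, _ in graph if p == chain[0]}:
            frontier = {start}
            for prop in chain:  # walk the chain one property at a time
                frontier = {o for node in frontier for o in objects(graph, node, prop)}
            out |= {(start, derived, end) for end in frontier}
    return out


def apply_some_values_from(graph: set, restrictions: dict) -> set:
    """owl:equivalentClass [ owl:onProperty P ; owl:someValuesFrom C ]:
    x is typed into the class when some o has (x, P, o) and (o, rdf:type, C)."""
    out = set(graph)
    for cls, (prop, filler) in restrictions.items():
        out |= {(s, RDF_TYPE, cls) for s, p, o in graph
                if p == prop and (o, RDF_TYPE, filler) in graph}
    return out


def is_authorized(graph: set, agent: str, resource: str, mode: str) -> bool:
    """True when some acl:Authorization grants `mode` on `resource` to the
    agent directly (acl:agent) or to a class the agent has been typed into."""
    for auth in {s for s, p, o in graph if p == RDF_TYPE and o == "acl:Authorization"}:
        if resource not in objects(graph, auth, "acl:accessTo"):
            continue
        if mode not in objects(graph, auth, "acl:mode"):
            continue
        if agent in objects(graph, auth, "acl:agent"):
            return True
        if objects(graph, auth, "acl:agentClass") & objects(graph, agent, RDF_TYPE):
            return True
    return False


# Ontology from the sketch: the property chain and the restriction-defined class
CHAINS = {"wac:hasCredentialIssuer": ("wac:holdsCredential", "vc:issuer")}
RESTRICTIONS = {":euCitizen": ("wac:hasCredentialIssuer",
                               "<https://data.eu/memberStates#members>")}

# The ACR from the sketch
ACR = {
    ("<#authorization2>", RDF_TYPE, "acl:Authorization"),
    ("<#authorization2>", "acl:agentClass", ":euCitizen"),
    ("<#authorization2>", "acl:mode", "acl:Read"),
    ("<#authorization2>", "acl:mode", "acl:Write"),
    ("<#authorization2>", "acl:accessTo", "<https://health.info/covid19/>"),
}

# Constructed sample data: one issuer listed as a member-state issuer
MEMBER_STATE_ISSUERS = {
    ("<https://issuer-fr.example/#id>", RDF_TYPE, "<https://data.eu/memberStates#members>"),
}

# Constructed sample presentations (proofs assumed already verified)
ALICE = "<https://alice.example/profile#me>"
BOB = "<https://bob.example/profile#me>"
PRESENTED = {
    (ALICE, "wac:holdsCredential", "_:credAlice"),
    ("_:credAlice", "vc:issuer", "<https://issuer-fr.example/#id>"),
    (BOB, "wac:holdsCredential", "_:credBob"),
    ("_:credBob", "vc:issuer", "<https://issuer-elsewhere.example/#id>"),
}


def materialise(graph: set) -> set:
    """Run both inference steps; the chain must come before the restriction."""
    return apply_some_values_from(apply_property_chains(graph, CHAINS), RESTRICTIONS)


def decide(agent: str, resource: str, mode: str) -> bool:
    """Access decision for one request against ACR + trust list + presentation."""
    return is_authorized(materialise(ACR | MEMBER_STATE_ISSUERS | PRESENTED),
                         agent, resource, mode)


if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who, "acl:Read ->", decide(who, "<https://health.info/covid19/>", "acl:Read"))
```

Because the class membership is derived from the issuer of a presented credential rather than from a list of named individuals, the ACR can stay readable without disclosing who has access, which is the privacy property the comment relies on; the server only needs the member-state issuer list, the ontology and a verified presentation to reach a decision.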
Half the session for 2021-06-09 and 3/4 of the session for 2021-06-16 were spent on considering some apparent need for UMA like functionality. In order to evaluate that claim we need
I expressed doubt about this, given that those standards are pushed by groups that have explicitly made it their starting point to not use any of the Semantic Web tools, which means that they are trying to build something while missing one of the most important tools available.
So we should start here by collecting some of the user stories that reveal the problem, and also start sketching out some of the answers that can be given.
On June 22, 2021 11:03 PM @acoburn wrote on Gitter in answer to this question that:
I think this is a better place to have a thoughtful discussion than on Gitter.