[Openid-specs-ab] SIOP, Trust Frameworks, and SSI/Open Source

Tom Jones thomasclinganjones at gmail.com
Mon May 17 16:49:06 UTC 2021

Yes, that is my level zero. So attribute based access control is what you
dislike. This is the very place where a DID pseudonym can work if we can
overcome the addressing issues, which are blocking right now.

thx ..Tom (mobile)

On Mon, May 17, 2021, 9:36 AM David Chadwick <
d.w.chadwick at verifiablecredentials.info> wrote:

> On 17/05/2021 17:18, Tom Jones wrote:
> > The Zero trust part says that I do not trust any message that I receive
> > until I have had the opportunity to vet it to the level of assurance that
> > is appropriate for the transaction. That vetting may be included in the
> > session ID or some other evaluation, but some process does occur on every
> > message received.
> This I do agree with. But in my mental model, an RP is contacted by a
> stranger who wants to access one of its protected resources. The RP returns
> its policy to the stranger (which sets out which VCs containing which
> identity attributes it wants from which issuers) and the stranger returns a
> VP. The RP verifies that the VP belongs to the stranger, and that issuers
> it trusts have certified the various identity attributes of the stranger.
> So now the RP can apply an ABAC policy/PDP to grant access to the stranger
> using the validated attributes of the stranger.
> The RP can repeat this for each resource it owns, i.e. zero trust for each
> different resource access request, by assigning different policies to each
> resource. In this way least privileges can be implemented as the stranger
> does not need to provide all the attributes on the initial login request
> (which they do with SAML (and OIDC?), as this leads to maximal privileges).
> Kind regards
> David
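The per-resource exchange David describes (RP returns a policy naming attributes and acceptable issuers, stranger returns a VP, RP checks holder binding and issuer trust, then applies ABAC), modelled as an added example that is not code from this thread or from any VC/SIOP library. It assumes atomic credentials (one attribute per VC) so that the holder can disclose only what a resource's policy asks for, and it stands in for DID resolution and public-key signatures with HMAC keys held in constructed dictionaries; DIDs, issuers, wallets and policies are all made up for the illustration.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for DID-resolved keys. A real RP resolves each DID and
# verifies a public-key signature; shared HMAC keys keep this runnable offline.
ISSUER_KEYS = {"did:example:dmv": b"dmv-key", "did:example:employer": b"employer-key"}
HOLDER_KEYS = {"did:example:alice": b"alice-key", "did:example:mallory": b"mallory-key"}
TRUSTED_ISSUERS = set(ISSUER_KEYS)  # the RP's trust list

# One policy per protected resource: attribute -> issuers the RP accepts for it.
# Each resource asks only for what it needs, which is where least privilege comes from.
POLICIES = {
    "/bar": {"age_over_21": {"did:example:dmv"}},
    "/payroll": {"employee_id": {"did:example:employer"}},
}


def _mac(key, obj):
    """Deterministic tag over a JSON-serialisable object (signature stand-in)."""
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue(issuer, subject, attr, value):
    """Issuer side: one atomic credential carrying a single attribute."""
    body = {"issuer": issuer, "subject": subject, "attr": attr, "value": value}
    return {**body, "proof": _mac(ISSUER_KEYS[issuer], body)}


def policy_for(resource):
    """RP side: the policy returned to the stranger for this resource."""
    return POLICIES[resource]


def present(holder, wallet, policy):
    """Holder side: select only credentials the policy asks for and bind them to the holder."""
    chosen = [c for c in wallet
              if c["subject"] == holder and c["attr"] in policy and c["issuer"] in policy[c["attr"]]]
    return {"holder": holder, "credentials": chosen, "proof": _mac(HOLDER_KEYS[holder], chosen)}


def verify(vp, policy):
    """RP side: holder binding, issuer trust, credential integrity, then the ABAC decision."""
    holder = vp["holder"]
    holder_key = HOLDER_KEYS.get(holder)
    if holder_key is None or not hmac.compare_digest(vp["proof"], _mac(holder_key, vp["credentials"])):
        return False, "presentation not bound to holder"
    validated = {}
    for c in vp["credentials"]:
        if c["subject"] != holder:
            return False, "credential not about holder"
        if c["issuer"] not in TRUSTED_ISSUERS:
            return False, "untrusted issuer " + c["issuer"]
        body = {k: c[k] for k in ("issuer", "subject", "attr", "value")}
        if not hmac.compare_digest(c["proof"], _mac(ISSUER_KEYS[c["issuer"]], body)):
            return False, "bad credential signature"
        if c["issuer"] in policy.get(c["attr"], set()):
            validated[c["attr"]] = c["value"]
    # ABAC rule: every attribute the policy names must be certified and satisfied.
    missing = [a for a in policy if a not in validated]
    if missing:
        return False, "missing attributes " + ", ".join(missing)
    if not all(validated[a] for a in policy):
        return False, "attribute does not satisfy policy"
    return True, "granted"


def request_access(holder, wallet, resource):
    """Full round trip; also reports how many credentials were disclosed."""
    policy = policy_for(resource)
    vp = present(holder, wallet, policy)
    granted, reason = verify(vp, policy)
    return granted, reason, len(vp["credentials"])


# Constructed wallet: three credentials, only one of which any single policy needs.
ALICE = "did:example:alice"
ALICE_WALLET = [
    issue("did:example:dmv", ALICE, "age_over_21", True),
    issue("did:example:employer", ALICE, "employee_id", "E123"),
    issue("did:example:dmv", ALICE, "home_address", "1 Example St"),
]

if __name__ == "__main__":
    for resource in POLICIES:
        print(resource, request_access(ALICE, ALICE_WALLET, resource))
    print("/bar as mallory", request_access("did:example:mallory", ALICE_WALLET, "/bar"))
```

Each resource request discloses exactly one credential, and the home address never leaves the wallet; a different holder cannot reuse Alice's credentials because the RP checks both the presentation binding and each credential's subject.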