Bearer credentials with caveats for distributed authorization

I ran into an interesting authorization scheme recently called “Macaroons” (because, it seems, cookies are no longer good enough.)

It’s a bearer certificate scheme with very useful properties. You have the certificate, but a number of additional requirements can be attached, one by one. One can, for example, attach additional restrictions and pass it on to someone else. However, if the original restrictions included one that only this person can use the certificate, the resulting certificate would be useless; one can only add, but never remove, restrictions (“caveats”).

Playground:

The original paper from Google:

Rust implementation:

The video I saw from the guy who implemented it in Rust (currently unavailable for bandwidth reasons):
https://air.mozilla.org/rust-meetup-february-2017-02-09/

UPDATE I found a working copy of the above video:

The slides for the video:

8 Likes