Re: a few thoughts about zcaps from Manu Sporny on 2021-04-04 (public-credentials@w3.org from April 2021)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 4 Apr 2021 09:09:00 -0400
To: public-credentials@w3.org
Message-ID: <1823b2bb-a954-6de6-defb-20b3a7271ae2@digitalbazaar.com>

On 4/3/21 2:39 PM, Nikos Fotiou wrote:
> I was reading zcaps draft, as well as related work, mostly macaroons 
> (https://research.google/pubs/pub41892/).

Hi Nikos, attempts at responding to your concerns below...

> Something that I found confusing  about capability documents is that they 
> do not make clear the actions they concern. For example from this 
> https://w3c-ccg.github.io/zcap-ld/#example-1 it is not clear that this is a
> capability for "driving a car".

Yes, that document needs an overhaul and is a bit dated. It's good to get some
of the basics, but still needs to be made more accessible.

For example, I don't think much time is spent on expressing the caveats and
actions... or why one would pick a zcap over a VC... which you get to below.

> From this, it is clear not only the importance of caveats, but also how 
> challenging is to implement and evaluate them correctly, e.g., a caveat can
> only confine a capability you already have.

Yes, the specification needs to be updated and your feedback is very good
feedback.

We are still trying to figure out how to explain these things to people.
Capabilities-based systems are not a new concept; they're decades old at this
point. The challenge has always been in communicating why they're useful and
have a place in modern security systems.

The Encrypted Data Vault work uses zcaps, and it's there that we're trying
hard to explain to developers how to use it:

https://identity.foundation/confidential-storage/#introduction

The documentation is lacking around zcaps, but it's an active area of
development and we're trying very hard to communicate not only the core
technology, but some concrete design patterns around them.

All this to say that you make very good points and we're working on it... and
would love some help if you can spare the time. :)

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Sunday, 4 April 2021 13:09:17 UTC