- From: Alan Karp <alanhkarp@gmail.com>
- Date: Mon, 4 Jan 2021 15:34:09 -0800
- To: Orie Steele <orie@transmute.industries>
- Cc: David Chadwick <D.W.Chadwick@kent.ac.uk>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CANpA1Z16cRzVJOuh8iuGL4quagSK9L2_MQV8O0vjJvJv7e4Obg@mail.gmail.com>
Orie Steele <orie@transmute.industries> wrote:

> Digging my way out from the holidays...

Welcome back. I hope Santa was good to you.

> However, let me take this opportunity to pull out an example that "works
> today":
>
> {
>   "@context": "https://w3id.org/security/v2",
>   "id": "http://localhost:9876/edvs/z19wp9zi7tw4F8qKu74revXhY/documents/z19pgwFikcSTBjbRTbCBKBUB3/zcaps/z1A9djR82X4aCHXmAxDcR5JLL",
>   "invocationTarget": "http://localhost:9876/edvs/z19wp9zi7tw4F8qKu74revXhY/documents/z19pgwFikcSTBjbRTbCBKBUB3",
>   "invoker": "did:key:z6MksVScCyr9ygGpHv6g6NKhqXm8zJFiEZfhnMxagwkC8xNv#z6MksVScCyr9ygGpHv6g6NKhqXm8zJFiEZfhnMxagwkC8xNv",
>   "allowedAction": "read",
>   "parentCapability": "http://localhost:9876/edvs/z19wp9zi7tw4F8qKu74revXhY/zcaps/documents/z19pgwFikcSTBjbRTbCBKBUB3",
>   "proof": {
>     "type": "Ed25519Signature2018",
>     "created": "2021-01-04T00:58:29Z",
>     "capabilityChain": [
>       "http://localhost:9876/edvs/z19wp9zi7tw4F8qKu74revXhY/zcaps/documents/z19pgwFikcSTBjbRTbCBKBUB3"
>     ],
>     "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..Moq6U30hJcufrY36Lxy9b1tud9QFnuSsSzK1of0wNZwxqzgf-L9y0vJ0UtWzjgeVN2mHjWsvKCYsfnKctlPcDw",
>     "proofPurpose": "capabilityDelegation",
>     "verificationMethod": "did:key:z6MktCi29iAwUiVDaewSStHVW5qhBxZTGXBFXM9YD9RisbFn#z6MktCi29iAwUiVDaewSStHVW5qhBxZTGXBFXM9YD9RisbFn"
>   }
> }

I'm confused because all the domain names are the same. It looks like you have to send every delegation you create to some central place. I think it's important to make clear which locations must be the same and which can be different. For example, must the invocation target be at the same location as the parent capability? Also, the unguessable strings in your URLs are all the same. That didn't confuse me, but still ...

Is there a reason the proof isn't just a copy of the delegator's capability? Doing it that way enables delegation when there is less than full connectivity, or are the days when you have to worry about connectivity behind us?

--------------
Alan Karp
Received on Monday, 4 January 2021 23:34:33 UTC
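
An added example, not part of the original message and not code from any zcap library: a Python script that takes the capability quoted above, lists where each of its references resolves, and reports which `capabilityChain` links are carried by URL rather than as an embedded copy. The function names and the reading of a string chain entry as a by-reference link are assumptions of this example.

```python
from urllib.parse import urlsplit

EDV = "http://localhost:9876/edvs/z19wp9zi7tw4F8qKu74revXhY"
DOC = "z19pgwFikcSTBjbRTbCBKBUB3"
PARENT = f"{EDV}/zcaps/documents/{DOC}"

# The delegated zcap quoted in the message. Fields nothing below reads
# (allowedAction, type, created, jws) and the did:key fragments are left out.
ZCAP = {
    "id": f"{EDV}/documents/{DOC}/zcaps/z1A9djR82X4aCHXmAxDcR5JLL",
    "invocationTarget": f"{EDV}/documents/{DOC}",
    "invoker": "did:key:z6MksVScCyr9ygGpHv6g6NKhqXm8zJFiEZfhnMxagwkC8xNv",
    "parentCapability": PARENT,
    "proof": {
        "capabilityChain": [PARENT],
        "proofPurpose": "capabilityDelegation",
        "verificationMethod": "did:key:z6MktCi29iAwUiVDaewSStHVW5qhBxZTGXBFXM9YD9RisbFn",
    },
}


def resolver(ref):
    """Where a reference resolves: an HTTP origin, or a DID method such as did:key."""
    u = urlsplit(ref)
    if u.scheme in ("http", "https"):
        return f"{u.scheme}://{u.netloc}"
    return f"{u.scheme}:{u.path.split(':', 1)[0]}"


def locations(zcap):
    """Map every reference-valued field of the zcap to its resolver."""
    proof = zcap["proof"]
    refs = {k: zcap[k] for k in ("id", "invocationTarget", "invoker", "parentCapability")}
    refs["proof.verificationMethod"] = proof["verificationMethod"]
    for i, link in enumerate(proof["capabilityChain"]):
        if isinstance(link, str):  # an embedded copy would be an object, not a URL
            refs[f"proof.capabilityChain[{i}]"] = link
    return {name: resolver(ref) for name, ref in refs.items()}


def must_dereference(zcap):
    """Chain links carried only by URL: the verifier has to obtain each one
    (fetch or cache) before it can check the delegation proof."""
    return [c for c in zcap["proof"]["capabilityChain"] if isinstance(c, str)]


if __name__ == "__main__":
    print(locations(ZCAP), must_dereference(ZCAP), sep="\n")
```

For the quoted capability, every HTTP reference resolves to the same origin, the two did:key identifiers resolve without any network location, and the one chain link is a URL the verifier must obtain separately.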