- From: Bob Wyman <bob@wyman.us>
- Date: Sat, 4 Mar 2023 16:18:32 -0500
- To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CAA1s49VuNPay3EoM=PfZnxSxBJPOv-ZYS08JKsrB3BYWEx3KVw@mail.gmail.com>
After reading Authorization Capabilities for Linked Data v0.3 (ZCAP-LD) <https://w3c-ccg.github.io/zcap-spec/>, I am somewhat puzzled that it was necessary to create new language to describe "capabilities," given that the W3C already has the Open Digital Rights Language (ODRL) <https://www.w3.org/TR/odrl-model/> and, it seems to me, that the descriptions of "rights" and "capabilities" are both instances of the same problem, or at least that the two problems are very similar. So, I'm wondering: Was a profile of ODRL considered as an option for describing capabilities? If so, why was ODRL rejected?

Also, I'm a bit confused by the "who" vs. "what" distinction offered in the spec. (Note: I understand why capabilities are superior to ACLs.) My issue is with the meaning of "what," which seems to be better described as "why" (i.e. "by what authority"). I would have said that the "what" is that capability or right whose exercise might be permitted, by some "who," for some value of "why." What am I not understanding?

I think I could understand ZCAP-LD better if I understood how it would work in an application which requires the assignment to actors of permissions or capabilities based on the actors' claimed attributes, rather than based on their identifiers (i.e. sort of like an ACL, but different). Such requirements arise in a variety of applications which include dating apps, Fediverse instance-finders, employment candidate search systems, cloud-computing host selection, etc.

Can you give me some idea of how capabilities might be used in the simple system described below:

Bob and Alice use a dating service. Bob is a 69-year-old male and wishes to connect with, and be visible to, only females between the ages of 65 and 75. On the other hand, Alice is a 20-year-old female and wishes to connect with, and be visible to, only males between the ages of 19 and 25.
Only if Alice's attributes match Bob's constraints and Bob's attributes match Alice's constraints will Bob be able to exercise the capabilities of either reading Alice's profile or contacting her.

In practice, if Bob requests a list of those others with whom he is permitted to exercise the "read" or "contact" capabilities, the system would do a "cross-match." It would first search the database for all profiles whose attributes matched Bob's constraints. Then, it would filter out any search results whose constraints were not satisfied by Bob's attributes.

If their profiles were encoded as shown below, neither Bob nor Alice would be able to either read the other's profile or contact them since Bob is "too old" for Alice.

Note: For simplicity, constraints are represented as queries.

```json
{
  "name": "bob",
  "gender": "male",
  "age": "69",
  "capability": {
    "action": ["read", "contact"],
    "constraint": "gender == female AND (age >= 65 AND age <= 75)"
  },
  "profile": "..."
}

{
  "name": "alice",
  "gender": "female",
  "age": "20",
  "capability": {
    "action": ["read", "contact"],
    "constraint": "gender == male AND (age >= 19 AND age <= 25)"
  },
  "profile": "..."
}
```

Thanks in advance for any help you may be able to provide. Also, please forgive me if I've asked a stupid question.

bob wyman
Received on Saturday, 4 March 2023 21:18:58 UTC
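
The "cross-match" described in the message, as an added Python example that is not part of the original email and is not ZCAP-LD or ODRL code. It assumes constraints are stored as structured fields (gender plus an inclusive age range) with integer ages rather than query strings, that a profile's listed actions are the ones a matching counterpart may exercise on it, and it adds two constructed profiles (carol, dave) so the result is non-empty.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Constraint:
    gender: str
    min_age: int
    max_age: int

    def satisfied_by(self, attrs: dict) -> bool:
        age = attrs.get("age")
        # Default deny: a missing or non-integer attribute never satisfies a constraint.
        if isinstance(age, bool) or not isinstance(age, int):
            return False
        return attrs.get("gender") == self.gender and self.min_age <= age <= self.max_age

@dataclass
class Profile:
    name: str
    attrs: dict            # claimed attributes of this actor
    actions: frozenset     # actions a matching counterpart may exercise (assumption)
    constraint: Constraint # what this actor requires of a counterpart

def permitted(requester: Profile, target: Profile, action: str) -> bool:
    """True only if both sides' constraints hold and the target offers the action."""
    return (action in target.actions
            and requester.constraint.satisfied_by(target.attrs)
            and target.constraint.satisfied_by(requester.attrs))

def cross_match(requester: Profile, profiles: list, action: str) -> list:
    # Step 1: profiles whose attributes match the requester's constraint.
    candidates = [p for p in profiles
                  if p.name != requester.name and requester.constraint.satisfied_by(p.attrs)]
    # Step 2: drop candidates whose own constraint the requester does not satisfy.
    return [p.name for p in candidates
            if action in p.actions and p.constraint.satisfied_by(requester.attrs)]

ACTIONS = frozenset({"read", "contact"})
# bob and alice follow the message; carol and dave are constructed sample data.
BOB = Profile("bob", {"gender": "male", "age": 69}, ACTIONS, Constraint("female", 65, 75))
ALICE = Profile("alice", {"gender": "female", "age": 20}, ACTIONS, Constraint("male", 19, 25))
CAROL = Profile("carol", {"gender": "female", "age": 70}, ACTIONS, Constraint("male", 60, 80))
DAVE = Profile("dave", {"gender": "male", "age": 22}, ACTIONS, Constraint("female", 18, 30))
PROFILES = [BOB, ALICE, CAROL, DAVE]

if __name__ == "__main__":
    print("bob may read:", cross_match(BOB, PROFILES, "read"))
    print("alice may contact:", cross_match(ALICE, PROFILES, "contact"))
    print("bob -> alice read:", permitted(BOB, ALICE, "read"))
```

Because the check is evaluated in both directions on every request, a profile that fails either side's constraint is never listed and never readable, which is the behaviour the message describes for Bob and Alice.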