- From: Alan Karp <alanhkarp@gmail.com>
- Date: Sun, 5 Mar 2023 19:16:08 -0800
- To: Bob Wyman <bob@wyman.us>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CANpA1Z27XMsoASJbYHHQEMeCFoDmRn5POQ7VE9BEzUFCAg66zg@mail.gmail.com>
On Sun, Mar 5, 2023 at 6:37 PM Bob Wyman <bob@wyman.us> wrote:

>> A capability system would do this differently. Bob would present his
>> credentials, such as age and gender, and get back a capability authorizing
>> search with caveats limiting what he can find. The return values would
>> include a capability to read Alice's profile. Notice the difference? Any
>> authorization is done up front in order to get a capability. That
>> capability is then used to make a request.
>
> I think I now understand. Instead of including proofs with a request to
> "use Alice's 'read profile capability," Bob would provide his credentials
> as part of a request for a "read profile capability" for Alice's profile.
> Proofs are presented when requesting a capability, not when using one. Is
> that correct?
>

Correct.

> But, that leaves me confused about Manu's statement:
>
>> (READ, "https://docs.google.com/presentation/d/vYm4GDBZARndSKu-pMBC4RZTp5_WkAewggLo1623vnHd/edit",
>> did:key:z6MkqvajY2zUw866mQyY2LRwdPXKov1Q48Hw8RWxnKd1AeEt)
>> And whomever can do a digital signature as that did:key will learn the
>> secret of life.
>>
>> *That's a capability that requires cryptographic proof of some kind when
>> access to the document is requested. The requirement of a cryptographic
>> proof is called a "caveat"* -- that is, "You can
>> access X, as long as you meet requirements Y."
>
> Is this saying that the cryptographic proof is required when the
> capability is used, or that a new capability will be issued if the
> cryptographic proof is provided?
>

Manu was referring to a certificate capability system. The certificate is
created with a public key, did:key in this case. You must prove knowledge
of the corresponding private key to use the certificate as a capability.

--------------
Alan Karp
Received on Monday, 6 March 2023 03:16:33 UTC
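
The certificate capability described in the message above, sketched as an added example (not code from the thread or from any capability implementation): the issuer binds (action, resource, holder key) into a signed certificate up front, and each use requires a signature by the holder key over a verifier-chosen nonce. The type and function names, the newline-joined encoding, the fixed nonce and the example.test URL are assumptions made for illustration; Ed25519 is from Go's standard library.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Capability is a certificate capability: the issuer signs (action, resource, holder key).
type Capability struct {
	Action, Resource string
	Holder           ed25519.PublicKey // key the invoker must prove control of
	IssuerSig        []byte
}

// signed returns prefix plus the certificate body; newline-joining is a simplification.
func (c Capability) signed(prefix []byte) []byte {
	return append(append([]byte{}, prefix...), c.Action+"\n"+c.Resource+"\n"+string(c.Holder)...)
}

// Issue is the one place credentials (age, gender, ...) would be checked, up front.
func Issue(issuer ed25519.PrivateKey, action, resource string, holder ed25519.PublicKey) Capability {
	c := Capability{Action: action, Resource: resource, Holder: holder}
	c.IssuerSig = ed25519.Sign(issuer, c.signed(nil))
	return c
}

// Invoke proves possession of the holder key by signing the verifier's nonce and the certificate.
func Invoke(holder ed25519.PrivateKey, c Capability, nonce []byte) []byte {
	return ed25519.Sign(holder, c.signed(nonce))
}

// Authorize checks the certificate and the proof of possession; no credentials appear here.
func Authorize(issuerPub ed25519.PublicKey, c Capability, action, resource string, nonce, proof []byte) bool {
	return c.Action == action && c.Resource == resource && len(c.Holder) == ed25519.PublicKeySize &&
		ed25519.Verify(issuerPub, c.signed(nil), c.IssuerSig) && ed25519.Verify(c.Holder, c.signed(nonce), proof)
}

// Demo uses constructed keys, a placeholder URL and a fixed nonce (a verifier would pick a fresh one).
func Demo() (holderOK, otherKeyOK bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil)
	bobPub, bobPriv, _ := ed25519.GenerateKey(nil)
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	res, nonce := "https://example.test/alice/profile", []byte("constructed-nonce")
	c := Issue(issuerPriv, "READ", res, bobPub)
	holderOK = Authorize(issuerPub, c, "READ", res, nonce, Invoke(bobPriv, c, nonce))
	otherKeyOK = Authorize(issuerPub, c, "READ", res, nonce, Invoke(otherPriv, c, nonce))
	return
}

func main() { fmt.Println(Demo()) }
```

A party that copies the certificate but lacks the holder's private key fails the second signature check, which is what separates this from a bearer capability.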