On Sun, Mar 5, 2023 at 6:37 PM Bob Wyman <bob@wyman.us> wrote:

>> A capability system would do this differently. Bob would present his
>> credentials, such as age and gender, and get back a capability authorizing
>> search with caveats limiting what he can find. The return values would
>> include a capability to read Alice's profile. Notice the difference? Any
>> authorization is done up front in order to get a capability. That
>> capability is then used to make a request.
>
> I think I now understand. Instead of including proofs with a request to
> "use Alice's 'read profile capability," Bob would provide his credentials
> as part of a request for a "read profile capability" for Alice's profile.
> Proofs are presented when requesting a capability, not when using one. Is
> that correct?
>

Correct.

> But, that leaves me confused about Manu's statement:
>
>> (READ, "https://docs.google.com/presentation/d/vYm4GDBZARndSKu-pMBC4RZTp5_WkAewggLo1623vnHd/edit",
>> did:key:z6MkqvajY2zUw866mQyY2LRwdPXKov1Q48Hw8RWxnKd1AeEt)
>> And whomever can do a digital signature as that did:key will learn the
>> secret of life.
>>
>> *That's a capability that requires cryptographic proof of some kind when
>> access to the document is requested. The requirement of a cryptographic
>> proof is called a "caveat"* -- that is, "You can
>> access X, as long as you meet requirements Y."
>
>
> Is this saying that the cryptographic proof is required when the
> capability is used, or that a new capability will be issued if the
> cryptographic proof is provided?
>

Manu was referring to a certificate capability system. The certificate is created with a public key, did:key in this case. You must prove knowledge of the corresponding private key to use the certificate as a capability.

--------------
Alan Karp

Received on Monday, 6 March 2023 03:16:33 UTC
This archive was generated by hypermail 2.4.0 : Monday, 6 March 2023 03:16:34 UTC
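
The closing point of the reply, that a certificate capability names a public key and can only be used by proving knowledge of the matching private key, sketched as an added example (not code from the thread or from any capability library). The certificate layout, the verifier nonce, the example URL and the names `Issue`, `Invoke`, `Verify` and `Demo` are assumptions made for illustration; a raw Ed25519 public key stands in for the did:key.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Capability: issuer-signed (Action, Resource, Holder); Holder plays the did:key role.
type Capability struct {
	Action, Resource string
	Holder           ed25519.PublicKey
	IssuerSig        []byte
}

func (c Capability) body() []byte { return []byte(fmt.Sprintf("%q|%q|%x", c.Action, c.Resource, c.Holder)) }

// Issue creates the certificate; any credential checks happen before this call.
func Issue(issuer ed25519.PrivateKey, action, resource string, holder ed25519.PublicKey) Capability {
	c := Capability{Action: action, Resource: resource, Holder: holder}
	c.IssuerSig = ed25519.Sign(issuer, c.body())
	return c
}

// Invoke proves knowledge of the holder's private key over a verifier nonce.
func Invoke(holder ed25519.PrivateKey, c Capability, nonce []byte) []byte {
	return ed25519.Sign(holder, append(c.body(), nonce...))
}

// Verify checks the issuer's signature, then the holder's proof of possession.
func Verify(issuerPub ed25519.PublicKey, c Capability, nonce, proof []byte) bool {
	return len(c.Holder) == ed25519.PublicKeySize &&
		ed25519.Verify(issuerPub, c.body(), c.IssuerSig) &&
		ed25519.Verify(c.Holder, append(c.body(), nonce...), proof)
}

// Demo uses constructed keys, nonces and URL; returns holder, thief, replay results.
func Demo() (bool, bool, bool) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	bobPub, bobPriv, _ := ed25519.GenerateKey(nil)
	_, malloryPriv, _ := ed25519.GenerateKey(nil)
	c := Issue(issuerPriv, "READ", "https://example.com/doc", bobPub)
	n1, n2 := []byte("constructed-nonce-1"), []byte("constructed-nonce-2")
	proof := Invoke(bobPriv, c, n1)
	return Verify(issuerPub, c, n1, proof), // key holder: true
		Verify(issuerPub, c, n1, Invoke(malloryPriv, c, n1)), // copied certificate, wrong key: false
		Verify(issuerPub, c, n2, proof) // old proof, fresh nonce: false
}

func main() { fmt.Println(Demo()) }
```

Holding a copy of the certificate is not enough here: verification fails without the holder's key, and binding the proof to a fresh nonce keeps a captured proof from being reused.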