decentralized-identity / confidential-storage

Confidential Storage Specification and Implementation
https://identity.foundation/confidential-storage/
Apache License 2.0

PROPOSAL: Authorization Scopes MUST be expressed as ZCAPs encoded as GNAP Structured Scopes #134

Open OR13 opened 3 years ago

OR13 commented 3 years ago

Per our conversations in the WG, we are aware that GNAP supports JSON representations for scopes, and that the only requirement is that they contain a type attribute. We are also aware that zcap-ld makes use of JSON and can include a suitable type attribute.

This proposal is to adopt support for both for the data model associated with authorizations, as separate from the invocation / proof of possession mechanism.

We are currently considering HTTP Signatures as one such mechanism.

OR13 commented 3 years ago

@dlongley @msporny I would like to formalize the "root" / "default" capability that ends in a did document:

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    {
      "@base": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"
    }
  ],
  "id": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK",
  "verificationMethod": [
    {
      "id": "#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK",
      "type": "JsonWebKey2020",
      "controller": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK",
      "publicKeyJwk": {
        "crv": "Ed25519",
        "x": "PBxdXNPcGKPhXwSj6lLId97-9c1_dgYjDLC0sLCRLVI",
        "kty": "OKP"
      }
    },
    {
      "id": "#z6LSscWjDj3WhzBk23JXTYm4Vmh2kAZ69GKXDVhvzpUm4ghz",
      "type": "JsonWebKey2020",
      "controller": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK",
      "publicKeyJwk": {
        "kty": "OKP",
        "crv": "X25519",
        "x": "7MrJ0voGrqpEhvFDZZILphipoIrUA3D-2nc8gGLscB0"
      }
    }
  ],
  "authentication": [
    "#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"
  ],
  "assertionMethod": [
    "#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"
  ],
  "capabilityInvocation": [
    "#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"
  ],
  "capabilityDelegation": [
    "#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"
  ],
  "keyAgreement": [
    "#z6LSscWjDj3WhzBk23JXTYm4Vmh2kAZ69GKXDVhvzpUm4ghz"
  ]
}

Yields something like:

{
  "@context": "https://w3id.org/security/v2",
  "id": "https://example.com/edvs",
  "invocationTarget": "https://example.com/edvs",
  "controller": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK",
  "invoker": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK",
  "delegator": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"
}

I think we need to add type to this, so that it can be requested using GNAP, and also establish a convention for generating the id.

This first capability should IMO be invoked by folks who are trying to create a new vault.
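The following is an added example, not code from the issue or from the confidential-storage project. It takes the did:key document quoted above, derives the root capability from its capabilityInvocation / capabilityDelegation entries, adds the type attribute the proposal calls for so the object can appear as a GNAP structured scope, and shows the kind of check a vault server would run before honoring an invocation of that root capability. The type label "zcap", the id convention urn:zcap:root:<url-encoded target>, and the function names are assumptions made for the example; the issue fixes neither.

```python
import json
from urllib.parse import quote

# DID document copied from the issue above, embedded so the script runs offline.
DID_DOC = json.loads("""
{
  "@context": ["https://www.w3.org/ns/did/v1",
    {"@base": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"}],
  "id": "did:key:z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK",
  "capabilityInvocation": ["#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"],
  "capabilityDelegation": ["#z6MkiVubMsUd4FxeApa1yd8YEigVvE5dmr2KWgUaR6CP5kKK"],
  "keyAgreement": ["#z6LSscWjDj3WhzBk23JXTYm4Vmh2kAZ69GKXDVhvzpUm4ghz"]
}
""")

# Assumed type label for the GNAP structured scope; the issue only requires that a type exists.
ZCAP_TYPE = "zcap"


def absolute_ref(did_doc, ref):
    """Expand a relative '#fragment' verification-method reference against the DID document id."""
    return ref if ref.startswith("did:") else did_doc["id"] + ref


def root_capability(did_doc, invocation_target):
    """Build the root capability that 'ends in' the DID document for one invocation target."""
    invokers = [absolute_ref(did_doc, r) for r in did_doc.get("capabilityInvocation", [])]
    delegators = [absolute_ref(did_doc, r) for r in did_doc.get("capabilityDelegation", [])]
    if not invokers or not delegators:
        raise ValueError("DID document lists no capabilityInvocation/capabilityDelegation keys")
    return {
        "@context": "https://w3id.org/security/v2",
        # Assumed id convention: derived deterministically from the target so it needs no registry.
        "id": "urn:zcap:root:" + quote(invocation_target, safe=""),
        "type": ZCAP_TYPE,
        "invocationTarget": invocation_target,
        "controller": did_doc["id"],
        "invoker": invokers[0],
        "delegator": delegators[0],
    }


def gnap_access_item(cap):
    """Wrap the capability as one entry of a GNAP access request; type is the only required member."""
    if "type" not in cap:
        raise ValueError("GNAP structured scopes must carry a type attribute")
    return dict(cap)


def check_invocation(did_doc, cap, signing_key_id, requested_target):
    """Server-side checks before honoring an invocation; returns a list of reasons to refuse (empty = ok).

    signing_key_id is the verification method that produced the proof of possession
    (e.g. the keyId of an HTTP Signature); the proof itself is verified elsewhere.
    """
    reasons = []
    if cap.get("type") != ZCAP_TYPE:
        reasons.append("unexpected or missing type")
    if cap.get("controller") != did_doc["id"]:
        reasons.append("capability is not rooted in this DID document")
    allowed = {absolute_ref(did_doc, r) for r in did_doc.get("capabilityInvocation", [])}
    if signing_key_id not in allowed:
        reasons.append("signing key is not authorized for capabilityInvocation")
    if cap.get("invoker") != signing_key_id:
        reasons.append("signing key does not match the capability's invoker")
    root = cap.get("invocationTarget", "")
    if not (requested_target == root or requested_target.startswith(root.rstrip("/") + "/")):
        reasons.append("requested target is outside the capability's invocationTarget")
    return reasons


if __name__ == "__main__":
    cap = root_capability(DID_DOC, "https://example.com/edvs")
    print(json.dumps(gnap_access_item(cap), indent=2))
    # Constructed check: a keyAgreement key is not an invocation key, so this must be refused.
    print(check_invocation(DID_DOC, cap, absolute_ref(DID_DOC, "#z6LSscWjDj3WhzBk23JXTYm4Vmh2kAZ69GKXDVhvzpUm4ghz"),
                           "https://example.com/edvs"))
```

The last check is the one that matters for vault creation: a key listed only under keyAgreement (the X25519 key in the document) must not be accepted as an invoker, and a request for a target outside the root's invocationTarget must be refused even when the signature is valid.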