Closed expede closed 2 years ago
expede
commented
2 years ago cc @dholms FYI this is going to include removal of the DHT dependency, and replace it with a point-to-point (e.g. HTTP) protocol. If you have any thoughts on this direction, this is the time! π
expede
commented
2 years ago Added this line to the 0.9 roadmap:
Consider extending my: to all parenthood cases, even specific values (CC @matheus23)
https://github.com/ucan-wg/spec/issues/21#issuecomment-1091400629
ukstv
commented
2 years ago Hey, I might be missing something here, but as far as I understand, UCAN thing is not really a valid JWT, even in this form. You mention mandatory support of did:key. Apparently, it allows using some exotic signature suites like BLS, which can not be really supported in older JWT libraries, as it does not belong to JOSE algorithms (AFAIK!). Do you apply some constraints on the list of available algorithms, like using only ed25519 and RSA did:key, or is the whole backwards compatibility story a bit of a misnomer?
If my basic understanding is correct, then UCAN supports did methods that use JOSE algorithms exclusively. How can it be both compatible with existing JWT tooling and support advanced did methods?
expede
commented
2 years ago @ukstv Technically DID can support any signature scheme, yup! Today we support EdDSA, ECDSA, and RSA only, which are all in JWT. IIRC EdDSA is in a separate JOSE extension IETF spec, but is extremely widely supported in libraries (it's de facto supported).
We should absolutely be explicit about this in the spec. We also don't allow HMAC verification.
A library supporting more methods "off spec" is possible today (we've done proof of concepts with ION, for example), but can't expect that to be compatible with "any" other implementation. The spec if just here to be the line of "what is interoperable".
If there's a good case made, we're open to effectively forking JWT (at which point, we drop the weird multi-section formatting with .s and stuff, trim a few bytes from redundant fields, etc). Using JWT as-is has a few arguments:
expede
commented
2 years ago 
I flipped this to Ready for Review. I think that we're mainly on the same page about the scope of 0.9 from the conversation above, but please do mention anything that should or should not be in here. I think the most controversial things will be:
my: for introduction by parenthoodnb for extensible fieldsOpen to folks flagging typos or nitpicks. VERY open to approvals π
expede
commented
2 years ago left some suggestions to fix typos.
@hugomrdias Thank you for the copy editing πππ
expede
commented
2 years ago @olizilla π thank you very much for fixing the links. The spec likely needs to move to a specialized spec format instead of Markdown. I had trouble getting the W3C one running on my M1, but clearly it's time to just bite the bullet and get it working in a Docker container or something π
expede
commented
2 years ago @dholms if you have a few minutes I'd love a β or any comments!
expede
commented
2 years ago Okay, I'm going to wrap this up like... today. Just integrating the last bit of feedback from @Gozala & @hugomrdias from a call a few weeks back, and agonizing over:
ucan:as: out of the core specSUPER_USER is needed separately from * (and add more rationale to the spec if it is)expede
commented
2 years ago FYI @matheus23 βοΈ
expede
commented
2 years ago @hugomrdias when you get a second, could you give the latest version a skim and check if it hits the points that you had hoped from our call a few weeks ago? I think I covered it all in the call earlier today, and updated this PR's description. Just looking for a quick π / π
Gozala
commented
2 years ago Okay, I'm going to wrap this up like... today. Just integrating the last bit of feedback from @Gozala & @hugomrdias from a call a few weeks back, and agonizing over:
Whether or not to rip ucan:as: out of the core spec If SUPER_USER is needed separately from * (and add more rationale to the spec if it is)
@expede thanks for incorporating all the improvements, new spec is shaping up to be really nice IMO.
I did notice few things with current draft:
with: my:*, can:* is gone now and no equivalent in my: {} had been specified. If I recall correctly plan was to represent it as my: { with: ucan:*, can: * }can: ucan/delegate is still confusing and spec fails to specify why not can: *. If they need to be different I think spec should at least describe how two compare when used with: ucan:β¦ For what itβs worth we pretty much settled on using own did:key:β¦ for ambient authority as itβs credibly verifiable & requires no checks.
I honestly think it is much better model as things can be verified without db lookups. Other things can also map e.g did:key:zAlice:email etc⦠This also removes need for :as: because you can just use with: did:key:zAlice:* can: * to redelegate all that had been delegated to you by Alice
expede
commented
2 years ago @Gozala thanks for the feedback! π
with: my:, can: is gone now and no equivalent in my: {} had been specified. If I recall correctly plan was to represent it as my: { with: ucan:, can: }
Yeah π― agreed βΒ I noticed this late Friday π I've been playing with a few ideas for it since we need it in the AWAKE spec as well. I hope to have something concrete today. Current thinking is something like this:
We have two orthogonal factors: selection by scheme (ucan:*:<scheme> or similar), and selection by owner (ucan:as:<did>:<resource> or similar). These need to get combined in some cases, for example to say "all DNS records owned by Alice". In AWAKE we currently added a as: field (similar to the my: field), but I think for ownership it's probably cleaner as a URI. I'll have a proposal shortly.
I still think can: ucan/delegate is still confusing and spec fails to specify why not can: *. If they need to be different I think spec should at least describe how two compare when used with: ucan:β¦
Fair! I'll expand the reasoning in the spec.
For what itβs worth we pretty much settled on using own did:key:β¦ for ambient authority as itβs credibly verifiable & requires no checks.
This is exactly the solution space from the above ucan:as comment. We definitely need something for this use case. I think that what you're describing is what as: does βΒ we may be talking past each other on what these do.
On did:key:zAlice:* βΒ I don't think that we can use the did: scheme directly, and will likely need a prefix like ucan:as:<did>, because of how the existing did URI scheme works (i.e. you cannot write did:key:zAlice:* with DID v1.0, and may conflict with other DID subschemes). You won't have enough enough flexibility beyond "everything", or clarity of "resources for this DID" versus "control of the DID document itself". Prefixing this with ucan:as: or similar gives us full control over the semantics of the subschemes.
For what itβs worth we pretty much settled on using own did:key:β¦ for ambient authority as itβs credibly verifiable & requires no checks.
Can you expand on this? Based on my reading of this, you would still need to check which resources are ambiently owned by Alice, unless that resource was self-authorizing (e.g. the data lists Alice as its owner directly on it). You'll need to find the resource outside of the UCAN at some stage. Do you perhaps mean prefixing the owner of every resource, and treating it as a null pointer if that doesn't resolve to a resource owned by them in the real world? (Which sounds equivalent, but I could totally be missing something)
Gozala
commented
2 years ago @expede I have evaluated changes required to switch from "my:*" schema to "my" field in our implementation and I'm afraid I'm arriving to conclusion that this idea may have been a bad one. I feel bad for pushing for it without evaluating it first, but maybe it is not too late to reconsider ? Here are some of my the unstructured thoughts about it:
canIssue(capability, issuer): boolean hook to make that configurable.canIssue(cap, iss) => cap.with === iss, implying that only owner of the did can issue capabilities for that did.my:* as one that actor can issue, instead it has my(iss): cap[] hook which is used to expand my:* forms and then select matches from it.my:wnfs://....
my: schemaexpede
commented
2 years ago @Gozala
but maybe it is not too late to reconsider ?
I've been waiting for your review exactly for this reason π
I think signaling whether capability is owned by iss or not should be left out of spec that way ucanto can use it's did matching logic while other implementations may embrace my: schema
I'd love to dig into this more, because I'm having a hard time piecing together how the validation and rooted authority would work in this version. A sync call may be the fastest way to iterate on some ideas, but let me know! I'll ping you on Discord.
expede
commented
2 years ago @Gozala several your comments seems to be on old code βΒ not sure what's happening there. For example:
35
Change Log πͺπͺ΅
Added π₯
[ ] Revocation specStaying the same, see comment: https://github.com/ucan-wg/spec/pull/55#discussion_r844809873my:...URI with"my"parenthood fieldCARv2Agnostic collectionsRemoved π€
"with": "dns:*")Move Out of Core Spec πͺ
[x] Consider extendingmy:to all parenthood cases, even specific values (CC @matheus23)"with": "ucan:uri:dns")Resolves π οΈ