-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What does delegation with empty attenuations imply ? #129
Comments
I have end up abusing this here https://github.com/web3-storage/specs/pull/7/files although perhaps something a bit more explicit would be a better option |
@Gozala we need this for cases like AWAKE, where you prove that you have access to some capabilities without delegating them while still authenticating that it's not a replay |
From your WIP spec:
If I'm reading it correctly, you actually need it to delegate all of its authority to the key service, and in the example it delegates none. I think you'd need to do something like your second example:
I not sure that you can use the certificate chain directly like this to rotate keys if you want to actually disallow the previous key. A malicious agent with a stolen key could just not include the rotation in their chain, and keep using the old key. Revocation is fundamentally stateful, which is why systems most DID systems like ION and Ceramic use "anchoring" in external systems to form the source of truth for rotation. @matheus23 came up with something similar recently for WNFS, which I'll adapt here to your DID management system.
Here, the action only allowed is to rotate the key to another specific key. This doesn't have to go to web3.storage per se, but can also be gossiped around directly. Anchoring in this model does require checking if known delegations using a previous key were valid at that time. Since Alice above knows the certificates that she delegated, and can register a sorted Merkle tree of those. This is public, signed information that does not have to live in a single location (w.g. can be distributed on a DHT). This does push the active key check outside of the certificate chain, but I'm fairly certain from looking at previous attempts with chained certificate that this is unavoidable. |
Going to move this to your PR :) |
I probably need to clarify this if it was not clear in the writup. During rotation service can decide whether to revoke capabilities granted to an old key or not. If rotation was due to compromise it can issue regular UCAN revocation so validation with old embedded chain will fail because delegation there would be revoked. However in most cases rotation will be just a custom and no revocation would be desired, in that case service will rotate key without revoking the previous one. This way delegations with old key would still continue to work until one of them is revoked. Does this make sense ? |
@Gozala that totally makes sense! If I have the old key around, can I continue to use it to generate new UCANs? (i.e. strictly "inflationary" key membership) |
Back to the original question
Seems like it has a specific meaning, might be worth including it in the spec. |
Good feedback — can do! Aside, but while we're thinking about the 1.0, if the other way around makes more sense, we could discuss flipping the delegation semantics. (I don't think that we need to, just signalling that it has come up before) Right now UCAN requires explicit "reexporting" of capabilities, which makes the intention extremely clear at the top-level. It also makes doing multiple resource/ability pairs straightforward. The "other" way is to add caveats at each level, so you only include updates. Typically this makes it less clear how to union capabilities together (e.g. you're usually taking the intersection, so need special constructs for unions). You typically end up passing around separate credentials per resource/ability pair. |
Closing this. Answer here is clear to the question, what I was looking for instead is covered in #131 |
Following delegation is valid according to the specification
Intuitively one would think it is meaningless, nothing was delegated from one agent to the other. However it seems like a waste to not use this short form for something more useful perhaps delegation of all current and future capabilities it may poses. Seem very useful for delegating all capabilities from stable to the one under rotation
The text was updated successfully, but these errors were encountered: