Authorization Capabilities for Linked Data (ZCAP-LD
for
short) provides a
secure way for linked data systems to grant and express authority
utilizing the
object capability model.
Capabilities are represented as linked data objects which are signed
with
Linked Data Proofs.
ZCAP-LD supports delegating authority to other entities
on the network by chaining together capability documents.
"Caveats" may be attached to capability documents which may be used to
restrict the scope of their use, for example to restrict the actions
which may be used or providing a mechanism by which the capability may
be later revoked.
This specification is currently being drafted to be considered as a work item for the Community Credentials Group.
This document is being based off of a paper from Rebooting Web of Trust. In the early stages of this document some ideas may be better described in that paper than yet in this specification.
This document does not cover a specific method for delivering ZCAP-LD invocations to an object, though something like the inbox property and associated delivery mechanisms from Linked Data Notifications and ActivityPub is one possible system. However there is nothing about ZCAP-LD that is specific to HTTP; for example, both capabilities and invocations could be stored on a blockchain or a distributed hash table.
One of the first questions that is usually asked about using Object Capabilities for authorization is: "How are Capabilities different from Access Control Lists?". Fundamentally, Access Control Lists are about authority by identity whereas Object Capabilities are about authority by possession.
Authority by identity is the process of giving access to a resource to a specific entity based on their identity. These processes typically ask the question: "Who are you?"
Authority by possession is the process of giving access to a resource to any entity that possesses something, like a key. These processes typically ask the question: "Do you have a key that fits this lock?"
This document doesn't explain why Access Control Lists lead to a variety of security issues or why Object Capabilities provide stronger security guarantees. For those that would like to learn more about these topics, Capability Myths Demolished and ACLs Don't provide a deeper exploration into the benefits of Object Capabilities.
Much of modern computing security infrastructure relies on "who is doing something" using access control lists. For example, our friend Alyssa P. Hacker has a car, and she would like to drive it In the access control list world, the car itself may scan Alyssa's face, determine that Alyssa is the driver, and say "Welcome Alyssa, you are now free to drive." Talking cars are appealing and fun, but Alyssa may run into challenges when she would like to allow others to drive her car.
Fortunately, there is another paradigm that is even more familiar to the car scenario, but less familiar in the context of computing, despite providing some superior properties and a greater degree of safety: object capabilities. Object capabilities focus not on "who" is performing an action, but upon "what" source of authority permits an action to occur. As it turns out, Alyssa does not have a talking and face-scanning car, she has a car that accepts a car key. The car may have no memory of Alyssa whatsoever, but as long as Alyssa holds the kind of key that enables her to drive the car, she can drive the car. Capabilities are very similar to this car metaphor, and we can encode this same idea in ZCAP-LD. The following document delegates authority from the car (who always has authority over itself) to Alyssa so that she may drive:
{ "@context": ["https://w3id.org/security/v2", "https://autopower.example/"], "id": "https://whatacar.example/a-fancy-car/proc/7a397d7b", // Since this is the first delegated capability, the parentCapability // points to the target this capability will operate against // (in this case, Alyssa's Car) "parentCapability": "https://whatacar.example/a-fancy-car", // We are granting authority specifically to one of Alyssa's // cryptographic keys (not to be confused with the car // key metaphor!) "invoker": "https://social.example/alyssa#key-for-car", // Finally we sign this object with cryptographic material from // Alyssa's Car's capabilityDelegation field, and using the // capabilityDelegation proofPurpose. "proof": { "type": "Ed25519Signature2018", "created": "2018-02-13T21:26:08Z", "capabilityChain": [ "https://whatacar.example/a-fancy-car" ], "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..lfAFjrWE-4RxhL0gtzSMRX72NR9SRDgaMmkjPA4if0ERbw4R2bnts5sAs8OyhAlbFzBAKOqrFk57AYqwSR2vCw", "proofPurpose": "capabilityDelegation", "verificationMethod": "https://example.com/i/alice/keys/1" } }
Turning on this car and driving into the sunset is as easy as invoking the capability to do so:
{"@context": ["https://example.org/zcap/v1", "https://autopower.example/"], "id": "urn:uuid:ad86cb2c-e9db-434a-beae-71b82120a8a4", "action": "Drive", "proof": { "type": "RsaSignature2016", // A linked data document can be an invocation if it has a // proofPurpose of capabilityInvocation and links to the capability // chain it is invoking "proofPurpose": "capabilityInvocation", "capability": "https://whatacar.example/a-fancy-car/proc/7a397d7b", "created": "2016-02-08T17:13:48Z", "creator": "https://social.example/alyssa/#key-for-car", "signatureValue": "..."}}
Alyssa lives with her roommate and long-time friend Ben Bitdiddle. While they're living together, she'd like that he be able to drive her car too. Capabilities support delegation, so she could delegate a new capability to Ben giving him full authority, not unlike going to the hardware store and having them copy the car key. But Alyssa knows that she and Ben will probably not be roommates forever, and she feels no need for him to be able to drive her car once they are not, so she would like to have the option to revoke his authority. In the world of object capabilities, this is entirely possible by adding a "caveat" that permits future revocation. We can imagine this to be like a new car key that has a remote destruction mechanism: Alyssa can press a button that she has, a wire burns out inside the car key, and the car key will not be usable anymore. Alyssa generates a new capability document that points at the capability she has, adding the caveat:
{"@context": ["https://example.org/zcap/v1", "https://autopower.example/"], "id": "https://social.example/alyssa/caps#79795d78", // Pointing up the chain at the capability from which Alyssa was // initially gained authority "parentCapability": "https://whatacar.example/a-fancy-car/proc/7a397d7b", // Alyssa grants authority specifically to one of Ben's // cryptographic keys "invoker": "https://chatty.example/ben/#key-33", // Alyssa adds a caveat: Ben can drive her car, unless she flips // the bit at this url "caveat": [ {"type": "ValidWhileTrue", "uri": "https://social.example/alyssa/ben-can-still-drive"}], // Finally Alyssa signs this object with the key she was granted // authority with "proof": { "type": "RsaSignature2016", "proofPurpose": "capabilityDelegation", "created": "2017-03-28T06:01:25Z", "creator": "https://social.example/alyssa/#key-for-car", "signatureValue": "..."}}
Alyssa hands the car key to Ben, and Ben marks the car key in such a way that reminds him that it's specifically to drive Alyssa's car. Several months pass and Ben receives a message from Alyssa asking if he might enjoy joining her at an award ceremony her university is holding. Alyssa is already at the university and is getting a ride to the venue, so she suggests Ben drive her car and meet her there. Ben invokes his capability, the car performs all relevant checks on the capability (including that the proof/signature is valid and applicable, and that the caveat is still valid), and off Ben drives.
Ben arrives at the fancy award venue, where there is valet parking. The Valet approaches wearing the nametag "Lem E. Driveit" and asks for a key to park the car. Ben remembers he has heard some stories about valets going on joyrides and isn't sure if they're true, but decides there's no need to take the risk: he can use his capability to create a new, further restricted capability which he can delegate to Lem. This new car key has the caveat that it can be used to drive up to 5 kilometers, but no more:
{"@context": ["https://example.org/zcap/v1", "https://autopower.example/"], "id": "https://chatty.example/ben/caps#2cdea8c1", "parentCapability": "https://social.example/alyssa/caps#79795d78", "invoker": "https://lem.example/#key-bf36", // Ben adds this caveat: this capability can be used to drive the // car, but not for more than 5 kilometers "caveat": [ {"type": "DriveNoMoreThan", // Alyssa's gauge currently says 123854 kilometers driven, // so this is only 5 km more than the current value "kilometers": 123859}], // Finally Ben signs this object with the key he was granted // authority with "proof": { "type": "RsaSignature2016", "proofPurpose": "capabilityDelegation", "created": "2017-06-13T19:15:03Z", "creator": "https://chatty.example/ben/#key-33", "signatureValue": "..."}}
(It probably doesn't matter to this scenario, but since it is derived from the car key that Ben holds, it also has the same caveat that it will also be remote destructed by Alyssa along with Ben's car key should she press the relevant button.)
We can see from the above example that using an object capability system such as ZCAP-LD can give us some additional power around delegating and restricting the scope of capabilities. But object capabilities provide improved safety characteristics over Access Control Lists which may make them frequently better choices (for more details, see the paper ACLs Don't). Object capability systems are in general more robust against:
Object capabilities are less vulnerable to these kinds of attacks because capabilities are an encoding of "the principle of least authority" in software development practice. ZCAP-LD helps bring the power of capabilities to the web, providing specific and directed grants of authority.
A root zcap looks like this:
{ "@context": [ "https://w3id.org/zcap/v1" ], "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Ffoo", "controller": "did:key:example", "invocationTarget": "https://example.com/foo" }
A root zcap MUST have an `@context` field that is a string with the value `https://w3id.org/zcap/v1`. This field makes zcaps JSON-LD compatible, but does not mean that any other JSON-LDisms are permitted. In other words, zcaps are JSON-based, and the JSON has been chosen carefully such that it can be interpreted properly as JSON-LD as well. Other JSON-LD representations that deviate from the JSON expression of a zcap are not permitted.
By enabling JSON-LD compatibility, DI proofs (Data Integrity Proofs, formerly known as Linked Data proofs) are used instead of JOSE-based signatures. This helps keep zcap sizes small by eliminating the need to encapsulate zcaps via base64 encoding. This is particularly important for expressing capability chains [TODO: link to capability chains], where ancestor zcaps would be base64-encoded N+1 times where N is the length or position in the chain. If neither of these approaches were used, a novel signature encapsulation mechanism would have to be invented to get the same benefits; instead, reuse of existing work is preferred.
Additionally, JSON-LD compatibility enables CBOR-LD to be used to express zcaps — further reducing size via semantic compression. [Note: [See invoking a root zcap section]. When invoking a root zcap, a capability invocation proof is added, not to the root zcap itself, but rather to another document that is acceptable to an API. This means that no additional contexts (especially cryptosuite contexts) ever need to be added to a root zcap. Further work on the Data Integrity 1.0 spec could alleviate the need for additional cryptosuite contexts entirely.]
A root zcap MUST have an `id` that is a string that expresses a URN. This ID can always be dereferenced by the verifier system if it is a valid root zcap for a particular endpoint. The ID of a root zcap SHOULD [Note: this should become a MUST if it covers all use cases, to keep things simple] have the following format:
urn:zcap:root:${encodeURIComponent(invocationTarget)}
This format makes it clear that the identifier is for the root zcap for the root invocation target, `invocationTarget`.
A root zcap MUST have an `invocationTarget` that is a string that expresses a URI. The invocation target identifies where the zcap may be invoked, and identifies the target object for which the root zcap expresses authority.
A root zcap MUST have a `controller` that is a string or an array of strings that each express a URI that identifies a controller for the root zcap. The controller (or controllers) may take any actions with the invocation target (that are supported by the verifier) by invoking the root zcap. The controller (or controllers) may create delegated zcaps from the root zcap [TODO: link to delegated zcap section].
Note: A root zcap MUST NOT have any other fields.
A root zcap can be invoked by referencing only its ID because the verifier can (and MUST) always dereference the zcap locally using a trusted dereferencing mechanism. This is because a root zcap does not have a capability delegation proof; it is the root of trust for a capability chain [TODO: link to capability chains].
There can be multiple ways to invoke a root zcap; these include 1) by using an HTTP signature in an HTTP request, and 2) by attaching an LD capability invocation proof to a document. The verifier will decide which of these methods is acceptable and what other information must be signed (in the case of an HTTP signature) or what documents may be submitted with attached capability invocation proof(s).
When invoking a root zcap using an HTTP signature, a capability-invocation header must be included that identifies the root zcap by ID (via an `id` parameter) and the capability action that is being invoked (via an `action` parameter). The request URL identifies the intended invocation target, which must either match the invocation target in the root zcap, or, if the verifier allows it, have the root zcap's invocation target as a prefix. The capability action must be an action that is expected (supported) by the verifier at the request URL. The capability action SHOULD be read or write. The key used to create the HTTP signature must be either 1) the private key paired with a verification method that matches the controller of the root zcap or 2) a verification method that is controlled by the controller of the root zcap — and authorized for the purpose of `capabilityInvocation`.
When invoking using a DI proof, a capability invocation proof must be attached to a document that is acceptable by the API, as defined by the specific API being accessed. The capability invocation proof MUST include the intended `invocationTarget`, the root zcap ID in the `capability` property, and the action to be taken in the `capabilityAction` property. The same controller rules apply as in the HTTP signature case.
It is expected that only verification systems will dereference root
zcaps from their IDs. One model for new HTTP APIs is to store a
controller value with every resource at the base of a hierarchy,
for instance, store controller `X` for the collection
`https://foo.example/collections/123`. When the root zcap for this
collection is invoked or referenced via a delegated zcap invocation,
the verifier can look up the `controller` property (or receive it from
another system in some kind of decentralized setup) for that
resource and include it in a "dynamically dereferenced" root zcap.
In other words, the verifier sees the root zcap ID
`urn:zcap:root:
{ "@context": [ "https://w3id.org/zcap/v1" ], "id": "urn:zcap:root:https%3A%2F%2Ffoo.example%2Fcollections%2F123", // populated via a database or external system call "controller": "did:key:example", "invocationTarget": "https://foo.example/collections/123" }
A delegated zcap looks like this:
{ "@context": [ "https://w3id.org/zcap/v1", "https://w3id.org/security/suites/ed25519-2020/v1" ], "id": "urn:uuid:cdc77118-6bfa-11ec-aceb-10bf48838a41", "parentCapability": "urn:zcap:root:https%3A%2F%2Fexample.com%2Ffoo", "controller": "did:key:example", "invocationTarget": "https://example.com/foo", "expires": "2021-11-03T18:33:51Z", "allowedAction": [ "write", "read" ], "proof": { "type": "Ed25519Signature2020", "created": "2021-10-27T18:33:51Z", "verificationMethod": "did:key:z6MkfWKcvBiKCfNgz5UUGseNt37t4dguEvFgJ9XvX2UV6zB9#z6MkfWKcvBiKCfNgz5UUGseNt37t4dguEvFgJ9XvX2UV6zB9", "proofPurpose": "capabilityDelegation", "capabilityChain": [ "urn:zcap:root:https%3A%2F%2Fexample.com%2Ffoo" ], "proofValue": "z3t9BCQyF21MDVYmLKc9zbLreqx4wBtQnUsd5aqyoWS5FfhapRz7QjPNLcgKAornUVmJR4ZjbGpuxRFnffxX1ZjtF" } }
A delegated zcap is different from a root zcap primarily in that it has a `parentCapability`, an expiration date-time, and a capability delegation proof (found in proof). It is also different from a root zcap in that all delegated zcaps in a chain [link to capability chains] must be fully provided to the verifier when invoking a delegated zcap, so that the verifier is not required to dereference them other than via the provided chain. Note: A verifier may still need to query a database for delegated zcaps to perform revocation checks by ID. However, a verifier MUST NOT be required to perform network requests or database queries to dereference delegated zcaps by ID when verifying the capability chain [link to capability chains], prior to inspecting it for potential revocations.
A delegated zcap MUST have an `@context` field with an array where the first value is the zcapld context and any subsequent values identify context(s) used to define vocabulary terms used in the capability delegation proof. [Note: Maximum array size should be defined in the spec along with rationale].
A delegated zcap MUST have an `id` that is a string that expresses a URI. The id SHOULD have the format:
urn:uuid:
Using this format enables CBOR-LD to perform compression on the ID value, and reduces correlation risk by making the ID semantically opaque.
A delegated zcap MUST have a `parentCapability` that is a string that expresses the ID of the parent zcap. The parent zcap may be another delegated zcap or the root zcap. A verifier MUST ensure that a delegated zcap was created by a controller of its parent capability by checking its capability delegation proof.
A delegated zcap can only be invoked by submitting the entire zcap. A delegated zcap MUST have a capability delegation proof which MUST contain the delegation chain.
[target for link to capability chains]
A capability delegation chain MUST be an array that includes the root zcap using its ID (i.e., by reference only, not embedded) and every other delegated zcap in its ancestry must be referenced by ID except for the parent delegated zcap, which MUST be fully embedded. This ensures that delegated zcaps are of minimal size (other delegated zcaps in the chain are never repeated) and that every delegated zcap can be dereferenced directly from the chain without ever having to hit a network resource or similar. The capability delegation chain is ordered; the first entry MUST be the root zcap's ID and any other entries must be in the order of delegation from least recent to most recent.
A verifier MUST limit the length of the capability chain to prevent long chain attacks. A verifier SHOULD limit the length of the capability chain to 10. [exposition on why 10 / link to security section].
A root zcap MUST have an `invocationTarget` that is a string that expresses a URI. The invocation target identifies where the zcap may be invoked. A verifier MUST ensure that the `invocationTarget` either matches the `invocationTarget` in the parent capability or, if invocation target attenuation [link] is permitted, that it has the `invocationTarget` from the parent capability as a prefix. A prefix is defined as a base URI and parent path (and optional query) (i.e., `/`-delimited and `?`/`&`-delimited) [more rigorous definition].
A delegated zcap MUST have a `controller` that is a string or an array of strings that each express a URI that identifies a controller for the delegated zcap. The controller (or controllers) may take any allowed actions [link] with the invocation target (that are supported by the verifier) by invoking the delegated zcap. The controller (or controllers) may create delegated zcaps from the delegated zcap. Note: As with other data model sections in W3C specs, every property of a zcap should be called out in its own subsection along with the rules for the property.
A delegated zcap MUST have an `expires` field that expresses an XSD date-time Note: The JavaScript `new Date().toISOString()` code can produce such a date representation, though it is preferred to remove millisecond precision via `new Date().toISOString().slice(0, -5) + 'Z'`.
A verifier MUST ensure that an invoked delegated zcap has not expired. A verifier MUST ensure that a delegated zcap's expiration date-time is not less restrictive than its parent capability's expiration date-time, if present. Note: a root zcap does not have an expiration date-time.
A verifier SHOULD ensure that an invoked delegated zcap does not have an expiration date-time that is more than three months in the future. [TODO: exposition on why 3 months?] This is because a verifier MUST store revoked zcaps [link to revocation] until they expire, to prevent their use. A delegated zcap with an expiration date that is unreasonably far into the future will have to be stored for an unreasonable period of time to prevent its invocation. There are other mitigation strategies here, such as considering all zcaps delegated from a particular controller as revoked, or full key revocation.
Delegated zcaps MUST have expiration date-times to support good security hygiene practices and because zcaps support decentralized delegation. In order to revoke a zcap, it must be submitted to the verifier's revocation endpoint for the associated invocation target. If a delegated zcap has been lost or misplaced, it MUST eventually expire to avoid undesirable access.
A delegated zcap MAY have an `allowedAction` field that is a string or an array of strings that each express an action that the controller of the zcap may take when invoking the capability. A verifier MUST ensure that the `allowedAction` field in a delegated zcap is not less restrictive than the parent's capability, if present.
A delegated zcap MUST have a `proof` field that is an object or an array of objects that each express a DI proof. At least one of these proofs MUST be a zcap capability delegation proof. [TODO: more details on this proof]
A capability delegator (one who creates a delegated zcap) may attenuate authority by setting a more restrictive expiration date-time, a more restrictive invocation target (via URL path- or query-based attenuation), or a greater limit on the allowed actions. Taken together, the API that a verifier manages access is expected to have the flexibility required to model all desired authorization models.
Note: The `@context` / vocab-based caveats have been removed and replaced with:
A verifier will accept delegations (and invocations) where a suffix has been added to the parent zcap's invocation target (invoked zcap's invocation target). The suffix MUST start with `/` or `?` if the invocation target prefix has no `?`, and with `&` otherwise. This allows for fully customizable attenuations via HTTP API path and query parameters. For example, a ZCAP that can be invoked at `https://foo.example/bars/123` can be delegated with an attenuation such that the delegated ZCAP has an invocation target of `https://foo.example/bars/123/bazzes/456`. This could be further delegated and attenuated with a ZCAP with an invocation target of `https://foo.example/bars/123/bazzes/456?day=tuesday` and then again with `https://foo.example/bars/123/bazzes/456?day=tuesday&hour=12`.
Just like with root zcaps, there can be multiple ways to invoke a delegated zcap; two are the same as with root zcaps and are defined with the differences described below:
When invoking a delegated zcap using an HTTP signature, a capability-invocation header must be included that includes the full delegated zcap in a `capability` parameter by serializing it to JSON, gzipping the result, and then base64url-encoding the gzipped JSON.
When invoking using a DI proof, the `capability` property must express the full delegated zcap.
TODO: Add section on revocation, detailing what verifiers MUST/SHOULD
do to provide revocation endpoints for zcaps. A root invocation
target SHOULD have a `/zcaps/revocations` subpath, where a root zcap of
`urn:zcap:root:
TODO: Detail algorithm for validation process: https://github.com/digitalbazaar/zcapld/blob/4386185f784f552d6eaeb2c3c82959cb2e09762e/lib/CapabilityProofPurpose.js#L85
TODO: Detail how revocation works: Any controller in the chain of a
delegated zcap may post that zcap to:
`
proofPurpose
to indicate
that this proof is intended to grant authority to the invoker
entities on the capability.
ZCAP-LD capabilities are encoded through a chain of linked data
documents, granting authority to a target, possibly restricted through
"caveats".
Authority starts with the target (which always has authority to invoke
itself) and extends to further invoker
entities along
the chain.
Each capability document granting authority must be signed off with a
proof by an entity which has previously been granted authority on the
chain.
Any caveat applied by a parent in the chain applies to its descendants.
The target's json-ld document is a kind of "special" capability document implicitly granting authority to itself. But why? Surely in most protocols, such as when objects are sending invocations over HTTP POST requests, any target that wants to self-modify could do so internally without an explicit invocation process. But in some systems such as blockchains, there is no "internal" state, so explicitly doing an invocation to change behavior is still useful.
Another reason is that it simplifies the invocation algorithm: as we delegate authority to the first non-target entity, we do so using the target's cryptographic authority. If this authority can be used to grant capabilities, it may as well be able to be used to invoke them as well.
Every capability document, except for the target, MUST have:
id
parentCapability
, which links to the target if this is
the first delegated capability on the chain, or otherwise links to
another capability document
proof
field, which MUST sign the document with
Linked Data Proofs
by cryptographic material which has already been granted authority
on the chain (either being cryptographic material from the
capabilityDelegation
property of the target, or from
an invoker
previously granted authority on the chain.
Every capability document, except for the target, MAY have:
invoker
, which links to one or more instances of
cryptographic material (such as public keys) being granted authority
to use this capability
Why don't all child capabilities require a invoker property? The reason is that it is perfectly reasonable for an entity which has authority to a capability to give an attenuated capability to itself to be used in a specific context.
Capabilities are not structured around "who has access" to something but rather holding onto a capability for a particular use, and in order to avoid confused deputy and ambient authority problems, in general objects should not hold on to a "bucket" of capabilities which grant them authority, but hold on to them within specific contexts for specific purposes. In general, when an object is granted a capability, it is important that it know for what specific purpose it has been granted that capability so that it does not become confused and use it in the wrong scenario. This is not unlike how in computer programs a procedure called with specific arguments understands for what the meaning of those arguments are and for what they may be used.
A capability document that is not the target MUST also have a
parentCapability
property which either points at the
target or another capability document.
A series of capability chained together in this way is called a
"capability chain" and is how delegation of capabilities are
handled in ZCAP-LD.
New keys MAY be granted authority to use this capability through
the associated invoker
property.
Every capability document MAY add restrictions on the way the
capability may be used by adding to the caveat
property.
Capabilities inherit the restrictions from all caveat
properties of their parents, and MAY add new caveats in addition to
those of their parents.
The meaning of caveats are determined by their type
and whatever other properties they have.
Due to the way they are interpreted at invocation type by the target,
some mutual understanding of terminology must be understood between
the entity adding a caveat and the target evaluating (or any other
parties observing) the invocation.
A capability may be enacted through the process of invocation.
In the context of ZCAP-LD, an invocation consists of a linked data
object which MUST have a proof
property with a value
containing:
proofPurpose
of capabilityInvocation
capability
property which links to the
capability document that grants authority to invoke this capability
invoker
field from the
capability chain.
An invocation SHOULD have an id
(which may also serve as a
nonce).
Any other properties are considered arguments to the invocation.
Each capability document accrues granted authority in the chain, which
is used to both authorize further capability delegation and may be used
to invoke the capability chain.
The capability document that is invoked's chain is recursively traversed
up along the previousCapability
document until the target is
found (the root document that has no previousCapability
property).
The target's capabilityDelegation
cryptographic material is
marked in the initial set of authority.
The capability chain is then traversed from this root target back down
through each delegated capability all the way to the invoked capability
document leaf, validating while restricting and delegating authority:
proof
field of this capability document is checked for a
valid proof with a proofPurpose
of
capabilityDelegation
where the creator
of the
proof is cryptographic material in the currently authorized set.
invoker
field is added
to the currently authorized set.
At this point, the invocation is considered valid and any relevant action may be performed. (This does not guarantee that a specific result will occur, merely that the invocation itself is valid; a invocationTarget could in evaluating the invocation encounter invalid input and return or raise an error, for instance.)
Since invocations are themselves linked data documents, it is possible for an invocation to refer to an invocation as an argument. For this reason it is critical that mechanisms for accepting invocations be sure which invocation is being performed. For example, a mechanism that accepts ZCAP-LD capabilities as JSON-LD documents will likely have no trouble telling which invocation is being performed since that will be the "top" of the framed document. However, a mechanism which accepted N-Quads would need additional information supplied perhaps in the headers in order to be able to determine the "root" of the invocation.
Actions are a common way to direct behavior of an invocation.
Targets are free to choose their own mechanisms for directing
behavior, but MAY support the action
property on
invocations as one common behavioral direction technique.
The action
property points to a URI as a form of
vocabulary to determine which action is being performed.
For example, a capability to a file storage system may allow
for both reading and writing files, and a user could choose
to set the action
to
https://datastore.example/WriteFile
as an argument on their invocation.
The Verifiable Credentials Data Model provides a powerful vocabulary for correlating information and presenting correlated information in a secure way. This can be used to make claims about some subject, to present credential certifying you are qualified to do some thing, or so on. This is useful for gathering and presenting information that can be reasoned about. Indeed, this maps nicely to "the real world", as humans tend to be "correlation/reasoning machines". For example, Eva Lu Ator is hoping to hire a system administrator and may check for a college diploma, past work history, or recommendations from known entities considered qualified to judge competency to fulfill the role, and all of these can be modeled nicely with the Verifiable Credentials Data Model.
Thus it may be tempting to design a system in which a credential is presented in order to permit or forbid access to some resource. Unfortunately, associating "who is authorized to do what" leads us back to all the problems of access control lists, which we would like to avoid. When returning to our hiring a system administrator example it is easy to imagine how, upon hiring Alice as as a system administrator, Eva would hand Alice a capability to begin administrating her systems. But in considering the previous step where Eva contemplates whether or not to hand Alice that capability seems to pull us right back to correlating information about Alice's identity. (What is Alice's educational background? What is Alice's prior work experience?)
We seem to be in a conundrum. Claims and credentials are forms of correlation that allow us to reason about an entity in our squishy human world, but are unsafe when used as mechanisms to authorize some event to occur within a system. Capabilities are a safe mechanism to model the flow of authority through a system, but there are times when capabilities have not been granted and we need to make a "judgement call" by correlating information about that entity. What should we do?
To pose the question is to see the answer: the right approach is to use each system for what it does best. Use correlation (Verifiable Credentials) in a reasoning system (most commonly human reasoning) as a path to make judgements about whether to hand an entity a specific set of initial capabilities. Use capabilities (ZCAP-LD) as the mechanism to grant and exercise authority through computing systems. To return to our system administrator example, when Alice applies for the job, she submits a series of credentials about her prior work history and degree, and Eva is able to verify that it is Alice's former employers and university which have made these claims. Deciding that Alice is fit for the job, Eva hands Alice her initial capability which grants her authority to administrate the systems in question (with a caveat that allows Eva to revoke that authority at a future date, if appropriate). Alice uses that capability as the initial entry point into administrating the system.
The previous section discussed cases in which correlation (particularly through Verifiable Credentials) is used to grant an initial set of capabilities. This section discusses how correlation may be used to revoke capabilities under certain circumstances, and steps that should be taken to ensure this is done safely.
Capability systems focus on what authority grants that an operation may be performed, not on who is performing the action. In some object capability systems (such as many object capability programming languages) it is not even possible to see what entity is invoking a capability. In the case of ZCAP-LD, it is always possible to inspect an invocation to check which authentication material authorized to invoke the capability is being used in the invocation, and this may permit checking a certain amount of "who" is performing the action, but to focus on the "who" rather than the source of authority would bring us back to the dangers of Access Control Lists.
Nonetheless, there comes a time when correlating information about usage of a resource becomes critical, and this is in mitigating abuse. Even traditional capability systems, in developing solutions to this problem, develop techniques for correlating information about "who" has performed an action. (For example, Horton is one such system for E, though as previously stated, such information can be gleaned already by looking at the invocation and capability chain documents in ZCAP-LD.) The key to permit detecting and mitigating abuse safely in a capability based environment is to treat correlation of who is using a service not as something that is used per-invocation, but as something to be reasoned about to possibly revoke authority. (Astute readers may observe that between the previous section and this section we have defined safe ways to use correlation in conjunction with capabilities: as the entry point and possible termination point, with capabilities powering the machine in-between.)
For example, Alice has granted capabilities (with caveats that permit revocation) to a number of users access to run programs on the systems she is administrating, but someone is using their capability to abuse the system. The system itself performs the invocations as the users call them, but Alice, or a program Alice runs, is able to analyze a log of past invocations called. Having finished the analysis, Alice realizes that the abuse is coming from the invocation of a capability granted to some of Mallet's authentication material, and Alice revokes that capability.