diff --git a/index.html b/index.html index 7d4c1ac..47aa821 100644 --- a/index.html +++ b/index.html @@ -1,106 +1,113 @@
-JSON-LD Context file: https://demo.didkit.dev/2022/cacao-zcap/context/v1.json
-This context file is expected to be used in @context
following the [[SECURITY-VOCABULARY]] context (https://w3id.org/security/v2). i.e.:
+++ + ++ + ++ + ++ - -Context
++JSON-LD Context file: https://demo.didkit.dev/2022/cacao-zcap/context/v1.json +
++This context file is expected to be used in
+@context
following the +[[SECURITY-VOCABULARY]] context +(https://w3id.org/security/v2). i.e.: +{ "@context": [ "https://w3id.org/security/v2", @@ -108,301 +115,370 @@-Context
], ... } -- - -CACAO-ZCAP Mapping
-- -
- -- - - -CACAO property -Relationship/Value -ZCAP property -Required? -- - -h.t -= -cacaoPayloadType -yes -- - -p.domain -= -proof.domain -yes -- - -p.iss -DID ↔ DID URL -proof.verificationMethod -yes -- - -p.aud -= -invoker -yes -- - -p.version -"1" -– -yes -- - -– -[...] -@context -yes -- - -– -"CacaoZcap2022" -type -yes -- - -– -"CacaoZcapProof2022" -proof.type -yes -- - -p.nonce -= -proof.nonce -yes -- - -p.iat -= -proof.created -yes -- - -p.nbf -= -proof.validFrom -no -- - -p.exp -= -expires -no -- - -p.statement -= -cacaoStatement -no -- - -p.requestId -= -requestId -no -- - -. -CID → -id -no -- - -p.resources[0] -= -invocationTarget -yes -- - -p.resources[0] -URL ↔ ZCAP Root URN -proof.capabilityChain[0] -no -- - -p.resources[1..n-2] -= -proof.capabilityChain[1..n-2] -no -- - -p.resources[n-1] -Object ↔ Data URI -proof.capabilityChain[n-1] -no -- - -s.t -= -proof.cacaoSignatureType -yes -- - - -s.s -bytes ↔ multibase -proof.proofValue -no -- - -id CID UUID mapping
-The CACAO is serialized using [[DAG-CBOR]]. - A SHA-256 hash is computed over this serialization. - The last 16 bytes of the hash (dropping the initial 16) - is used as "pseudo-random" input to a [[RFC4122]] v4 UUID. - This UUID is represented as a URN by prefixing it with "urn:uuid:". - This URN is used as the id of the delegation object.
-- - -issuer-verificationMethod mapping
-The CACAO payload issuer property (
-p.iss
) is defined by [[CACAO]] to be a [[DID-PKH]] DID. The proofverificationMethod
property is expected to be a DID URL resolving to a verification method. - CACAO-ZCAP converts between these two fields by assuming that the issuer DID has a default verification method, that the CACAO signature is created using the verification material of that default verification method, and that the default verification method allows creating a proof of type CacaoZcapProof2022.- - -Root ZCAP mapping
-The first value of the CACAO payload resources array is used as the invocation target URI, that is the value of the zcap delegation's
-invocationTarget
property. The invocation target URI is encoded into a root zcap URN to become the root capability id. The root zcap URN is constructed as the concatenation of"urn:zcap:root:"
withencodeURIComponent(invocationTarget)
. To transform the root zcap URN to the invocation target URI, the prefix"urn:zcap:root:"
is removed and the remaining value is URL-decoded to return the invocation target id.- - -Intermediate ZCAP mapping
-If the proof
-capabilityChain
array / CACAO resources array (p.resources
) contain more than two elements, - the intermediate elements are passed through as URIs.- - -Previous ZCAP mapping
-The last value of the proof
-capabilityChain
array / CACAO resources array (p.resources
) represents the previous delegation. If the previous delegation is the root delegation, thecapabilityChain
array contains only the root delegation id, as a single value. If the previous delegation is a non-root delegation, the last value of the proofcapabilityChain
array is the previous delegation embedded as an object. The embedded previous delegation is represented in the last value of the CACAO resources array (p.resources
) as a [[RFC2397]] Data URI containing the Base64-encoded JSON object serialized with [[RFC8785]] JSON Canonicalization Scheme (JCS).- - -signature-proofValue mapping
-In CACAO, the signature is represented with an IPLD bytes type. In ZCAP and data integrity proofs, the signature is typically represented in a string in the proofValue property of the proof object. CACAO-ZCAP encodes the signature in the proofValue property using [[MULTIBASE]].
-- +Terms
-This document defines the following terms, in the namespace
- -https://demo.didkit.dev/2022/cacao-zcap/#
.- - -CacaoZcap2022
-A CACAO interpreted as an authorization capability delegation.
-The
-proof
property should be an object of type CacaoZcapProof2022. TheinvocationTarget
property should be the URL to which an entity is being authorized access.-
-- Status
-- unstable
-- Expected properties
-- - type, - parentCapability, - invocationTarget, - expires, - cacaoStatement, - cacaoRequestId, - proof -
-- - -CacaoZcapProof2022
-A data integrity proof over an authorization capability delegation document (CacaoZcap2022), together representing a CACAO.
--
-- Status
-- unstable
-- Expected properties
-- - type, - created, - verificationMethod, - proofPurpose, - proofValue, - domain, - nonce, - capabilityChain, - cacaoPayloadType, - cacaoSignatureType -
-- - -cacaoPayloadType
-CACAO payload format type (CACAO header "t" value). e.g. "eip4361".
--
-- Status
-- unstable
-- Expected type
-- xsd:string
-- - -cacaoSignatureType
-CACAO signature type (CACAO signature "t" value). e.g. "eip191" or "eip1271".
--
-- Status
-- unstable
-- Expected type
-- xsd:string
-- - -cacaoStatement
-CACAO statement (CACAO payload "statement" value).
--
-- Status
-- unstable
-- Expected type
-- xsd:string
-- - -cacaoRequestId
-CACAO request ID (CACAO payload "requestId" value).
--
-- Status
-- unstable
-- Expected type
-- xsd:string
-
CACAO property | +Relationship/Value | +ZCAP property | +Required? | +
---|---|---|---|
h.t | += | +cacaoPayloadType | +yes | +
p.domain | += | +proof.domain | +yes | +
p.iss | +DID ↔ DID URL | +proof.verificationMethod | +yes | +
p.aud | += | +invoker | +yes | +
p.version | +"1" | +– | +yes | +
– | +[...] | +@context | +yes | +
– | +"CacaoZcap2022" | +type | +yes | +
– | +"CacaoZcapProof2022" | +proof.type | +yes | +
p.nonce | += | +proof.nonce | +yes | +
p.iat | += | +proof.created | +yes | +
p.nbf | += | +proof.validFrom | +no | +
p.exp | += | +expires | +no | +
p.statement | += | +cacaoStatement | +no | +
p.requestId | += | +requestId | +no | +
. | +CID → | +id | +no | +
p.resources[0] | += | +invocationTarget | +yes | +
p.resources[0] | +URL ↔ ZCAP Root URN | +proof.capabilityChain[0] | +no | +
p.resources[1..n-2] | += | +proof.capabilityChain[1..n-2] | +no | +
p.resources[n-1] | +Object ↔ Data URI | +proof.capabilityChain[n-1] | +no | +
s.t | += | +proof.cacaoSignatureType | +yes | +
s.s | +bytes ↔ multibase | +proof.proofValue | +no | +
+The CACAO is serialized using [[DAG-CBOR]]. A SHA-256 hash is computed over +this serialization. The last 16 bytes of the hash (dropping the initial 16) is +used as "pseudo-random" input to a [[RFC4122]] v4 UUID. This UUID is +represented as a URN by prefixing it with "urn:uuid:". This URN is used as the +id of the delegation object. +
+
+The CACAO payload issuer property (p.iss
) is defined by [[CACAO]]
+to be a [[DID-PKH]] DID. The proof
+verificationMethod
+property is expected to be a
+DID URL resolving to
+a verification method.
+CACAO-ZCAP converts between these two fields by assuming that the issuer DID
+has a default verification method, that the CACAO signature is created
+using the
+verification material
+of that default verification method, and that the
+default verification method allows creating a proof of type
+CacaoZcapProof2022.
+
+The first value of the CACAO payload resources array is used as the invocation
+target URI, that is the value of the zcap delegation's
+invocationTarget
property. The invocation target URI is encoded
+into a root zcap URN to become the root capability id. The root zcap URN is
+constructed as the concatenation of "urn:zcap:root:"
with
+encodeURIComponent(invocationTarget)
. To transform the root zcap
+URN to the invocation target URI, the prefix "urn:zcap:root:"
is
+removed and the remaining value is URL-decoded to return the invocation target
+id.
+
+If the proof capabilityChain
array / CACAO resources array
+(p.resources
) contain more than two elements, the intermediate
+elements are passed through as URIs.
+
+The last value of the proof capabilityChain
array / CACAO
+resources array (p.resources
) represents the previous delegation.
+If the previous delegation is the root delegation, the
+capabilityChain
array contains only the root delegation id, as a
+single value. If the previous delegation is a non-root delegation, the last
+value of the proof capabilityChain
array is the previous
+delegation embedded as an object. The embedded previous delegation is
+represented in the last value of the CACAO resources array
+(p.resources
) as a [[RFC2397]] Data URI containing the
+Base64-encoded JSON object serialized with [[RFC8785]] JSON Canonicalization
+Scheme (JCS).
+
+In CACAO, the signature is represented with an +IPLD +bytes type. In ZCAP and data integrity proofs, the signature is +typically represented in a string in the +proofValue +property of the proof object. CACAO-ZCAP encodes the signature in the +proofValue property using [[MULTIBASE]]. +
+
+This document defines the following terms, in the namespace
+https://demo.didkit.dev/2022/cacao-zcap/#
.
+
+A CACAO interpreted as an authorization capability delegation. +
+
+The proof
property should be an object of type
+CacaoZcapProof2022.
+The invocationTarget
property should be the URL to which an entity
+is being authorized access.
+
+A data +integrity proof over an authorization capability delegation document +(CacaoZcap2022), together representing a CACAO. +
++CACAO payload format type (CACAO header "t" value). e.g. "eip4361". +
++CACAO signature type (CACAO signature "t" value). e.g. "eip191" or "eip1271". +
++CACAO statement (CACAO payload "statement" value). +
++CACAO request ID (CACAO payload "requestId" value). +
+
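Review bot: in the first hunk (the Context section, `@@ -1,106 +1,113 @@`), the context IRI `https://demo.didkit.dev/2022/cacao-zcap/context/v1.json` doubles as the vocabulary namespace and as the document a verifier will dereference, yet nothing here tells implementations to bundle or pin it. The terms that context defines are canonicalized into the bytes a CacaoZcapProof2022 signs, so a verifier that fetches the URL at run time lets whoever controls the `demo.` host redefine what an already-signed delegation means; add a sentence requiring the context to be embedded or cached by its hash, and decide whether a `demo` hostname is the namespace the spec wants to commit to permanently. The `@context` example (`"https://w3id.org/security/v2"` first, the cacao-zcap context after it) should also state that this ordering is normative, because a later context in a JSON-LD `@context` array overrides an earlier one for any term both define.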
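Review bot: in the second hunk (`@@ -108,301 +115,370 @@`), the mapping table and the Terms section disagree on the request-ID property: the table row reads `p.requestId | = | requestId | no`, while the CacaoZcap2022 expected-properties list and the term definition use `cacaoRequestId`; pick one (`cacaoRequestId` matches `cacaoStatement`) and fix the other. The same cross-check fails for `parentCapability`: it is listed as an expected property of CacaoZcap2022 but no table row produces it, while `proof.capabilityChain[0]` (the root URN derived from `p.resources[0]`) is marked optional; say whether `parentCapability` is the root URN or the last chain element, and which of them is required. The row `s.s | bytes ↔ multibase | proof.proofValue | no` marks the signature itself optional, which cannot be right for a proof that is meant to be verified, and neither that row nor the signature-proofValue paragraph names the multibase prefix(es) a verifier must accept. In the issuer-verificationMethod paragraph, "assuming that the issuer DID has a default verification method" is not a verification rule: require the verifier to resolve the did:pkh DID document and check that the `verificationMethod` DID URL appears in the relationship matching the proof's `proofPurpose` (which is listed as an expected property but whose value is never stated) before the proof is accepted; otherwise any DID URL the issuer chooses is taken on faith. The root-URN paragraph should require decoding `proof.capabilityChain[0]` and comparing it with `invocationTarget`, rejecting a mismatch, and should cite percent-encoding rules rather than the JavaScript name `encodeURIComponent`, whose unreserved set (`!'()*` are left unencoded) is an implementation detail that a stricter decoder will not round-trip. Smaller points: the id-mapping paragraph should say that the [[RFC4122]] v4 version and variant bits overwrite six of the 128 hash bits and that the resulting id is deterministic rather than "pseudo-random"; the Data URI for the embedded previous delegation should name its media type and the `;base64` parameter; and `proof.validFrom` and `expires` appear in the table but, unlike `cacaoStatement` and `cacaoPayloadType`, have no entry in the Terms section, so either define them there or cite the context that does.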