Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for multiple authorities with distinct DIDs #268

Open
Gozala opened this issue Mar 28, 2023 · 0 comments
Open

Support for multiple authorities with distinct DIDs #268

Gozala opened this issue Mar 28, 2023 · 0 comments

Comments

@Gozala
Copy link
Collaborator

Gozala commented Mar 28, 2023

Creating an issue that #267 is attempting to fix.

@alanshaw use case is to accept attestations from a DID other than one passed as authority to a server / validator. However there is also generally a need to recognize and verify signatures from non did:key: principals. I think we could address both cases if we do following:

  1. We already have an option that can be used to resolve did:key principal from other (non did:key)

    https://github.com/web3-storage/ucanto/blob/86332db62d00ca72a989da5640a35a844d111ab9/packages/interface/src/lib.ts#L650-L659
    https://github.com/web3-storage/ucanto/blob/86332db62d00ca72a989da5640a35a844d111ab9/packages/validator/src/lib.js#L544-L557

    These hook could be threaded through the server allowing us to support injecting keys for multiple services e.g. web3.storage and nft.storage. However these hooks alone would not be enough to accept attestations from the various actors for that we need no 2.

  2. We need to be able to pass set of proofs to the server / validator that could authorize specific authorities. There are lot of use cases for that (e.g. worker running may need to have different key from the actual service key in which case service needs to delegate to the worker). To support attestations specifically we could utilize proofs and specifically pass delegations from authority to the principal trusted to do an attestation on it's behalf which would look like:

    Server.create({
   id: w3,
   proofs: [
      await delegate({
         issuer: w3,
         audience: notary,
         capabilities: [{
            can: "ucan/attest",
            with: w3.did()
         }]
      })
   ]
})

    Assuming those are threaded through to the validator we could change verifySession function in the validator to recognize attestations from all the authorized principals and not just authority:

    https://github.com/web3-storage/ucanto/blob/86332db62d00ca72a989da5640a35a844d111ab9/packages/validator/src/lib.js#L581-L597

    In other words we would derive with schema as union of all the DIDs that authority has delegated to so something like

    const dids = config.proofs
   .filter(ucan => ucan.capabilities[0].with === config.authority.with && ucan.capabilities[0].can === 'ucan/attest')
   .map(ucan => Schema.literal(ucan.audience.did()))
const withSchema = Schema.union(dids)

No 2 will ensure that attestations issued by authorized principals are recognized and respected. No 1 will ensure that signature chains could be verified which will be needed if attestation is issued by did principal that isn't did:key.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Gozala