Replies: 5 comments 21 replies
-
@Gozala this is something that's come up a few times from implementers. I'm unclear if it's a good idea for the following reasons:
There is irreducible complexity in here, so we can push that into the user interaction, or into the library. My gut instinct is to always err on the side of making things as flexible for users as possible, and biting the bullet in the library. That said, I'm not the final word on this spec, and am open to discussing this change further! Maybe it's the right tradeoff; it's possible!
This is surprising to me! Tell me more about this. Are you using a full blown constraint solver like SMT, or a hand-rolled mini-matcher?
Tell me more about this? To make sure that we're on the same page, assuming that the relation points upwards, You mad mentioned a confusion a few weeks back about how capabilities are accessed in a chain, and this could potentially be the same thing? UCANs can only access their direct proofs, not proofs-of-proofs down the chain — for security reasons. i.e. they have access to multiples via breadth but not depth. |
Beta Was this translation helpful? Give feedback.
-
Also going to CC @matheus23 to bring his voice in to the conversation. IIRC he has also described a similar idea in the past where we point at specific CIDs (and to which I made the same argument as above about who has to handle the irreducible complexity). Tell me why I'm wrong! 🙏 |
Beta Was this translation helpful? Give feedback.
-
I would like to address some of the notes
I am not sure I agree although maybe we’re thinking about different actors behind “consumer”. I’m thinking of actor that handles invocation, in which case it’s actually less complex because it is told exactly what the proofs are as opposed to having to find that out.
Maybe. Although I do not find to be a compelling argument. Sure code creating derived token has more opportunity to mess up, but then again just the same it could forget to include necessary proofs, in which case UCAN would be invalid and error would be less clear as there could be many paths that failed and the right path would not even be present.
This is the case when user may have two or more capability sets that would have satisfied same claim. It is true, however one could also claim same capability multiple times pointing to different proofs. It would be a lot more verbose, but I’d still argue a lot more clear still.
Fair enough. It would be a lot easier to update validation code than it is to reissue all the malformed tokens produced by invalid issuer code. |
Beta Was this translation helpful? Give feedback.
-
Hand written one. Maybe calling it a constraint solver is overstatement, but it was non trivial code already and introducing relations between specific capabilities is making it even more complicated. It just seems that issuer of the token should be in much better position to link proof chains than validator which otherwise does not really need to hold domain specific logic. |
Beta Was this translation helpful? Give feedback.
-
I do not know if you are wrong, but my primary sentiment is issuer knows what proofs it needs to provide when granting some capability, but it is does not encode that knowledge so validator needs to go and figure on it’s own. To do so it also needs to have more domain knowledge than it otherwise needs. That said, your arguments helped me recognize the fact that improving validator would be a lot easier & cheaper than to cause mass token rotation, so maybe more ambiguity is better. For what it’s worth spec does not stops us from adding extra fields in our capabilities to link to a relevant proofs. |
Beta Was this translation helpful? Give feedback.
-
I am starting to dislike current structure of UCANs in which you have set of capabilities and set of proofs with no direct connections between them. Which requires a constraint solver on the verifier end which may need to explore several routes to before it can conclude if claimed capability is valid.
Above alone had been mild annoyance which resulted in more complicated code, however lately we're running into situations where certain capability e.g
{ can: 'store/add', with: 'did:key:user' }
may require proofs e.g. thatdid
has valid email account expressed with capability{ can: 'access/identify', with: 'did:key:user' }
which in turn depend on two other proofs:did:key:user
claimed to have owned emailuser@email.to
(issued by user DID)did:key:verifier
verified above claim.More simply relation between capabilities A, B, C, D is
Unfortunately at the UCAN level relation between
A
,B
,C
andD
is not captured and is unclear. Lack of that relation is also why we need a constraint solver.What If ?
What if instead of hoisted proofs each capability linked to a proof directly something like
ucan_cid/capability_id
? That would:Beta Was this translation helpful? Give feedback.
All reactions