UCAN v0.9.0 #55
UCAN v0.9.0 #55
Conversation
|
cc @dholms FYI this is going to include removal of the DHT dependency, and replace it with a point-to-point (e.g. HTTP) protocol. If you have any thoughts on this direction, this is the time! π |
expede
force-pushed
the
0.9
branch
2 times, most recently
from
0cb321f
to
f784f03
Compare
|
Added this line to the 0.9 roadmap:
|
|
Hey, I might be missing something here, but as far as I understand, UCAN thing is not really a valid JWT, even in this form. You mention mandatory support of If my basic understanding is correct, then UCAN supports did methods that use JOSE algorithms exclusively. How can it be both compatible with existing JWT tooling and support advanced did methods? |
|
@ukstv Technically DID can support any signature scheme, yup! Today we support EdDSA, ECDSA, and RSA only, which are all in JWT. IIRC EdDSA is in a separate JOSE extension IETF spec, but is extremely widely supported in libraries (it's de facto supported). We should absolutely be explicit about this in the spec. We also don't allow HMAC verification. A library supporting more methods "off spec" is possible today (we've done proof of concepts with ION, for example), but can't expect that to be compatible with "any" other implementation. The spec if just here to be the line of "what is interoperable". If there's a good case made, we're open to effectively forking JWT (at which point, we drop the weird multi-section formatting with
|
| | `att` | `Json[]` | Attenuations | Yes | | ||
|
|
||
| ### 3.2.1 Principals | ||
|
|
||
| The `iss` and `aud` fields describe the token's principals. These can be conceptualized as the sender and receiver of a postal letter. The token MUST be signed with the private key associated with the DID in the `iss` field. Implementations MUST include the [`did:key` method](https://w3c-ccg.github.io/did-method-key/), and MAY be augmented with [additional DID methods](https://www.w3.org/TR/did-core/). | ||
|
|
||
| The underlying key types RSA, ECDSA, and EdDSA MUST be supported. Use of ECDSA is supported but [RECOMMENDED that another key type be preferred](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Security). |
There was a problem hiding this comment.
Would that not be covered by the alg field in the JWT header?
|
I flipped this to Ready for Review. I think that we're mainly on the same page about the scope of 0.9 from the conversation above, but please do mention anything that should or should not be in here. I think the most controversial things will be:
Open to folks flagging typos or nitpicks. VERY open to approvals π |
README.md
Outdated
| A UCAN token MUST be referenced as [CIDv1](https://docs.ipfs.io/concepts/content-addressing/#identifier-formats) with the following configuration: | ||
| * CID Version: `1` | ||
| * Multibase: [`b` base32](https://github.com/multiformats/multibase/blob/master/multibase.csv#L12) | ||
| * Multicodec: [`0x55` raw data](https://github.com/multiformats/multicodec/blob/master/table.csv#L39) |
There was a problem hiding this comment.
Would this explicitly deny using dag-ucan in valid UCANs?
There was a problem hiding this comment.
That's a really good point!
@Gozala: you're proposing the use of dag-json for the deterministic codec, yes? IIRC dag-ucan didn't go forward.
There was a problem hiding this comment.
Would this explicitly deny using dag-ucan in valid UCANs?
It does sound like it would indeed make dag-ucan incompatible with a spec as it uses CBOR encoding with a following schema #67, when possible.
@expede is this intentional ? Otherwise can we either include CBOR variant or at least change wording so that RAW isn't the only valid option.
There was a problem hiding this comment.
@Gozala: you're proposing the use of dag-json for the deterministic codec, yes? IIRC dag-ucan didn't go forward.
I'm not sure I fully understand that question, I think there are couple of things mixed up, so I"ll try to clarify:
- dag-ucan did go forward and it uses CBOR encoding when possible (that is turning that CBOR to JSON and then formatting as JWT produces same signature), and RAW encoding otherwise.
- Idea of introducing dag-ucan multicodec code was dropped in favor of just CBOR because:
- It did not provide a lot of benefit, mostly signaling in links
- And came with tradeoff that required registering new codecs even though it is CBOR with some schema.
- I have been advocating for ucan implementations using
dag-jsonas that would allow them to be representation agnostic (could be encoded in CBOR without signature changes). However that is unrelated to dag-ucan.
There was a problem hiding this comment.
@Gozala There was a previous version that included the dag-ucan multicodec. When that PR was nixed, I dropped its prefix from this document. I just forgot to update this section after dag-json was settled on. I'll add that now π
There was a problem hiding this comment.
@Gozala any concern with limiting it to CIDv1 + base32?
:)
There was a problem hiding this comment.
Some fixes for broken internal links after the great renumbering
I found a couple the old fashioned way when clicking around the rendered version, and used:
$$('a[href^="#"]').filter(el => !document.getElementById(`user-content-${el.getAttribute('href').substring(1)}`)).map(el => el.innerText)
to find the rest. Provided here in case it's handy for future re-numberings. π’πβ¨
README.md
Outdated
| A UCAN token MUST be referenced as [CIDv1](https://docs.ipfs.io/concepts/content-addressing/#identifier-formats) with the following configuration: | ||
| * CID Version: `1` | ||
| * Multibase: [`b` base32](https://github.com/multiformats/multibase/blob/master/multibase.csv#L12) | ||
| * Multicodec: [`0x55` raw data](https://github.com/multiformats/multicodec/blob/master/table.csv#L39) |
There was a problem hiding this comment.
Would this explicitly deny using dag-ucan in valid UCANs?
It does sound like it would indeed make dag-ucan incompatible with a spec as it uses CBOR encoding with a following schema #67, when possible.
@expede is this intentional ? Otherwise can we either include CBOR variant or at least change wording so that RAW isn't the only valid option.
README.md
Outdated
| A UCAN token MUST be referenced as [CIDv1](https://docs.ipfs.io/concepts/content-addressing/#identifier-formats) with the following configuration: | ||
| * CID Version: `1` | ||
| * Multibase: [`b` base32](https://github.com/multiformats/multibase/blob/master/multibase.csv#L12) | ||
| * Multicodec: [`0x55` raw data](https://github.com/multiformats/multicodec/blob/master/table.csv#L39) |
There was a problem hiding this comment.
@Gozala: you're proposing the use of dag-json for the deterministic codec, yes? IIRC dag-ucan didn't go forward.
I'm not sure I fully understand that question, I think there are couple of things mixed up, so I"ll try to clarify:
- dag-ucan did go forward and it uses CBOR encoding when possible (that is turning that CBOR to JSON and then formatting as JWT produces same signature), and RAW encoding otherwise.
- Idea of introducing dag-ucan multicodec code was dropped in favor of just CBOR because:
- It did not provide a lot of benefit, mostly signaling in links
- And came with tradeoff that required registering new codecs even though it is CBOR with some schema.
- I have been advocating for ucan implementations using
dag-jsonas that would allow them to be representation agnostic (could be encoded in CBOR without signature changes). However that is unrelated to dag-ucan.
README.md
Outdated
|
|
||
| _UCAN does not have any special protection against person-in-the-middle (PITM) attacks._ | ||
|
|
||
| Were a PITM attack successfully performed on a UCAN delegation, the proof chain would contain the attacker's DID(s). It is possible to detect this scenario and revoke the relevant UCAN but does require special inspection of the topmost `iss` field to check if it is the expected DID. Therefore, it is strongly RECOMMENDED to only delegate UCANs to agents that are both trusted and authenticated and over secure channels. | ||
|
|
||
| ## 12.4 Why are the superuser and delegation abilities separate? |
There was a problem hiding this comment.
Am I correct in interpreting this as * means all abilities including ones that may be introduced in the future. While ucan/delegate means all abilities that are present in proofs ? If so I think I'm starting to get the distinction, yet I think that could be made more clear.
In other words following capability
{
"with": "owned://did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV/wnfs",
"can": "*"
}Implies that all wnfs:// capabilities of did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV had been delegated even though they aren't listed by did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV.
On the other hand following capability:
{
"with": "ucan:*",
"can": "ucan/DELEGATE"
}implies that all the of the capabilities from all proofs have been (re)delegated.
Confusing bit here is that two either never overlap (in which case I think there's no point in having ucan/delegate) or they do and following capability:
{
"with": "owned://did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV/wnfs",
"can": "ucan/DELEGATE"
}has different semantics from the 1st one (with same with and "can": "*") and implies to select only explicitly delegated "wnfs" capabilities from did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV as opposed to all the "wnfs" capabilities from that actor.
If later is true I think disambiguating between these delegations using different URI schemas seems a lot less confusing to me.
There was a problem hiding this comment.
In other words following capability
[...]
Implies that all wnfs:// capabilities of did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV had been delegated even though they aren't listed by did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV.
On the other hand following capability:
[...]
implies that all the of the capabilities from all proofs have been (re)delegated.
Yup, that's the distinction! ucan/delegate only makes sense in the context of ucan:, in the same way that msg/send does make sense for mailto: but not wnfs:.
I'll add some clarifying text to that effect π
implies that all the of the capabilities from all proofs have been (re)delegated.
Also {with: "ucan:Qm12345:", can: "ucan/delegate"} would delegate from that one UCAN. This is the any (i.e. "any" / whatever happens to be in Qm12345). It may be a lot of power, or very little.
On the other hand, can: "*", that would assert the maximum rights to the resource ("all rights"), which need to be be ownership, or backed up with exactly that from a proof.
Confusing bit here is that two either never overlap (in which case I think there's no point in having ucan/delegate)
Tell me about not having ucan/delegate then? msg/send also doesn't overlaps with CRUD actions, and often resources can use only one or the other.
There was a problem hiding this comment.
Tell me about not having ucan/delegate then? msg/send also doesn't overlaps with CRUD actions, and often resources can use only one or the other.
There are few things that I think contribute to the confusion:
- The
*is a special form (only thing that does not need to be namespaced). It is used also inwithto match anything. However in case ofcanit's semantics change to mean maximum rights to the resource. - It is confusing (and annoying) that
*incanfield can only be used with some protocol schemas and not the other. In turn it creates more opportunities to have invalid UCANs (I'm pretty sure we even have some of those in our system). It is true that not everycanbe used in conjunction with everywith, but given a special form I'd expect it to. - Just like you could use
*in"with": "ucan:*"to match pattern I would expect to do the same incan: "store/*"to match all the capabilities that were delegated namespaces withstore.
In summary it feels composable but it is not and it is not intuitively obvious which things can be used in conjunction and which can't. This adds to complexity which I fear can lead to implementation incompatibilities due to misinterpretation.
It seems more intuitive to capture whether resource refers to explicitly delegated or implicitly owned capabilities in "resource" selector than in ability. I could be convinced that it should be captured in "ability", but even than using any other identifier but * would be far less confusing.
Alternatively encoding "superuser ability" in a different special form might worth considering
There was a problem hiding this comment.
Ok so here is an example of the delegated capabilities
[
{
"with": "owned://did:key:zAlice/wnfs",
"can": "*"
},
{
"with": "owned://did:key:zBob/wnfs",
"can": "ucan/delegate"
}
]So here is what I find unclear about this:
- What happens if Alice delegated just specific
wnfscapabilities as opposed to super user ability ? Is above redelegation invalid or is it just redelegates ones that Alice delegated ? - What happens if Bob delegated "superuser ability" ? Does above UCAN redelegates all the
wnfsabilities from Bob including future ones (which would mean it would be no different from using"can": "*") or does not delegate anywnfsability from Bob ? Or perhaps it implies abilities that were known to "wnfs" at time the delegation occurred (I hope not this one) ?
Update: I am realizing now that can: "*" is reserved only for owned: schema, and "ucan/delegate" for "ucan" schema which would mean above UCAN would be invalid, still I think it illustrates some of the confusion.
There was a problem hiding this comment.
@Gozala I just watched @hugomrdias's UCAN talk from Iceland (which I missed because I was giving a concurrent talk at the same time), and the way he's framing the foo/* capabilities makes a ton of sense. It's a slightly different way of looking at the problem, but I think it's better. I'll make that change π
|
@expede I have evaluated changes required to switch from "my:*" schema to "my" field in our implementation and I'm afraid I'm arriving to conclusion that this idea may have been a bad one. I feel bad for pushing for it without evaluating it first, but maybe it is not too late to reconsider ? Here are some of my the unstructured thoughts about it:
|
I've been waiting for your review exactly for this reason π
I'd love to dig into this more, because I'm having a hard time piecing together how the validation and rooted authority would work in this version. A sync call may be the fastest way to iterate on some ideas, but let me know! I'll ping you on Discord. |
README.md
Outdated
| @@ -338,7 +337,7 @@ The underlying key types RSA, ECDSA, and EdDSA MUST be supported. Use of ECDSA i | |||
|
|
|||
| The `nbf` field is OPTIONAL. When omitted, the token MUST be treated as valid beginning from the Unix epoch. Setting the `nbf` field to a time in the future MUST delay using a UCAN. For example, pre-provisioning access to conference materials ahead of time but not allowing access until the day it starts is achievable with judicious use of `nbf`. | |||
|
|
|||
| The `exp` field MUST be set. If the time is in the past, the token MUST fail validation. | |||
| The `exp` field MUST be set. Following the [principle of least authority](https://en.wikipedia.org/wiki/Principle_of_least_privilege), it is RECOMMENDED to give a timestamp expiry for UCANs. If the token explitely never expires, the `exp` field MUST be set to `null`. If the time is in the past at validation time, the token MUST be treated as expired and invalid. | |||
There was a problem hiding this comment.
Added the option to use an explicit null to the expiry. The other option that we discussed was setting it to super far in the future (e.g. 9999999999), which is roughly what we do today even if it doesn't capture the intention.
We want this field to be fairly salient βΒ no expiry is potentially dangerous and not listing it makes that easy to miss β hence not having it be optional.
README.md
Outdated
|
|
||
| This field being separate is very important. Without the distinction of introduction by parenthood, there exists ambiguity in the capability provenance could be exploited by a malicious user in an unrelated proof, forcing the validly delegated capability to appear as though it has an invalid ownership claim. Separating these capabilities into their own array makes the claimed source of authority explicit. | ||
|
|
||
| ### 3.2.6 Attenuation |
There was a problem hiding this comment.
@matheus23 from the call with @Gozala earlier, it sounds like the ambiguity of "it may be in the chain or in the proofs and we have to handle either" is just less error prone and actually more ergonomic. I realize that this is comes full circle π Please do push back if it's an "over my dead body"
There was a problem hiding this comment.
For more context, in our uses we can tell if capability can be issued by an actor of it has to be delegated, specifically if it matches ${protocol}://${my_did}/* it can be self issued otherwise it needs to be delegated.
That is to say that how you resolve ambiguity may vary and that is also an argument for not prescribing it via spec.
There was a problem hiding this comment.
Ah I see. This is what the previous my/as and now the own scheme are for. You can't use a DID in an arbitrary URI as the host field, nor a * path to mean multiple resources of that type. It depends on the definition of the specific URI.
This proposal merely suggests reformatting that into a safer, more widely compatible form.
| owned://did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV/* | ||
| owned://did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV/dns | ||
| own://did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV/* | ||
| own://did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV/dns |
There was a problem hiding this comment.
We could potentially pull this out into its own spec, as it's not a hard requirement for the core spec.
There was a problem hiding this comment.
@expede This is kind of a thing that we probably would have expressed as follows instead
- Can do anything
did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPVcould do
{ can: "*", with: "did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" }
- Can do same DNS stuff as
did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV
{ can: "*", with: "dns://did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" }
If expressed as above own: becomes unnecessary, for the same reason as my is unnecessary - if issuer is same ID it can self issue, otherwise it must be delegated from the did.
There was a problem hiding this comment.
@Gozala I see what you're trying to do, but both break the URI schemes which are defined in their own specs. For example, dns://did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV would need to resolve did:key:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV as a DNS host as defined in RFC 4501 and RFC 3986.
The example you give above is not formatted as that, and so a DNS parser would fail ahead of a lookup. What own gives you here is a signal that we're not using the dns: URI scheme. The host authority for DNS is the source authority for resolution, not the owner of the DNS name (you may trust Google's resolver, for instance)
Hosts are also case insensitive in the URI spec, but DIDs are not:
host = IP-literal / IPv4address / reg-name
[...]
Although host is case-insensitive, producers and normalizers should use lowercase for registered names and hexadecimal addresses for the sake of uniformity, while only using uppercase letters for percent-encodings.
And the host is intended to resolve to a IP literal, which DIDs don't do.
If you want to use the user field, not all URIs support it, and the URI ABNF requires a host to be specified for the user (helpful railroad diagram here).
Most DID methods are also resources themselves, where you're maintaining PKs on a DID document. Saying { can: "*", with: "did:<foo>:zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" } for example would imply the ability to update the actual DID document, not the resources accessible or owned by that DID.
There was a problem hiding this comment.
FWIW, Fission has done variants of both of the above in the past, but I've come to realize that once we switched to URI resources, we should probably honour the URIs that we say they are, otherwise there's lots of sharp edges, potential for confusion, attack surface (URI parsing attacks are a thing), and difficulty in reusing existing URI tooling.
README.md
Outdated
| @@ -598,7 +587,6 @@ Revocations MAY be deleted once the UCAN that they reference expires or otherwis | |||
| β β β | |||
| β iss: Alice β β | |||
| β aud: Bob β ββ Alice can revoke | |||
| β my: [X,Y,Z] β β | |||
README.md
Outdated
| | `exp` | `Number` | Expiration UTC Unix Timestamp (valid until) | Yes | | ||
| | `nnc` | `String` | Nonce | No | | ||
| | `fct` | `Json[]` | Facts (asserted, signed data) | No | | ||
| | `my` | `Json[]` | Delegation by parenthood | No | |
README.md
Outdated
| ## 5.2 Top | ||
|
|
||
| The "top" (or "super user") ability MUST be denoted `*/*`. The top ability grants access to all other capabilities for the specified resource, across all possible namespaces. Top corresponds to an "all" matcher, whereas [delegation](#51-ucan-delegation) corresponds to "any" in the UCAN chain. The top ability is useful when "linking" agents by delegating all access to resource(s). This is the most powerful ability, and as such it SHOULD be handled with care. | ||
|
|
||
| ``` | ||
| βββββββββ | ||
| β β | ||
| β */* β | ||
| β β | ||
| ββ²βββ²βββ²β | ||
| β β β | ||
| ββββββββββββββββββββββββββββββ β ββββββββββββββββββββββ | ||
| β β β | ||
| ββββββ΄βββββ ββββββ΄ββββββ βββββ΄ββββ | ||
| β β β β β β | ||
| β msg/* β β crud/* β β ... β | ||
| β β β β β β | ||
| βββ²βββββ²βββ βββ²βββββββ²ββ βββββββββ | ||
| β β β β | ||
| β β β β | ||
| β β β β | ||
| β β β β | ||
| βββββββββββββ΄β βββ΄ββββββββββββββ ββββββββββββ΄βββ βββ΄ββββββββββββββ | ||
| β β β β β β β β | ||
| β msg/send β β msg/receive β β crud/read β β crud/mutate β | ||
| β β β β β β β β | ||
| ββββββββββββββ βββββββββββββββββ βββββββββββββββ βββ²ββββββ²ββββββ²ββ | ||
| β β β | ||
| ββββββββ β ββββββββ | ||
| β β β | ||
| β β β | ||
| ββββββββββββββ΄βββ βββββββββ΄ββββββββ ββββ΄ββββββββββββββ | ||
| β β β β β β | ||
| β crud/create β β crud/update β β crud/destroy β | ||
| β β β β β β | ||
| βββββββββββββββββ βββββββββββββββββ ββββββββββββββββββ | ||
| ``` | ||
|
|
||
| ### 5.2.1 Bottom | ||
|
|
||
| In concept there is a "bottom" ability ("none" or "void"), but it is not possible to represent in an ability. As it is merely the absecnce of any ability, it is not possible to construct a capability with a bottom ability. | ||
|
|
There was a problem hiding this comment.
I realized that we actually do need a top ability for a bunch of linking use cases at Fission (and I believe Bluesky), and that it likely does need to live in the core spec. I had removed it a few days ago after seeing how DAG House is approaching their modelling. This does not alter how they need to think about their abilities at all, and they do not need to adopt */*.
I expanded on the explanation & diagram after explaining the feature to Irakli a few days ago. The syntax is also changed to be consistent with the */* pattern that we see showing up in the wild.
| delegatescheme = "as:" did ":" kind | ||
| kind = "*" / <scheme> | ||
| own = "own://" <did-subject> "/" scheme-scope | ||
| scheme-selector = "*" / <scheme> |
There was a problem hiding this comment.
@expede If I recall correctly you said motivation for the own:// protocol was due to the fact that did:key: can't have paths in them ? However I was unable to find that restriction & was wondering if maybe that is invalid assumption ?
I was also thinking that:
- Query params could probably used to restrict what's delegated from one agent to the other.
own:could be subsumed byucan:did:key:zKeyinstead so we avoid reserving more than one protocol scheme.
There was a problem hiding this comment.
There's two things:
- UCAN isn't restricted to
did:key. As you mention, the DID spec doesn't restrict the path segment, so any DID method can define path segment, breaking the proposed solution - Sure, we could use the
ucan:scheme instead. Any thoughts pro/con on using a subscheme?
Maybe I can borrow you in person while we're in person the next few days. I'll ping you on Discord.
|
@Gozala several your comments seems to be on old code βΒ not sure what's happening there. For example:
|
Lowercase `/PUT` Co-authored-by: Irakli Gozalishvili <contact@gozala.io>
Co-authored-by: Irakli Gozalishvili <contact@gozala.io>
Co-authored-by: Hugo Dias <hugomrdias@gmail.com>
Change Log πͺπͺ΅
Added π₯
[ ] Revocation specStaying the same, see comment: UCAN v0.9.0Β #55 (comment)my:...URI with"my"parenthood fieldCARv2Agnostic collectionsRemoved π€
"with": "dns:*")Move Out of Core Spec πͺ
[x] Consider extendingmy:to all parenthood cases, even specific values (CC @matheus23)"with": "ucan:uri:dns")Resolves π οΈ