Clarify Authorization requirements. #363
Comments
Agreed, we need to rewrite how Authorization is described in the spec and the Editors will need to do that in a rewrite.
Still waiting on a PR.
The Authorization section has now gone, and the whole Core Properties section has been reorganised and tidied up since this issue was raised. @Fak3 could you review Verification Methods and Verification Relationships to see if the latest versions go some way towards answering your questions?
Recommend closing, since the spec has drifted.
Thank you. PR looks good to me.
PR #525 has been merged, closing.
Authorization of operations performed on behalf of the DID subject is defined in several places in the spec and requirements for implementers are unclear.
Section 5.3.2 defines Authorization as "the mechanism used to state how operations are performed (by controller) on behalf of the DID subject." - it is unclear which operations it is talking about. Does it include the DID Document Update operation performed by the DID controller? Or does it include assertion of a statement on behalf of the DID subject (discussed in 5.4.2 assertionMethod)? These two exemplified operations have completely different requirements and such a vague definition increases confusion about the whole section.
Then it also says that "Each DID method MUST define how authorization and delegation are implemented, including any necessary cryptographic operations." - why does the core spec delegate the responsibility to the DID method spec, and at the same time define authorization mechanisms such as 5.4.2 assertionMethod? What should a DID method spec say about the implementation of assertionMethod and other operations (verification relationships) defined in the core spec?
At the end it also suggests methods that a verifiable data registry could implement to support Authorization and delegation. This increases the confusion further - what role does the verifiable data registry have in interpreting the behavior of 5.4.2 assertionMethod? Could assertionMethod be delegated too?
It seems that "Authorization" as defined in this section is very vague and confusing. The whole section 5.3.2 should be somehow reworded and probably reorganized to address the relationship between section 5.4 Verification Relationships, the DID method-specific notion of authorizing the DID controller, interpreting the controller property of the DID Document, requirements for the verifiable data registry, and delegation.