DIDAuth + Obj. Cap.

From IIW

DIDAuth + Obj.Cap.

Day/Session:Thursday 1G

Convener:Orie Steele & Alan Karp

Notes-taker(s): (1) Orie Steele & (2) Matthew Hailstone

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Hosted by Alan H. Karp and Orie Steele, with notes by Orie Steele and Mathew Hailstone


(1) Notes from Orie Steele:

What is DIDAuth and how is it compatible with Object Capabilities?

We started by defining and describing object capabilities:

A Capability is a Transferable Unforgeable Permission. It can be implemented with unguessable URLS or signed objects.

A Java Program object reference is a capability, it allows for actions on the subject (the object instance).

A stronger implementation of object capabilities involves a digital certificate issued by a public key, for a resource with a set of supported methods:

Issuer: AlicePubKey

Resource: did:dad:0x123

Actions: Read,Write

Signature: 0x456

See attached image or tweet https://twitter.com/OR13b/status/1055540084106190848:

Public key creates a certificate that you give to a colleague that allows them to do work (capability)

Brown block is the delegation

Orange block is the use of that delegation

Object capabilities support Chained Attenuated Delegation.

President > General > Major > Private 

Private does not have rights of president, and does not need to ask him or permission to act.

Its impossible to prevent delegation, so its critical that users or agents be thoughtful and be prepared to take responsibility for the actions of a delegate.  

Its often preferable to be fine grained w.r.t. actions, so that revocation can also be fine grained.

We discussed the security model of a resource domain:




Access Decision

AuthN occurs at Grant NOT at the Use when using object capabilities.

DID AuthZ ~= Object Capabilities (could be!)

DIDAuthN supports mutual authentication in 2 ways:

Simple nonce + challenge signature flow between 2 DIDs (has privacy issues).

Authenticated Encryption (Diffie Helman / Group Key) produces a symmetric key for use.

Some discussion over the validity of NonReputability ( there is no legal protection afforded, the term was created by cryptographers, and may not be helpful, but some people believe it is valuable).

2 Main issues arise when attempting to provide AuthZ for microservices:

Confused Deputy -> https://en.wikipedia.org/wiki/Confused_deputy_problem

Gross Violations of Least Privledge -> https://en.wikipedia.org/wiki/Principle_of_least_privilege

When Object Capabilities are leveraged these issues are addressable within a system for decentralized microservices. ACL or Authentication related approaches are problematic.

Sam Smith mentioned using CurveCP for DIDAuth.



Pelle from UPort mentioned waterken a system for object capabilities:


Also uPort has an OpenID Connect related JWT implementation of Object Capabilities, that might be more compatible with legacy systems.

Alan mentioned https://w3c-ccg.github.io/ocap-ld/

Orie Steele closing thoughts:

I left desiring a concrete implementation of DIDAuth + Object Capabilities potentially built with CurveCP, maintained under https://github.com/decentralized-identity/ and supported by the community. 

We should support both a JWT and DID + JSON LD implementation for both modern P2P and legacy systems.

(2) Notes from Matthew Hailstone:

Object Capabilities / DID-Auth

 What is a capability?

Take your keys and hand them to someone else in order to allow them to drive the car.

Enabling delegation of authorization to do something

 URL with an unguessable string

 Java program

Reference to another object is a type of capability

Public key creates a certificate that you give to a colleague that allows them to do work (capability)

Brown block is the delegation

Orange block is the use of that delegation


Chained attenuated delegation

Do AuthN and AuthZ at every request

4 steps to Access Control

Access Decision (at the resource at the time of the request)

 Two things to protect

Bearer token
Revocation could be like a chain

 Put the revocation on the blockchain and the distributed resource can check the blockchain

 Not revoking the key, but revoking the delegation  



DID uses a key to sign a nonce to another DID

(mutual authentication)

(authenticated encryption - sign cryption)

group key

diffy helman and key exchange

produces a symmetrical key

has the symmetrical key

  hash the plain text

hash the cypher text  

curve CP (daniel bernstein)


SOA identity identification


water ken (ethereum)