XYZ & DID Deep Dive

From IIW

XYZ & DID Deep Dive

Thursday 12B

Convener(s): Justin Richer

Notes-taker(s): Sam Curren

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Transactional Authorization.

Oauth has always been a transactional protocol.

Send user to get token, use token they bring back.

Send Tranasction Request

- info about who you are, what you are capable of, etc.

Get Transaction Response

- do your stuff

How you can prove yourself.

Starts in backchannel, as opposed to current practice of starting in the frontchannel with the user.

Can Request interaction with the user if necessary.

Similar mechanisms to Oauth.

Can pass information about the user.

API client is a wallet with access to Verifiable Credentials or similar.

It makes sense for the client to pass information about the user to avoid unnecessary user interaction.

This is Transaction Oriented rather than Resource Oriented.

It isn't about the client.

Like a user interupt, but with allowances for automated responses that may help solve the problem without direct user interaction.

How to prevent unintended data leakage?

This is going to the Auth server, not the resource server.

We will have to be careful to not leak data during that flow.

The transaction is intended to be stateful.

What is a token except the result of a transaction.

Audit trails.

might be a place for ledgers.

We can give it it's own identifier, and refer to it or record it within ledgers or within DIDComm protocols.

Use Verifiable Proofing as part of a user assertion.

We may want to allow multiple user assertions.

Interact can be browser but can also be wallet interaction.

Interact can also be a proof request or a didcomm message.

XYZ intends to generalize already explored patterns with CIBA etc.

XYZ has a looser model for model passing related information.

The resource section has semantic support to describe the resource you are requesting.

Can we bind a DID key (URI ref) to the HTTP Request?

Do ZKPs apply for http request signing? Probably Not.