-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
upload protocol specification #25
Open
Gozala
wants to merge
1
commit into
main
Choose a base branch
from
spec/upload
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+318
−0
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,318 @@ | ||
# [email protected] protocol | ||
|
||
## Abstract | ||
|
||
This specifiaction defines protocol for _access_ and _store_ services as set of operations in [IPLD Schema][] which can be executed via [UCAN invocation]. This has following implications: | ||
|
||
1. Operations can be encoded as [IPLD][] blocks. | ||
2. Operations can be addressed by a derived, globaly unique, identifiers - [CID][]s. | ||
3. Requests _(containing multiple operations)_ can be efficiently transported using Content Archives ([CAR][]s) omitting redundant blocks (e.g. serivie issued UCANs, proofs that had already been transported). | ||
4. Can work over libp2p or other long lived connections. | ||
|
||
|
||
## Transport | ||
|
||
Protocol is designed with a single HTTP endpoint in mind which client can `POST` requests with arbitrary number of operations packed as a single [CAR][] file. | ||
|
||
|
||
That said specification is not tied to this design choice. Implementation MAY choose to encode operations as HTTP requests targeting different endpoints. Alternatively protocol may be exposed using GraphQL interface. More broadly as long as requests can be parsed into data structures corresponding to [operations](#Operations) transport format should not matter. | ||
|
||
## Requests | ||
|
||
Requests are represented as [UCAN invocation][]s in [IPLD][] encoding. Therefor they: | ||
|
||
1. MAY contain one or more operations _(represented as [capabilities][UCAN capabilities])_. | ||
2. MUST have cryptographic proofs of access. | ||
|
||
|
||
Request is defined as a following `UCAN` type in [IPLD schema][]: | ||
|
||
```ipldsch | ||
type UCAN struct { | ||
capabilities [Capability] | ||
issuer DID | ||
audience DID | ||
expires optional Time | ||
begins optional Time | ||
proofs [&UCAN] | ||
} | ||
|
||
|
||
type Capability union { | ||
-- account access service | ||
| Identify "access/identify" | ||
| Authorize "access/authorize" | ||
| Revoke "access/revoke" | ||
-- storage service | ||
| Add "store/add" | ||
| Remove "store/remove" | ||
} representation inline { | ||
discriminantKey "can" | ||
} | ||
|
||
type DID string -- did:key:pub_key | ||
type Time int -- milliseconds since the UNIX epoch | ||
``` | ||
|
||
## Responses | ||
|
||
Service response is represenented as an IPLD map in which keys are `Operation` [CID][]s (V1 in DAG-CBOR encoding sha-256 multihash and base32 encoding) and values are corresponding responses | ||
|
||
```ipldsch | ||
type Response { CID: &Any } | ||
|
||
-- V1 CID with sha-256 multihash in base32 | ||
-- of DAG-CBOR encoding `Capability` | ||
type CID string | ||
``` | ||
|
||
Operations with no responses are omitted. | ||
|
||
## Operations | ||
|
||
### Identify | ||
|
||
Operation identifies an "account" with a specific [did:key]. Account can be an arbitrary identifier e.g email address, wallet address etc. Serivce MAY associate [did:key] with that account accross sessions e.g. by persisting it. | ||
|
||
|
||
```ipldsch | ||
type Identify struct { | ||
-- did:key:user_pubkey | ||
with DID | ||
-- mailto:[email protected] | ||
as ID | ||
|
||
can "access/identify" | ||
} | ||
|
||
type ID string | ||
``` | ||
|
||
#### Constraints | ||
|
||
Operation MUST be enclosed in a [UCAN][] with a following requirements: | ||
|
||
1. UCAN `issuer` MUST be implicitly or explicitly **trusted** source _(e.g. trusted email verification service)_. | ||
|
||
> Implicitly trusted source implies that issuer DID is in some trusted partner service list. | ||
|
||
1. UCAN `proofs` MUST contain a self-issued UCAN with identical capability. | ||
|
||
> This provides a proof that claimed `ID` owner has access to a private key corresponding to the `DID` | ||
|
||
1. If UCAN `issuer` is not implecitly **trusted** it MUST contain service issued `UCAN` token granting explicit trust. | ||
|
||
|
||
#### Verification Service(s) | ||
|
||
Identity verification service is intentionally decoupled from identification service to enable indpendent services take on job of out of bound verification e.g. send confirmation email to that user MUST click in order to obtain UCAN with `Identify` operation. | ||
|
||
General flow is client self-issues `Identify` UCAN with _trusted verification_ service as an `audience`. Given that UCAN is issued by a DID it MUST be signed by corresponding private key _(which proves clients access)_. Service then performs out of bound verification _(e.g. confirmation email)_ and derives UCAN with exact same capability, but this time client DID as an `audience` and service `DID` as an issuer. Result as a UCAN chain loop proving that: | ||
|
||
1. Client has access to claimed `DID` private key. | ||
2. Service has verified that client has access to claimed `ID` (e.g. email) | ||
|
||
|
||
If _verifier_ is **implicitly trusted** by a service UCAN issued by _verifier_ MAY be used with it. Otherwise verifier MAY obtain **expilicit** trust from service by getting _unrestricted_ UCAN with `Identify` capability and provide that in `proofs` | ||
|
||
```json | ||
{ | ||
"can": "access/identify", | ||
"with": "*", | ||
"as": "*" | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. {
"can": "access/identify",
"with": "did:key:zClient..bucket",
"as": "wallet:zke....oueo"
},
{
"can": "store/add",
"with": "did:key:zClient...bucket",
"link": "bag...car1"
} |
||
``` | ||
|
||
> Issuing unrestricted `Identity` capabilties is out of scope for this protocol and probably should include building a trust. | ||
|
||
|
||
#### Invocation | ||
|
||
Please not that `Identify` operation invocation MAY be performed by: | ||
|
||
1. Client as after verification they have UCAN with a proof which they can address our service. | ||
2. Verifier on clients behalf. Instead of returning client a UCAN back it could instead / additionally issue UCAN to a service and pass it on. | ||
3. Any other intermidiery with access to the UCAN. | ||
|
||
#### Verification without services | ||
|
||
Verification service(s) CAN bridge the gap between web3 and web3 systems. In web3 native systems `Identify` UCANs can be self-issued. E.g In wallet base authentification system client MAY identify wallet address via `DID` by issueing first UCAN with DID private key and second via wallet key. | ||
|
||
### Authorize | ||
|
||
Client MAY invoke `Authorize` operation in order to obtain/recover [UCAN][] token from the service for a specific [did:key][] with specificed capabilities. | ||
|
||
```ipldsch | ||
type Authorize struct { | ||
-- did:key:public_key | ||
with DID | ||
can "access/authorize" | ||
capabilities optional [Capability] | ||
|
||
-- Self issued token or delegated one | ||
proof optional &UCAN | ||
} | ||
|
||
type Capability union { | ||
Add "store/add" | ||
Remove "store/remove" | ||
} representation inline { | ||
discriminantKey "can" | ||
} | ||
``` | ||
|
||
#### Constraints | ||
|
||
UCAN with `Authorize` capability MUST be either: | ||
|
||
1. Self-issued _([UCAN][] issuer is the same [did:key][] as DID in `with` field)_ | ||
2. Delegated from self-issued UCAN _(E.g one could give rights to an admin to list capabilities or rotate UCANs)_ | ||
|
||
#### Response | ||
|
||
Service MUST respond with [UCAN][] token containing requested capabilities if following conditions are met: | ||
|
||
1. `Authorize` request is authorized _(is self-issued [UCAN][] or derived from self-issued)_ | ||
2. [did:key][] has requested or greater capabilities. | ||
|
||
Service MAY respond with UCAN containing lesser capabilities than requested, but such a response SHOULD be marked as error and not a success. | ||
|
||
Service MUST NOT respond with greater capabilities than requested, as it MAY lead to leaking capabilities during delegation. | ||
|
||
If `capabilities` field is omited in a request it is up to a service to decide which capabilities to include in the response. | ||
|
||
#### Capabilities | ||
|
||
Service MUST support `Add` and `Remove` capabilities. We may add more capabilities over time. | ||
|
||
##### Add | ||
|
||
Capability to add content (by [CID][]) to a given [did:key][]. | ||
|
||
|
||
```ipldsch | ||
type Add struct { | ||
can "store/add" | ||
-- did:key:pub_key | ||
with DID | ||
-- Maybe be restrited to a specific CID | ||
cid optional &Any | ||
} | ||
``` | ||
|
||
##### Remove | ||
|
||
Capability to remove a content (by [CID][]) to a given [did:key][] | ||
|
||
```ipldsch | ||
type Remove struct { | ||
can "store/add" | ||
-- did:key:pub_key | ||
with DID | ||
-- MAY be restricted to a specific CID | ||
link optional &Any | ||
} | ||
``` | ||
|
||
### Add | ||
|
||
Client MAY add content to a `DID` via request containing `Add` operation. | ||
|
||
```ipldsch | ||
type Add struct { | ||
can "store/add" | ||
-- did:key:user | ||
with DID | ||
link &Any | ||
} | ||
``` | ||
|
||
#### Constraints | ||
|
||
[UCAN][] containing `Add` MUST: | ||
|
||
- Include a proof with service issued `Add` capability. | ||
|
||
|
||
Service MAY restrict [CID][] to specific coders and hashes. | ||
|
||
> In the implementation of [email protected] service we will only accept [CID]s witch [CAR][] code and sha256 multihash digest, so we could derive S3 presigned URLs for client uploads. In the future we may extend support for other types of CIDs. | ||
|
||
|
||
#### Response | ||
|
||
Service MUST respond to `Add` request with `AddResult`. `AddOk` variant represents a receipt that `Add` was completed succefully, which MAY happen if service already has such content available. `Upload` variant is returned with a URL where client should upload content to be added. `QuotaViolation` variant is returned if account associated with [did:key][] has not enough space. | ||
|
||
|
||
```ipldsh | ||
type AddResult union { | ||
Added "ok/add" | ||
Upload "need/upload" | ||
QuotaViolation "error/quota" | ||
} representation inline { | ||
discriminantKey "can" | ||
} | ||
|
||
-- Receipt from service telling it is done. | ||
type AddOk struct { | ||
can "ok/add" | ||
with DID | ||
link &Any | ||
} | ||
|
||
-- S3 presigned URL content should be uploaded to. | ||
type Upload struct { | ||
can "need/upload" | ||
with DID | ||
link &Any | ||
to URL | ||
} | ||
|
||
type QuotaViolation struct { | ||
can "error/quota" | ||
with DID | ||
link &Any | ||
} | ||
|
||
type URL string | ||
``` | ||
|
||
`Add` operation can be in 3 different states: `ok`, `pending`, `error`. Service receiving `Add` request SHOULD record: | ||
|
||
1. `CID` of the content been added. | ||
2. `DID` of content is been added to. | ||
3. `status` of the operation which is either `ok` or `pending` | ||
|
||
|
||
Here is the roughly the steps service is expected to perform | ||
|
||
1. If service has content under different user & this user has necessary space set status to `ok` and reduce space accordingly. | ||
1. If user has content under different [did:key] set status to `ok`. | ||
1. If user has no space and does not has this content in any other [did:key] deny service. | ||
1. If user has space and service has no such content set status to `pending` and return presigned URL. | ||
|
||
|
||
### Remove | ||
|
||
Client MAY remove content from a `DID` via request containing `Remove` operation. | ||
|
||
```ipldsch | ||
type Remove struct { | ||
can "store/add" | ||
-- did:key:user | ||
with DID | ||
link &Any | ||
} | ||
``` | ||
|
||
Remove operation can not fail and has no response. | ||
|
||
[IPLD Schema]:https://ipld.io/docs/schemas/using/authoring-guide/ | ||
[ed25519]:https://ed25519.cr.yp.to/ | ||
[UCAN]:https://whitepaper.fission.codes/access-control/ucan | ||
[did:key]:https://w3c-ccg.github.io/did-method-key/ | ||
[CAR]:https://ipld.io/specs/transport/car/carv1/ | ||
[IPLD]:https://ipld.io/ | ||
[CID]:https://docs.ipfs.io/concepts/content-addressing/ | ||
[UCAN capabilities]:https://github.com/ucan-wg/spec#325-attenuations | ||
[UCAN invocation]:https://github.com/ucan-wg/spec#521-invocation-recipient-validation |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually UCAN spec has separate representation for revocation so we should use that instead of having our separate thing here
https://github.com/ucan-wg/spec/#57-revocation