Support for multiple authorities with distinct DIDs

[Gozala]

Creating an issue that #267 is attempting to fix.

@alanshaw use case is to accept attestations from a DID other than one passed as authority to a server / validator. However there is also generally a need to recognize and verify signatures from non did:key: principals. I think we could address both cases if we do following:

1. We already have an option that can be used to resolve did:key principal from other (non did:key)

   ucanto/packages/interface/src/lib.ts

   Lines 650 to 659 in 86332db

   	/**
   	* A `PrincipalResolver` is used to resolve a key of the principal that is
   	* identified by DID different from did:key method. It can be passed into a
   	* UCAN validator in order to augmented it with additional DID methods support.
   	*/
   	export interface PrincipalResolver {
   	resolveDIDKey?: (
   	did: UCAN.DID
   	) => Await<Result<DIDKey, DIDKeyResolutionError>>
   	}

   
   

   ucanto/packages/validator/src/lib.js

   Lines 544 to 557 in 86332db

   	// Otherwise we try to resolve did:key from the DID instead
   	// and use that to verify the signature
   	else {
   	const verifier = await config.resolveDIDKey(issuer)
   	if (verifier.error) {
   	return verifier
   	} else {
   	return verifySignature(
   	delegation,
   	config.principal.parse(verifier).withDID(issuer)
   	)
   	}
   	}
   	}

   These hook could be threaded through the server allowing us to support injecting keys for multiple services e.g. web3.storage and nft.storage. However these hooks alone would not be enough to accept attestations from the various actors for that we need no 2.

2. We need to be able to pass set of proofs to the server / validator that could authorize specific authorities. There are lot of use cases for that (e.g. worker running may need to have different key from the actual service key in which case service needs to delegate to the worker). To support attestations specifically we could utilize proofs and specifically pass delegations from authority to the principal trusted to do an attestation on it's behalf which would look like:

   Server.create({
      id: w3,
      proofs: [
         await delegate({
            issuer: w3,
            audience: notary,
            capabilities: [{
               can: "ucan/attest",
               with: w3.did()
            }]
         })
      ]
   })

   Assuming those are threaded through to the validator we could change verifySession function in the validator to recognize attestations from all the authorized principals and not just authority:

   ucanto/packages/validator/src/lib.js

   Lines 581 to 597 in 86332db

   	const verifySession = async (delegation, proofs, config) => {
   	// Create a schema that will match an authorization for this exact delegation
   	const attestation = capability({
   	with: Schema.literal(config.authority.did()),
   	can: 'ucan/attest',
   	nb: Schema.struct({
   	proof: Schema.link(delegation.cid),
   	}),
   	})
   	return await claim(
   	attestation,
   	// We omit the delegation otherwise we may end up in an infinite loop
   	proofs.filter(proof => proof != delegation),
   	config
   	)
   	}

   In other words we would derive with schema as union of all the DIDs that authority has delegated to so something like

   const dids = config.proofs
      .filter(ucan => ucan.capabilities[0].with === config.authority.with && ucan.capabilities[0].can === 'ucan/attest')
      .map(ucan => Schema.literal(ucan.audience.did()))
   const withSchema = Schema.union(dids)

No 2 will ensure that attestations issued by authorized principals are recognized and respected. No 1 will ensure that signature chains could be verified which will be needed if attestation is issued by did principal that isn't did:key.