# DWN Notes

## Things to draft proposals for

- Encryption
- Sync
- Files interface
- Hooks
- Request/Response Model
- Closing out a permission

## Things to fix

- Remove all the general descriptor props in the Message section and make all directives Interface specific.
- `data` will always be **delivered** as a `base64Url` string if present in a Message.
- `data` is always held and CID'd as decoded bytes
- Make all JW* the dot-delimited string form of the representations.
    - [JWE compact serialization](https://datatracker.ietf.org/doc/html/rfc7516#section-7.1)
    - [JWS compact serialization](https://datatracker.ietf.org/doc/html/rfc7515#section-3.1)
- Copy UCAN JWT values into Grant descriptors
- Add `revocationFor` prop to `PermissionsRevoke`

## Things to consider

- should address of serviceEndpoint be a `multiaddr`?

### Schema Corrections

- [Signed Data](https://identity.foundation/decentralized-web-node/spec/#signed-data) section of spec states that the value of `attestation.protected` **MUST** be an object. Unless we intend to deviate from the [JWS Spec](https://datatracker.ietf.org/doc/html/rfc7515#section-3.2), the value of `protected` **MUST** be `BASE64URL(UTF8(JWS Protected Header))`.
    - Correction:
      > The object MUST include a protected property, and its value MUST be a base64url encoded object composed of the following values

### Answered Questions

- in what case would a `CollectionsWrite` message **not** contain data?
    - never

### Open Questions

- In what cases would a `CollectionsWrite` message descriptor not contain a schema?
- is `data` either a base64Url string OR a JWE object? or is the JWE object base64'd as well?

## Proposals

### Closure of Permissions

Permission closure is the act of the user ending the active lifetime of a PermissionGrant, in a way that must satisfy the following requirements:

1. The permission must be closed so that no further invocations of the permission are possible.
2. All invocations of the permission the user deems valid at time of permission closure must be captured in a way that each invocation can be verified as being a valid invocation when atomically inspected in comparison to the permission closure. Meaning: if one of the user's DWNs receives a message that is associated with a permission that is closed, the DWN must be able to verify the message against the permission closure material to determine, true or false, whether the message is to be retained as a valid invocation of the permission that was closed.

Proposed solution:

Because there exists explicit awareness of all messages that are to be captured under the closed permission at time of closure, one should be able to leverage a hash-based structure with which inclusion in the closed set of messages can be verified. One way to do this would be to simply sign over a CID that represents the flat list of CIDs that are being included in the valid permission closure. There may be more elegant data structures, but I am not sure which would deliver a slimmer profile or better characteristics.
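A sketch of the signed flat-list closure proposed above, added here as an example and not part of the original notes or of any DWN implementation. Assumptions: a hex SHA-256 digest stands in for a real CID, the owner signs with Ed25519, the unsigned CID list travels alongside the signed closure, and every function and field name (`closePermission`, `isValidInvocation`, `closedSet`, and so on) is hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Stand-in for a real CID: hex SHA-256 of the bytes, without multihash/multicodec framing.
const pseudoCid = (bytes) => nodeCrypto.createHash('sha256').update(bytes).digest('hex');

// Normalise the flat list (de-duplicate, sort) so the digest does not depend on collection order.
const normalise = (cids) => [...new Set(cids)].sort();
const listCid = (cids) => pseudoCid(Buffer.from(JSON.stringify(normalise(cids))));

// Owner side: sign over the grant id and the digest of the list of accepted invocations.
function closePermission(grantId, invocationCids, privateKey) {
  const payload = JSON.stringify({ grantId, closedSet: listCid(invocationCids) });
  const signature = nodeCrypto.sign(null, Buffer.from(payload), privateKey).toString('base64url');
  return { payload, signature, invocationCids: normalise(invocationCids) };
}

// DWN side: true means "retain as a valid invocation", false means "reject".
function isValidInvocation(closure, grantId, messageBytes, ownerPublicKey) {
  const signature = Buffer.from(closure.signature, 'base64url');
  if (!nodeCrypto.verify(null, Buffer.from(closure.payload), ownerPublicKey, signature)) return false;
  const signed = JSON.parse(closure.payload); // parsed only after the signature checks out
  if (signed.grantId !== grantId) return false; // closure belongs to a different grant
  // The list travels unsigned next to the closure, so re-derive its digest before trusting it.
  if (listCid(closure.invocationCids) !== signed.closedSet) return false;
  return closure.invocationCids.includes(pseudoCid(messageBytes));
}

// Constructed sample data: two invocations accepted at closure time, one arriving afterwards.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const grantId = 'grant-1'; // constructed identifier
  const accepted = [1, 2].map((n) => Buffer.from(`{"method":"CollectionsWrite","n":${n}}`));
  const late = Buffer.from('{"method":"CollectionsWrite","n":3}');
  const closure = closePermission(grantId, accepted.map(pseudoCid), privateKey);
  // Someone appends the late message's CID to the list without being able to re-sign.
  const forged = { ...closure, invocationCids: normalise([...closure.invocationCids, pseudoCid(late)]) };
  return {
    retained: isValidInvocation(closure, grantId, accepted[0], publicKey),
    lateMessage: isValidInvocation(closure, grantId, late, publicKey),
    forgedList: isValidInvocation(forged, grantId, late, publicKey),
  };
}

console.log(demo());
```

The verifier needs the whole list to check one message, so the closure grows linearly with the number of retained invocations; that is the cost the notes weigh against more compact structures.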
```json=
{
  "authorization": {
    ""
  }
}
```

- `data` will always be a string
    - when **NOT** encrypted, it will simply be base64Url encoded
    - when encrypted, it will be a compact JWE

## ENCRYPTED

```json=
{
  "descriptor": {
    "encryption": "jwe"
  },
  "data": "COMPACT.JWE.FORMETHXBAI"
}
```

## UN-ENCRYPTED

```json=
{
  "descriptor": {
  },
  "data": "THIS_IS_MY_FUN_BASE64URL_STR_THX_4_IT_PLZ"
}
```

```sequence
```

---

# 05/24/2022

- repurpose `objectId` for `PermissionsRevoke` to be the identifier of the `PermissionsRevoke`
- add `revocationFor` as a property for `PermissionsRevoke` whose value is the `objectId` of the `PermissionsGrant` that you are revoking

```json=
{
  "descriptor": {
    "method": "PermissionsGrant",
    "payload": {
      "iss": "did:example:alice",
      "aud": "did:example:bob",
      "exp": 1575606941,
      "att": [{
        "can": {
          "method": "CollectionsWrite",
          "schema": "https://schema.org/MusicPlaylist"
        },
        "conditions": {
          "encryption": 1,
          "attestation": 0,
          "sharedAccess": true
        }
      }]
    },
    "signature": "fw547v63bo5687wvwbcqp349vwo876uc3q..."
  }
}
```

```json=
{
  "descriptor": {
    "method": "PermissionsRequest"
  }
}

{
  "descriptor": {
    "method": "PermissionsGrant"
  }
}

{
  "descriptor": {
    "method": "PermissionsRevoke",
    "objectId": ""
  }
}
```

```json=
{
  "inclusionProofType"
  "inclusionProof" :{
    "type": "whateva",
    "proof":
  }
}
```

```json=
{
  "descriptor": {
    "method": "PermissionsGrant",
    "objectId": "f45wve-5b56v5w-5657b4e-56gqf35v",
    "grantedFor": "b6464162-84af-4aab-aff5-f1f8438dfc1e",
    "delegatedFrom": "DANIELS_DOPE_PERMS_HOE",
    "ability": {
      "can": {
        "method": "CollectionsWrite",
        "schema": "https://schema.org/MusicPlaylist"
      },
      "conditions": {
        "encryption": 1,
        "attestation": 0,
        "sharedAccess": true
      }
    }
  }
}
```

```json=
{
  "descriptor": {
    "method": "PermissionsGrant",
    "objectId": "f45wve-5b56v5w-5657b4e-56gqf35v",
    "grantedFor": "b6464162-84af-4aab-aff5-f1f8438dfc1e",
    "delegatedFrom": "HENRY",
    "ability": {
      "can": {
        "method": "CollectionsWrite",
        "schema": "https://schema.org/MusicPlaylist"
      },
      "conditions": {
        "encryption": 1,
        "attestation": 0,
        "sharedAccess": true
      }
    }
  }
}
```