TBD

This is an experimental specification and is undergoing regular revisions. It is not fit for production deployment.

Introduction

TBD

Web3 Technology Stack

TBD: SIWE + CACAO + CapGrok description and reference to spec

Terminology

TBD

Data Model

The following sections outlines the data model for this document.

CacaoDelegationHolderBinding2022

When a holder desires to indicate Holder Binding based on a CACAO delegation, they MUST add a holderBinding property to a W3C Verifiable Presentation (VP) that uses the data model described in this specification.

Property Description
type The type property MUST be CacaoDelegationHolderBinding2022.
cacaoDelegation The cacaoDelegation property MUST be a URI. If it is a URI, it is expected that resolution of the URI results in a CACAO serialized as base64url-encoded CARv1 which describes the delegation between the holder and the original subject of the verifiable credentials.

If desired, it is expected that implementers would use the data URI scheme to include the content of the IPLD object directly in the cacaoDelegation property. 

               {
                  "holder": "did:key:1234:...",
                  "holderBinding": {
                     "type": "CacaoDelegationHolderBinding2022",
                     // CACAO serialized as base64url-encoded CARv1
                     "cacaoDelegation": "data:;base64,uOqJlcm9vdHOB2CpY..."
                  },
                  "verifiableCredentials": [
                     {
                        // verifiable credential in JSON-LD form
                        // with Data Integrity Proof
                     }
                  ]
                  ...
                  "proof": {
                     "verificationMethod": "did:key:1234#key-1",
                     "type": "Ed25519Signature2018",
                     "jws": "...", ...
                  }
               }
           
            {
               "holder": "did:key:1234:...",
               "holderBinding": {
                  "type": "CacaoDelegationHolderBinding2022",
                  // CID
                  "cacaoDelegation": "ipfs://bafybeigdyr..."
               },
               "verifiableCredentials": [
                  {
                     // verifiable credential in JSON-LD form
                     // with Data Integrity Proof
                  }
               ]
               ...
               "proof": {
                  "verificationMethod": "did:key:1234#key-1",
                  "type": "Ed25519Signature2018",
                  "jws": "...", ...
               }
            }

Algorithms

The following section outlines the algorithms that are used to generate and validate Holder Binding as described by this document.

Generate Algorithm

The following process, or one generating the exact output, MUST be followed when generating a holderBinding property conformant with this specification.

  1. Let holderBinding be the resulting Object that represents the Holder Binding in the verifiable presentation.
  2. Let verifiableCredentials be the verifiable credentials that are included in the verifialbe presentation which the holder wishes to bind to the verifiable presentation.
  3. Let capabilities be an array of CapGrok that has a targeted action present for each bound verifiable credential using the urn:capability:credentials: namespace. The resource of the targeted action is either the verifiable credential id property, or more generally the fully-qualified verifiable credential type property prepended by the string type:.
  4. Apply the CapGrok algorithm on capabilities to produce a deterministic human-readable statement. Let statement be the resulting statement.
  5. Let payload be an IPLD Object which contains the holder as the aud property and the subject of the verifiable credentials as the iss property.
  6. Include the capabilities in the resources property and statement in the statement property in the payload.
  7. Sign and pack the CACAO and let cacaoDelegation be the serialized base64url-encoded CARv1 containing the CACAO.
  8. Inlcude a type property in the holderBinding Object with the value set to CacaoDelegationHolderBinding2022.
  9. Include the cacaoDelegation property in the holderBinding Object. property.

Validate Algorithm

The following process, or one generating the exact output, MUST be followed when validating a verifiable presentation:

  1. Let verifiableCredentials be the (sub-)set of verifiable credentials in the verifiable presentation the verifier wishes to check the holder binding for.
  2. Let holderBinding be the holderBinding property in the verifiable presentation. If the verifiablePresenation has no holderBinding property, then stop processing, otherwise continue with the next step.
  3. Check if the type in holderBinding equals CacaoDelegationHolderBinding2022. If not, then stop processing, otherwise continue with the next step.
  4. Let cacaoDelegation be the cacaoDelegation property in holderBinding. If there is no such property, then stop processing, otherwise continue with the next step.
  5. Deserialize cacaoDelegation from base64url-encoded CARv1 into a JSON Object and let cacao be the JSON-encoded form of the decoded CACAO.
  6. Verify the signature of cacao according to the CACAO type. If the signature verification failed, stop processing, otherwise continue with the next step.
  7. Let delegator be the iss property in the payload property of cacao and let delegee be the aud property in the payload property of cacao. If these are not present, stop processing, otherwise contineue with the next step.
  8. Check if delegator matches the id property of the credentialSubject properties in the verifiable credentials in verifiableCredentials. If there is no id property in any of the verifiable credentials, stop processing, otherwise continue with the next step.
  9. Check if delegee matches the holder property in the verifiable presentation. If holder is not present, or it doesn't match, stop processing, otherwise continue with the next step.
  10. Let capabilities be the resouces array in the cacao. If not present, stop processing, otherwise continue with the next step.
  11. Let statement be the statement in the cacao. If not present, stop processing, otherwise continue with the next step.
  12. Apply the CapGrok algorithm onto statement and let statementCapGrok be the resulting the statement.
  13. Check if statement in the caaco matches statementCapGrok. If it doesn't match, stop processing, otherwise continue with the next step.
  14. Check if there is at least one CapGrok in capabilities that has an applicable targeted action present for each verifiable credential in verifiableCredentials. A targeted action applies if 1) the resouce of the targeted action matches the id property of the verifiable credential or 2) if any of the fully-qualified array items in type prepended with the String type: in the verifiable credential matches the resource of the targeted action. If there is a verifiable credential that has no applicable targeted action, stop processing, otherwise continue with the next step.
  15. Indicate that the holder binding was successfully validated.

Privacy Considerations

TBD

Security Considerations

There are a number of security considerations that implementers should be aware of when processing data described by this specification. Ignoring or not understanding the implications of this section can result in security vulnerabilities.

While this section attempts to highlight a broad set of security considerations, it is not a complete list. Implementers are urged to seek the advice of security and cryptography professionals when implementing mission critical systems using the technology outlined in this specification.

Write security considerations.

Accessibility Considerations

There are a number of accessibility considerations implementers should be aware of when processing data described in this specification. As with any web standards or protocols implementation, ignoring accessibility issues makes this information unusable to a large subset of the population. It is important to follow accessibility guidelines and standards, such as [[WCAG21]], to ensure all people, regardless of ability, can make use of this data. This is especially important when establishing systems utilizing cryptography, which have historically created problems for assistive technologies.

This section details the general accessibility considerations to take into account when utilizing this data model.

Write accessibility considerations.

Internationalization Considerations

There are a number of internationalization considerations implementers should be aware of when publishing data described in this specification. As with any web standards or protocols implementation, ignoring internationalization makes it difficult for data to be produced and consumed across a disparate set of languages and societies, which would limit the applicability of the specification and significantly diminish its value as a standard.

This section outlines general internationalization considerations to take into account when utilizing this data model.

Write i18n considerations.