Do capabilities support key rotation?

[OR13]

Should invoker be limited to DIDs or DID_URLS ?

See https://github.com/decentralized-identity/confidential-storage/pull/142/files#r541971789

[llorllale]

I favor specifying the invoker to be a DID. I agree we should limit ourselves to one or the other in order to simplify implementations (DID resolver vs DID URL de-referencer).

The semantics around DID verification relationships are well-established.

It allows key rotation.

Allows use cases requiring deactivation (such as a user ending their relationship with a service provider). Edit: although this is still enabled by DID URLs.

There's always did:key for use cases that want to constrain access to a single key.

[DRK3]

Discussed on July 22, 2021 WG call:

• Action item: change the example so the question doesn't come up.
• Use the term "controller" instead of "invoker"
• The value of the controller property should just be a DID.
• Should it be a did:key did? -> Use did:example
• Concerns about using rotating keys from OCAP community

Proposal: leave the ability to do key rotation (by specifying DIDs), until concerns are raised from OCAP community

• Clarify that we're only using DIDs here for the key rotation ability.
• Raise the possible concerns against key rotation in the ZCAP spec.

[dmitrizagidulin]

Addressed by PR #75 (invoker changed to controller, using a DID for controller)