From eb7c9991633ab7e491f103fc052bef08c283519e Mon Sep 17 00:00:00 2001
From: Dmitri Zagidulin <dzagidulin@gmail.com>
Date: Thu, 16 Sep 2021 15:52:44 -0400
Subject: [PATCH 1/3] Add example authorization capabilities for operations.

---
 index.html | 284 +++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 230 insertions(+), 54 deletions(-)

diff --git a/index.html b/index.html
index 510bebc..6363fb7 100644
--- a/index.html
+++ b/index.html
@@ -528,12 +528,15 @@ <h2>
 
       <section class="normative">
         <h2>
-  Operations
+  Operations and Authorization Structure
         </h2>
 
         <p>
 Data vaults allow for the classic set of CRUD (Create, Read, Update and Delete)
 operations on its data models.
+All operations performed by an Encrypted Data Vault must carry appropriate
+authorization. This section considers the structure (data model) of
+authorizations in the context of operations they're authorizing.
         </p>
 
         <section class="normative">
@@ -541,18 +544,58 @@ <h3>
     Create Operation
           </h3>
 
-          <ul>
-            <li>
-Create Vault: Creates/provisions an Encrypted Data Vault by specifying a
-<code>DataVaultConfiguration</code> structure. This includes Replication configuration.
-            </li>
-            <li>
-Create Index: Creates an Index for a particular Vault.
-            </li>
-            <li>
-Create Resource (Document or Stream): Creates a Resource in a given Vault.
-            </li>
-          </ul>
+          <section class="normative">
+            <h4>
+              Create Vault
+            </h4>
+
+            <p>
+This operation creates/provisions an Encrypted Data Vault instance by specifying
+a <code>DataVaultConfiguration</code> structure (see the Encrypted Data Vault
+Data Model section). This includes Replication configuration.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Create Vault operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>
+              Create Resource
+            </h4>
+
+            <p>
+This operation creates an encrypted resource (a Document with or without an
+associated Stream), in a given vault instance.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Create Resource operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/documents",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
         </section>
 
         <section class="normative">
@@ -560,18 +603,51 @@ <h3>
     Read Operation
           </h3>
 
-          <ul>
-            <li>
-Read Vault Configuration: Returns the <code>DataVaultConfiguration</code> object
-for a given Vault.
-            </li>
-            <li>
-Read Index: Returns the Index configuration object.
-            </li>
-            <li>
-Read Resource (Document or Stream): Returns the given resource.
-            </li>
-          </ul>
+          <section class="normative">
+            <h4>Read Vault Configuration</h4>
+
+            <p>
+Returns the <code>DataVaultConfiguration</code> object for a given Vault.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Read Vault Config operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "read",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>Read Resource (Document or Stream)</h4>
+
+            <p>
+Returns the requested encrypted resource.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Read Resource operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "read",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
         </section>
 
         <section class="normative">
@@ -579,23 +655,52 @@ <h3>
             Update Operation
           </h3>
 
-          <p class="issue">
-Does an Update Index operation make sense?
-          </p>
+          <section class="normative">
+            <h4>Update Vault Configuration</h4>
 
-          <ul>
-            <li>
-Update Vault Configuration: Modifies the <code>DataVaultConfiguration</code>
-object for a given Vault.
-            </li>
-            <li>
-Update Index: Modifies the Index configuration object.
-            </li>
-            <li>
-Update Resource (Document or Stream): Updates the encrypted resource (note that
-this is a "full replace" operation).
-            </li>
-          </ul>
+            <p>
+              Modifies the <code>DataVaultConfiguration</code> object for a given Vault.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for an Update Vault operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>Update Resource (Document or Stream)</h4>
+
+            <p>
+Updates the encrypted resource (note that this is a "full replace" operation),
+and any corresponding encrypted indexes.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Read Resource operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
         </section>
 
         <section class="normative">
@@ -603,20 +708,91 @@ <h3>
             Delete Operation
           </h3>
 
-          <p class="issue" data-number="114"></p>
+          <section class="normative">
+            <h4>Delete Vault</h4>
 
-          <ul>
-            <li>
-Delete Vault Configuration: Deletes a Vault.
-            </li>
-            <li>
-Delete Index: Deletes an Index.
-            </li>
-            <li>
-Delete Resource (Document or Stream): Deletes the encrypted resource (note that
-a tombstone object should remain behind for replication purposes).
-            </li>
-          </ul>
+            <p class="issue" data-number="21"></p>
+
+            <p>
+Deletes a vault.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Delete Vault operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>Delete Resource (Document with or without an associated Stream)</h4>
+
+            <p class="issue" data-number="20"></p>
+
+            <p>
+Deletes the encrypted resource (note that a tombstone object should remain
+behind for replication purposes).
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Delete Resource operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
+        </section>
+
+        <section class="normative">
+          <h3>
+            Query Operation
+          </h3>
+
+          <section class="normative">
+            <h4>Query all Resources in a Vault</h4>
+
+            <p>
+              Requests all resources in a vault.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Query All Resources in a Vault operation.">
+{
+  "@context": ["https://w3id.org/security/v2"],
+  "allowedAction": "read",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/query",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd",
+  "proof": {
+    // ...
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>Query on an Encrypted Index Value</h4>
+
+            <p class="issue" data-number="37"></p>
+          </section>
         </section>
 
         <section class="normative">

From ad4a44795e2d83046b9e12962df3fd2abe53c9ed Mon Sep 17 00:00:00 2001
From: Dmitri Zagidulin <dzagidulin@gmail.com>
Date: Thu, 11 Nov 2021 15:44:56 -0500
Subject: [PATCH 2/3] Update vault crud zCaps, remove others.

---
 index.html | 142 +++++++++++++++++++++--------------------------------
 1 file changed, 56 insertions(+), 86 deletions(-)

diff --git a/index.html b/index.html
index 6363fb7..79971ce 100644
--- a/index.html
+++ b/index.html
@@ -558,14 +558,25 @@ <h4>
 <pre class="example highlight"
   title="Example authorization capability for a Create Vault operation.">
 {
-  "@context": ["https://w3id.org/security/v2"],
+  "@context": [
+    "https://w3id.org/security/v2",
+    "https://w3id.org/security/suites/ed25519-2020/v1"
+  ],
+  "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs",
   "allowedAction": "write",
   // entity on which the operation is performed
   "invocationTarget": "https://example.com/edvs",
   // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
+  "invoker": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
   "proof": {
-    // ...
+    "type": "Ed25519Signature2020",
+    "created": "2021-11-11T20:30:40Z",
+    "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+    "proofPurpose": "capabilityInvocation",
+    "capabilityChain": [
+      "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs"
+    ],
+    "proofValue": "z3sLGvhHU..."
   }
 }
 </pre>
@@ -580,21 +591,6 @@ <h4>
 This operation creates an encrypted resource (a Document with or without an
 associated Stream), in a given vault instance.
             </p>
-
-<pre class="example highlight"
-  title="Example authorization capability for a Create Resource operation.">
-{
-  "@context": ["https://w3id.org/security/v2"],
-  "allowedAction": "write",
-  // entity on which the operation is performed
-  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/documents",
-  // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
-  "proof": {
-    // ...
-  }
-}
-</pre>
           </section>
         </section>
 
@@ -613,14 +609,25 @@ <h4>Read Vault Configuration</h4>
 <pre class="example highlight"
   title="Example authorization capability for a Read Vault Config operation.">
 {
-  "@context": ["https://w3id.org/security/v2"],
+  "@context": [
+    "https://w3id.org/security/v2",
+    "https://w3id.org/security/suites/ed25519-2020/v1"
+  ],
+  "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy",
   "allowedAction": "read",
   // entity on which the operation is performed
   "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
   // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
+  "invoker": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
   "proof": {
-    // ...
+    "type": "Ed25519Signature2020",
+    "created": "2021-11-11T20:30:40Z",
+    "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+    "proofPurpose": "capabilityInvocation",
+    "capabilityChain": [
+      "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy"
+    ],
+    "proofValue": "z3sLGvhHU..."
   }
 }
 </pre>
@@ -632,21 +639,6 @@ <h4>Read Resource (Document or Stream)</h4>
             <p>
 Returns the requested encrypted resource.
             </p>
-
-<pre class="example highlight"
-  title="Example authorization capability for a Read Resource operation.">
-{
-  "@context": ["https://w3id.org/security/v2"],
-  "allowedAction": "read",
-  // entity on which the operation is performed
-  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz",
-  // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
-  "proof": {
-    // ...
-  }
-}
-</pre>
           </section>
         </section>
 
@@ -665,14 +657,25 @@ <h4>Update Vault Configuration</h4>
 <pre class="example highlight"
   title="Example authorization capability for an Update Vault operation.">
 {
-  "@context": ["https://w3id.org/security/v2"],
+  "@context": [
+    "https://w3id.org/security/v2",
+    "https://w3id.org/security/suites/ed25519-2020/v1"
+  ],
+  "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy",
   "allowedAction": "write",
   // entity on which the operation is performed
   "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
   // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
+  "invoker": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
   "proof": {
-    // ...
+    "type": "Ed25519Signature2020",
+    "created": "2021-11-11T20:30:40Z",
+    "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+    "proofPurpose": "capabilityInvocation",
+    "capabilityChain": [
+      "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy"
+    ],
+    "proofValue": "z3sLGvhHU..."
   }
 }
 </pre>
@@ -685,21 +688,6 @@ <h4>Update Resource (Document or Stream)</h4>
 Updates the encrypted resource (note that this is a "full replace" operation),
 and any corresponding encrypted indexes.
             </p>
-
-<pre class="example highlight"
-  title="Example authorization capability for a Read Resource operation.">
-{
-  "@context": ["https://w3id.org/security/v2"],
-  "allowedAction": "write",
-  // entity on which the operation is performed
-  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz",
-  // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
-  "proof": {
-    // ...
-  }
-}
-</pre>
           </section>
         </section>
 
@@ -720,14 +708,25 @@ <h4>Delete Vault</h4>
 <pre class="example highlight"
   title="Example authorization capability for a Delete Vault operation.">
 {
-  "@context": ["https://w3id.org/security/v2"],
+  "@context": [
+    "https://w3id.org/security/v2",
+    "https://w3id.org/security/suites/ed25519-2020/v1"
+  ],
+  "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy",
   "allowedAction": "write",
   // entity on which the operation is performed
   "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
   // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
+  "invoker": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
   "proof": {
-    // ...
+    "type": "Ed25519Signature2020",
+    "created": "2021-11-11T20:30:40Z",
+    "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+    "proofPurpose": "capabilityInvocation",
+    "capabilityChain": [
+      "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy"
+    ],
+    "proofValue": "z3sLGvhHU..."
   }
 }
 </pre>
@@ -742,21 +741,6 @@ <h4>Delete Resource (Document with or without an associated Stream)</h4>
 Deletes the encrypted resource (note that a tombstone object should remain
 behind for replication purposes).
             </p>
-
-<pre class="example highlight"
-  title="Example authorization capability for a Delete Resource operation.">
-{
-  "@context": ["https://w3id.org/security/v2"],
-  "allowedAction": "write",
-  // entity on which the operation is performed
-  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz",
-  // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
-  "proof": {
-    // ...
-  }
-}
-</pre>
           </section>
         </section>
 
@@ -772,20 +756,6 @@ <h4>Query all Resources in a Vault</h4>
               Requests all resources in a vault.
             </p>
 
-<pre class="example highlight"
-  title="Example authorization capability for a Query All Resources in a Vault operation.">
-{
-  "@context": ["https://w3id.org/security/v2"],
-  "allowedAction": "read",
-  // entity on which the operation is performed
-  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy/query",
-  // DID used to prove possession (invoke the capability)
-  "controller": "did:example:abcd",
-  "proof": {
-    // ...
-  }
-}
-</pre>
           </section>
 
           <section class="normative">

From 9c8330d22ad1f8bae58ca442dd92f0c2040a6d9d Mon Sep 17 00:00:00 2001
From: Dmitri Zagidulin <dzagidulin@gmail.com>
Date: Thu, 11 Nov 2021 16:37:06 -0500
Subject: [PATCH 3/3] Remove unneeded capabilityChain property.

---
 index.html | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/index.html b/index.html
index 79971ce..d487761 100644
--- a/index.html
+++ b/index.html
@@ -567,15 +567,12 @@ <h4>
   // entity on which the operation is performed
   "invocationTarget": "https://example.com/edvs",
   // DID used to prove possession (invoke the capability)
-  "invoker": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+  "controller": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
   "proof": {
     "type": "Ed25519Signature2020",
     "created": "2021-11-11T20:30:40Z",
     "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
     "proofPurpose": "capabilityInvocation",
-    "capabilityChain": [
-      "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs"
-    ],
     "proofValue": "z3sLGvhHU..."
   }
 }
@@ -618,15 +615,12 @@ <h4>Read Vault Configuration</h4>
   // entity on which the operation is performed
   "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
   // DID used to prove possession (invoke the capability)
-  "invoker": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+  "controller": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
   "proof": {
     "type": "Ed25519Signature2020",
     "created": "2021-11-11T20:30:40Z",
     "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
     "proofPurpose": "capabilityInvocation",
-    "capabilityChain": [
-      "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy"
-    ],
     "proofValue": "z3sLGvhHU..."
   }
 }
@@ -666,15 +660,12 @@ <h4>Update Vault Configuration</h4>
   // entity on which the operation is performed
   "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
   // DID used to prove possession (invoke the capability)
-  "invoker": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+  "controller": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
   "proof": {
     "type": "Ed25519Signature2020",
     "created": "2021-11-11T20:30:40Z",
     "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
     "proofPurpose": "capabilityInvocation",
-    "capabilityChain": [
-      "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy"
-    ],
     "proofValue": "z3sLGvhHU..."
   }
 }
@@ -717,15 +708,12 @@ <h4>Delete Vault</h4>
   // entity on which the operation is performed
   "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
   // DID used to prove possession (invoke the capability)
-  "invoker": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+  "controller": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
   "proof": {
     "type": "Ed25519Signature2020",
     "created": "2021-11-11T20:30:40Z",
     "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
     "proofPurpose": "capabilityInvocation",
-    "capabilityChain": [
-      "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy"
-    ],
     "proofValue": "z3sLGvhHU..."
   }
 }