Add example authorization capabilities for operations.

index.html

@@ -528,95 +528,229 @@ <h2>
 
       <section class="normative">
         <h2>
-  Operations
+  Operations and Authorization Structure
         </h2>
 
         <p>
 Data vaults allow for the classic set of CRUD (Create, Read, Update and Delete)
 operations on its data models.
+All operations performed by an Encrypted Data Vault must carry appropriate
+authorization. This section considers the structure (data model) of
+authorizations in the context of operations they're authorizing.
         </p>
 
         <section class="normative">
           <h3>
     Create Operation
           </h3>
 
-          <ul>
-            <li>
-Create Vault: Creates/provisions an Encrypted Data Vault by specifying a
-<code>DataVaultConfiguration</code> structure. This includes Replication configuration.
-            </li>
-            <li>
-Create Index: Creates an Index for a particular Vault.
-            </li>
-            <li>
-Create Resource (Document or Stream): Creates a Resource in a given Vault.
-            </li>
-          </ul>
+          <section class="normative">
+            <h4>
+              Create Vault
+            </h4>
+
+            <p>
+This operation creates/provisions an Encrypted Data Vault instance by specifying
+a <code>DataVaultConfiguration</code> structure (see the Encrypted Data Vault
+Data Model section). This includes Replication configuration.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Create Vault operation.">
+{
+  "@context": [
+    "https://w3id.org/security/v2",
+    "https://w3id.org/security/suites/ed25519-2020/v1"
+  ],
+  "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs",
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+  "proof": {
+    "type": "Ed25519Signature2020",
+    "created": "2021-11-11T20:30:40Z",
+    "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+    "proofPurpose": "capabilityInvocation",
+    "proofValue": "z3sLGvhHU..."
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>
+              Create Resource
+            </h4>
+
+            <p>
+This operation creates an encrypted resource (a Document with or without an
+associated Stream), in a given vault instance.
+            </p>
+          </section>
         </section>
 
         <section class="normative">
           <h3>
     Read Operation
           </h3>
 
-          <ul>
-            <li>
-Read Vault Configuration: Returns the <code>DataVaultConfiguration</code> object
-for a given Vault.
-            </li>
-            <li>
-Read Index: Returns the Index configuration object.
-            </li>
-            <li>
-Read Resource (Document or Stream): Returns the given resource.
-            </li>
-          </ul>
+          <section class="normative">
+            <h4>Read Vault Configuration</h4>
+
+            <p>
+Returns the <code>DataVaultConfiguration</code> object for a given Vault.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Read Vault Config operation.">
+{
+  "@context": [
+    "https://w3id.org/security/v2",
+    "https://w3id.org/security/suites/ed25519-2020/v1"
+  ],
+  "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy",
+  "allowedAction": "read",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+  "proof": {
+    "type": "Ed25519Signature2020",
+    "created": "2021-11-11T20:30:40Z",
+    "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+    "proofPurpose": "capabilityInvocation",
+    "proofValue": "z3sLGvhHU..."
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>Read Resource (Document or Stream)</h4>
+
+            <p>
+Returns the requested encrypted resource.
+            </p>
+          </section>
         </section>
 
         <section class="normative">
           <h3>
             Update Operation
           </h3>
 
-          <p class="issue">
-Does an Update Index operation make sense?
-          </p>
+          <section class="normative">
+            <h4>Update Vault Configuration</h4>
 
-          <ul>
-            <li>
-Update Vault Configuration: Modifies the <code>DataVaultConfiguration</code>
-object for a given Vault.
-            </li>
-            <li>
-Update Index: Modifies the Index configuration object.
-            </li>
-            <li>
-Update Resource (Document or Stream): Updates the encrypted resource (note that
-this is a "full replace" operation).
-            </li>
-          </ul>
+            <p>
+              Modifies the <code>DataVaultConfiguration</code> object for a given Vault.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for an Update Vault operation.">
+{
+  "@context": [
+    "https://w3id.org/security/v2",
+    "https://w3id.org/security/suites/ed25519-2020/v1"
+  ],
+  "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy",
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+  "proof": {
+    "type": "Ed25519Signature2020",
+    "created": "2021-11-11T20:30:40Z",
+    "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+    "proofPurpose": "capabilityInvocation",
+    "proofValue": "z3sLGvhHU..."
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>Update Resource (Document or Stream)</h4>
+
+            <p>
+Updates the encrypted resource (note that this is a "full replace" operation),
+and any corresponding encrypted indexes.
+            </p>
+          </section>
         </section>
 
         <section class="normative">
           <h3>
             Delete Operation
           </h3>
 
-          <p class="issue" data-number="114"></p>
+          <section class="normative">
+            <h4>Delete Vault</h4>
 
-          <ul>
-            <li>
-Delete Vault Configuration: Deletes a Vault.
-            </li>
-            <li>
-Delete Index: Deletes an Index.
-            </li>
-            <li>
-Delete Resource (Document or Stream): Deletes the encrypted resource (note that
-a tombstone object should remain behind for replication purposes).
-            </li>
-          </ul>
+            <p class="issue" data-number="21"></p>
+
+            <p>
+Deletes a vault.
+            </p>
+
+<pre class="example highlight"
+  title="Example authorization capability for a Delete Vault operation.">
+{
+  "@context": [
+    "https://w3id.org/security/v2",
+    "https://w3id.org/security/suites/ed25519-2020/v1"
+  ],
+  "id": "urn:zcap:root:https%3A%2F%2Fexample.com%2Fedvs/z4sRgBJJLnYy",
+  "allowedAction": "write",
+  // entity on which the operation is performed
+  "invocationTarget": "https://example.com/edvs/z4sRgBJJLnYy",
+  // DID used to prove possession (invoke the capability)
+  "controller": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+  "proof": {
+    "type": "Ed25519Signature2020",
+    "created": "2021-11-11T20:30:40Z",
+    "verificationMethod": "did:example:abcd#z6Mkje7QZCEUGCxTsxQjq4V37YGZoUrUc9cwJZ3gLHRTrixF",
+    "proofPurpose": "capabilityInvocation",
+    "proofValue": "z3sLGvhHU..."
+  }
+}
+</pre>
+          </section>
+
+          <section class="normative">
+            <h4>Delete Resource (Document with or without an associated Stream)</h4>
+
+            <p class="issue" data-number="20"></p>
+
+            <p>
+Deletes the encrypted resource (note that a tombstone object should remain
+behind for replication purposes).
+            </p>
+          </section>
+        </section>
+
+        <section class="normative">
+          <h3>
+            Query Operation
+          </h3>
+
+          <section class="normative">
+            <h4>Query all Resources in a Vault</h4>
+
+            <p>
+              Requests all resources in a vault.
+            </p>
+
+          </section>
+
+          <section class="normative">
+            <h4>Query on an Encrypted Index Value</h4>
+
+            <p class="issue" data-number="37"></p>
+          </section>
         </section>
 
         <section class="normative">