Authorization Protocols

The diversity of our community is a plus. To begin a conversation on VC access controls, I suggest this short intro to the differences between OAuth 2.0 and GNAP:

My goal is to arrive at a shared understanding of what would be minimum needed to support both OAuth2 and GNAP for securing access to a VC.


This week’s CCG teleconference had a great discussion about object capabilities

Alan Karp:  I’ve been doing capabilities since I reinvented them in 1996 and I want to make sure we get it right, because when newbies start to use them there are plenty of mistakes that can be made

[…] A capability or an OCAP is an unforgeable, transferable, permission to use the thing it designates … it combines designation with authorization

I was reading zcaps draft, as well as related work, mostly macaroons (

Something that I found confusing  about capability documents is that they do not make clear the actions they concern. For example from this it is not clear that this is a capability for “driving a car”.

We are still trying to figure out how to explain these things to people.

Capabilities-based systems are not a new concept; they’re decades old at this

point. The challenge has always been in communicating why they’re useful and

have a place in modern security systems.

The Encrypted Data Vault work uses zcaps, and it’s there that we’re trying

hard to explain to developers how to use it:

After ruminating on ZCAPs, VCs, DIDs, and DID Documents over Easter dinner, it occurred to me that we’re on the verge of creating a model for a “verifiable” economy…


I see all of this converging into a Capability Authorization-enabled Decentralized Object Model.  “More news at 11…”


Updates on Kepler including implementing support for CACAO-ZCAPs, improved the put function to make it easier to store objects of different types, and added support for listing objects by prefix: kepler-sdk#40 kepler#115.



these are the types of use cases that we think can be created and enabled across the web as an open, interoperable standard. And some of it crosses into the work we’re doing as part of the Decentralized Identity Foundation, too.