Let us assume that Alice and Bob each have 4 agents (A.1-A.4 and B.1-B.4, respectively), and that each of these agents possesses one key pair that is authorized to authenticate and to do certain things in the DID Doc. A.1 and B.1 are routing (cloud) agents, whereas A.2-4 and B.2-4 run on edge devices that are imperfectly connected. A.1 and B.1 do not appear in the authentication section of their respective DID Docs, and thus cannot log in on Alice's or Bob's behalf.
Let us further assume that Alice and Bob each have two "recovery keys": A.5 and A.6; B.5 and B.6. These keys are not held by agents, but are printed on paper and held in a vault, or are sharded to friends. They are highly privileged but very difficult to use, since they would have to be digitized or unsharded and given to an agent before they would be useful.
"Admin" operations like adding keys and granting privileges to them require either one of the privileged recovery keys, or 2 of the other agent keys to agree.
Let us further assume that the initial state of Alice's domain, as described above, is known as A.state[0], and that Bob's state is B.state[0]. These states may be represented by the following authorization section of each DID Doc:

[TODO]
1. A.1 attempts to rotate its key by sending a `sync_state` message to A.2. Expected outcome: A.1 should receive an ACK, and A.2's state should be updated. Once A.1 receives the ACK, it should commit the pending change in its own key. Until it receives the ACK, it should NOT commit the pending change.
2. Like #1, except that the message goes to B.1 and B.1's state is what should be updated.
3. A.1 attempts to send a message to B.1, using the `~relstate` decorator, claiming states with `hash(A.state[0])` and `hash(B.state[0])`. Expected outcome: B.1 accepts the message.
4. As #3, except that A.1 claims the current states are random hashes. Expected outcome: B.1 sends back a problem report, plus two `sync_state` messages (one with `who` = "me" and one with `who` = "you"). Each has an empty `deltas` array and `base_state` = the correct base state hash.
5. A.1 attempts to rotate the key for A.2 by sending a `sync_state` message to any other agent. Expected outcome: the change is rejected with a problem report that points out that A.1 is not authorized to rotate any key other than its own.
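The five test cases above, modelled as an added example that is not part of the RFC or of any agent implementation. The DID Doc layout, the hash function and the shape of the `sync_state` message (`base_state`, `deltas`, `signers`) are assumptions made for this example, since the page leaves the real authorization section as [TODO].

```python
import copy
import hashlib
import json
# Constructed toy authorization section for Alice's domain (A.state[0]); the
# layout (role + current public key per key id) is an assumption for this example.
A_STATE_0 = {
    "keys": {
        "A.1": {"role": "routing", "pub": "pk-A1-v1"},
        "A.2": {"role": "edge", "pub": "pk-A2-v1"},
        "A.3": {"role": "edge", "pub": "pk-A3-v1"},
        "A.4": {"role": "edge", "pub": "pk-A4-v1"},
        "A.5": {"role": "recovery", "pub": "pk-A5-v1"},
        "A.6": {"role": "recovery", "pub": "pk-A6-v1"},
    },
    "authentication": ["A.2", "A.3", "A.4"],  # A.1 is absent: it cannot log in
}
# Bob's domain (B.state[0]) mirrors Alice's.
B_STATE_0 = json.loads(json.dumps(A_STATE_0).replace("A.", "B.").replace("pk-A", "pk-B"))

def state_hash(state):
    """Assumed: hash(state) is SHA-256 over the canonical JSON of the auth section."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()

def authorized(state, delta, signers):
    """A key may rotate itself. Anything else is an admin operation that needs one
    recovery key or two non-recovery agent keys (the rule stated on the page)."""
    if delta["op"] == "rotate" and set(signers) == {delta["key"]}:
        return True
    roles = [state["keys"][s]["role"] for s in signers if s in state["keys"]]
    return "recovery" in roles or roles.count("edge") + roles.count("routing") >= 2

def handle_sync_state(state, msg):
    """Recipient side of sync_state (test cases 1, 2, 5): check base_state and the
    authorization of every delta; return ("ack", new_state) or ("problem-report", why)."""
    if msg["base_state"] != state_hash(state):
        return "problem-report", "base_state does not match my current state"
    new = copy.deepcopy(state)  # the sender commits its own copy only after the ACK
    for d in msg["deltas"]:
        if not authorized(state, d, msg["signers"]):
            return "problem-report", f"{sorted(msg['signers'])} may not {d['op']} {d['key']}"
        new["keys"][d["key"]]["pub"] = d["new_pub"]
    return "ack", new

def handle_relstate(my_state, their_state, claimed_mine, claimed_theirs):
    """Check a ~relstate claim (test cases 3, 4). On mismatch answer with a problem
    report plus one sync_state per side (who="me"/"you") carrying the correct base_state."""
    if (claimed_mine, claimed_theirs) == (state_hash(my_state), state_hash(their_state)):
        return "accept", []
    resync = [{"who": who, "base_state": state_hash(s), "deltas": []}
              for who, s in (("me", my_state), ("you", their_state))]
    return "problem-report", resync
```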