Commit e59b097

committed
wip
1 parent ac5c472 commit e59b097

1 file changed

+26
-0
lines changed

docs/reference/specifications/PSP-3 - Sigchain and Envelope.mdx

Lines changed: 26 additions & 0 deletions
@@ -17,3 +17,29 @@ Provided by the Grant Payload (PCAP-01):
1717
- action: A single verb string (e.g., "deploy:to_env").
1818
- resource: A single resource identifier (e.g., a URI).
1919
- bind: The Bind object containing capability constraints.
20+
21+
Normative rules:
22+
23+
- Grants MUST be written on the issuer's (P's) sigchain.
24+
- The envelope MUST include iss, sub, exp, and a valid signature per SIGCHAIN-01; Presentations beyond exp are invalid.
25+
- payload.typ MUST be "ClaimGrant".
26+
- A Grant MUST carry exactly one action (verb) and exactly one resource.
27+
- action MUST reference a registered verb; for attenuation, child.action MUST equal parent.action unless the verb registry defines a subset sub-verb accepted by TAP.
28+
- resource MUST conform to a registered scheme; for attenuation, resource.child MUST be a subset of resource.parent per the scheme's subset relation.
29+
- bind MUST be enforceable by CEPs and MUST be included as a bind_snapshot in the Access PoAR (PRSC-01).
30+
- Required Bind dimensions declared by the verb's registry entry (e.g., nbf/exp, channel, policyRef) MUST be present; otherwise the CEP MUST deny.
31+
- Unknown verbs, unknown resource schemes, or unresolvable scheme comparators MUST cause deny.
32+
- CEPs MUST check revocation status (see Revocation) before enforcement.
33+
- Presentations MUST reference the Grant via its canonical digest (grant_ref) derived per SIGCHAIN-01.
34+
35+
Recommended fields:
36+
37+
- aud: DID or array of DIDs of acceptable enforcers (e.g., `"did:pk:P"` or `["did:pk:P","did:pk:R"]`)
38+
- purpose: semantic hash or descriptor of intent (e.g., `"sha256:artifact-H"`, `"door-visit-123"`)
39+
- context: structured k/v describing runtime context (e.g., `{"pod":"runner-xyz","ns":"ci"}`)
40+
- nbf, exp: NumericDate (Unix seconds) defining the enforceable window; if the envelope also carries nbf/exp, CEPs MUST enforce the intersection
41+
- ttl: maximum Presentation lifetime in seconds (e.g., 120)
42+
- maxUses: optional counter for total uses (enforced only by stateful CEPs)
43+
- geofence / net: optional constraints (e.g., CIDR, region, location)
44+
- channel: required channel-binding profile id (e.g., "tls_exporter:v1", "dpop:v1")
45+
- policyRef: OPTIONAL content-addressed “affordance bundle” for mediated flows (e.g., Allowed-Surface); structure/enforcement in CEP/BA spec
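
Review bot: In the Recommended fields list, maxUses is described as "enforced only by stateful CEPs", which leaves a stateless CEP free to accept a Grant whose use counter it cannot track, and that sits badly with the normative rule that bind MUST be enforceable by CEPs. Suggest stating that a CEP which cannot enforce a Bind dimension present in the Grant MUST deny, matching the deny-on-unknown rule already given for verbs and resource schemes. Two smaller points in the same hunk: channel is worded as "required" and policyRef as "OPTIONAL" under a heading that says "Recommended fields", while the normative rule lists both as examples of dimensions a verb's registry entry can require, so the heading and the per-field wording should be aligned; and the attenuation rules write child.action / parent.action but resource.child / resource.parent, which should use one ordering.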
