@@ -355,13 +355,17 @@ To create a Space:
355355* Perform an authenticated Create Space operation that includes a Proof of
356356 (cryptographic material) Possession via a mechanism such as HTTP Signatures.
357357
358- * The signing DID (from the proof of possession signature) is set as the
359- Space's ` controller ` . See the [ Space ` controller ` and the Root of
360- Trust] ( #space-controller-and-the-root-of-trust ) section for more details)
361-
362358* If an ` id ` is provided in the Create Space request, it must start with ` urn:uuid ` .
363359 If no ` id ` is provided, it will be generated by the storage server.
364360
361+ * A ` controller ` MUST be provided in the request body.
362+ * If no ` controller ` is provided, the server MUST return an HTTP 400 error
363+ response
364+ * The signing DID (from the proof of possession signature) MUST match the
365+ Space's ` controller ` . This is how the root of trust is initially set up
366+ (see the [ Space ` controller ` and the Root of
367+ Trust] ( #space-controller-and-the-root-of-trust ) section for more details)
368+
365369* (Optional, out of scope) A given storage provider MAY impose additional
366370 requirements in order to create a Space for a given controller, such as:
367371 - a Verifiable Credential representing a pre-arranged onboarding coupon
@@ -380,7 +384,8 @@ Content-type: application/json
380384Authorization: ...
381385
382386{
383- "name": "Example space #1"
387+ "name": "Example space #1",
388+ "controller": "did:key:z6MkpBMbMaRSv5nsgifRAwEKvHHoiKDMhiAHShTFNmkJNdVW"
384389}
385390```
386391
@@ -403,14 +408,64 @@ Note that in the example above:
403408
404409* the ` id ` was not specified in the body of the request, and so was generated by
405410 the server and returned in the response
406- * the ` controller ` was not specified in the body of the request, it was determined
407- by the server (based on the Key ID in the ` Authorization ` header's HTTP
408- Signature)
409411
410- Example error response (missing Proof of Possession signature, unable to
411- determine controller):
412+ #### Create Space Errors
413+
414+ Example error response (missing ` controller ` property):
415+
416+ ``` http
417+ HTTP/1.1 400 Bad Request
418+ Content-type: application/problem+json
419+ Content-Language: en
420+
421+ {
422+ "type": "https://wallet.storage/spec#create-space-errors",
423+ "title": "Invalid Create Space request.",
424+ "errors": [
425+ {
426+ "detail": "'controller' property is required.",
427+ "pointer": "#/controller"
428+ }
429+ ]
430+ }
431+ ```
432+
433+ Example error response (missing Proof of Possession signature):
434+
435+ ``` http
436+ HTTP/1.1 401 Unauthorized
437+ Content-type: application/problem+json
438+ Content-Language: en
412439
413- Example error response (invalid authorization):
440+ {
441+ "type": "https://wallet.storage/spec#create-space-errors",
442+ "title": "Invalid Create Space request.",
443+ "errors": [
444+ {
445+ "detail": "Valid proof of possession of the 'controller' DID must be provided."
446+ }
447+ ]
448+ }
449+ ```
450+
451+ Example error response (invalid authorization - the signing DID in the ` Authorization `
452+ header does not match the DID specified in the ` controller ` ):
453+
454+ ``` http
455+ HTTP/1.1 403 Forbidden
456+ Content-type: application/problem+json
457+ Content-Language: en
458+
459+ {
460+ "type": "https://wallet.storage/spec#create-space-errors",
461+ "title": "Invalid Create Space request.",
462+ "errors": [
463+ {
464+ "detail": "The signing DID from the Authorization header must match the 'controller' DID in request body."
465+ }
466+ ]
467+ }
468+ ```
414469
415470Example error response (missing or insufficient onboarding material provided):
416471
0 commit comments