
How does replication and portable authorizations work? #67

Open
dmitrizagidulin opened this issue Sep 2, 2021 · 1 comment
Labels
ready for PR Ready for Pull Request

Comments

@dmitrizagidulin
Contributor

If I have a document on an encrypted data vault A, https://example.com/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz, and I have an authorization/capability for that document, how does the EDV spec ensure that when the document is replicated to another vault B, my authorization works for that replica also?

(See also the discussion over at #52 )

@dmitrizagidulin dmitrizagidulin added the question Further information is requested label Sep 2, 2021
@dmitrizagidulin
Contributor Author

Discussed on Sep 30, 2021 call.

Q: Do we consider replication to cross trust boundaries?

  • Who controls (the key to) the vaults?
  • Who is hosting them (who owns/controls the machines they're hosted on)?
  • Are the vaults on different domains?
  • There's a difference between a multi-tenant hosting service EDV, and a single-tenant EDV.

It's important to understand the various use cases. (see Replication use cases doc.)

  • Dave Longley: If the replication crosses trust boundaries, then you're going to need a different authorization (capability/token)
  • Dave Longley: If it's WITHIN the same trust boundary, you'd want to make the authorization the same (no need to complicate the interface).
  • Adrian: How do resources controlled by multiple entities play into this?
  • Dave Longley: in terms of the authorization data model, if you're crossing web domains/origins, you're crossing trust boundaries (it does not matter that both domains are controlled by the same entity). This is how the general browser security model works, too.

Proposal: in the spec, where we talk about replication and authorization, we should add a section (with examples) stating that when you're hosting on different domains, you're crossing trust boundaries, and describing its effect on the authz data model.

@DRK3 DRK3 added ready for PR Ready for Pull Request and removed question Further information is requested labels Oct 28, 2021
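An added illustration of the origin-based rule from the call notes above (example code, not from the EDV spec or this thread): a capability whose invocation target lives on vault A is honoured only for requests within A's web origin, and a replica on a different origin, even one run by the same entity, needs a separate capability. The replica URL, the `invocationTarget` field name and the capability dict shape are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: the document URL from the issue and a replica of it on a
# second vault B (replica URL is made up for this example).
DOC_A = "https://example.com/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz"
DOC_B = "https://replica.example.org/edvs/z4sRgBJJLnYy/documents/zMbxmSDn2Xzz"

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url: str) -> tuple:
    """Web origin as (scheme, host, port), filling in the scheme's default port.
    Same host on a different port is a different origin, as in browsers."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def same_trust_boundary(url_a: str, url_b: str) -> bool:
    """Trust boundary == web origin; who operates the hosts is irrelevant."""
    return origin(url_a) == origin(url_b)


def capability_applies(capability: dict, request_url: str) -> tuple:
    """Decide whether an assumed capability {'invocationTarget': <url>} covers
    a request. Returns (allowed, reason)."""
    target = capability["invocationTarget"]
    if not same_trust_boundary(target, request_url):
        # Replica on another origin: the authorization does not carry over.
        return False, "different origin: separate capability required"
    # Same origin: reuse the authorization, but only for the target resource
    # or resources beneath it (compare whole path segments, not raw prefixes).
    t_path = urlsplit(target).path.rstrip("/")
    r_path = urlsplit(request_url).path
    if r_path == t_path or r_path.startswith(t_path + "/"):
        return True, "same origin: authorization reused"
    return False, "same origin but outside invocation target"


if __name__ == "__main__":
    cap = {"invocationTarget": DOC_A}
    print(capability_applies(cap, DOC_A))  # (True, 'same origin: authorization reused')
    print(capability_applies(cap, DOC_B))  # (False, 'different origin: ...')
```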