Please post links and thoughts about existing or emerging standards that we should consider adopting/joining and those that might be competing for headspace. We need to be able to answer the question “How are you different than X?”
One of the lessons learned from OAuth 1 was that developers do not understand crypto. You can provide all the libraries you like; you can give them a gazillion examples; they’ll still get it wrong. A key feature of OAuth 2 was that the only crypto you needed was HTTPS. I expect HTTPS to be too heavyweight for some Spritely applications, but it would be nice if we could get away with just mutual TLS as the only required crypto. That rules out capability certificates, but I’m OK with that.
Conflict-free Replicated Data Types (CRDTs) are something that may help maintain consistency.
Sam Smith’s KERI is an alternative to distributed ledgers that provides a decentralized root of trust and key rotation. There’s a lot about identity in the material linked from the web page. Don’t be put off by that. A capability designates the object it is authorizing access to. What is that designation? It could well be a KERI identity.
I think it’s worth looking at what’s becoming Bluesky’s experimental stack: UCAN, IPLD, and DID.
I’ve looked at UCAN. It seems pretty good even though I had a few quibbles.
Interesting things about Fuchsia: