►
From YouTube: Connecting IPFS users and permissions to DIDs with UCAN - @hugomrdias - Connecting IPFS
Description
Connecting IPFS users and permissions to DIDs with UCAN - presented by @hugomrdias at IPFS þing 2022 - Connecting IPFS - https://2022.ipfs-thing.io
A
A
We
have
some
some
stuff
already
working
and
it's
pretty
interesting
and
we
want
to
dig
deeper
into
this
and
start
using
this
more
and
more
in
our
services
and
connecting
our
services
with
identity,
with
permissions,
making
them
more
flexible
and
more
powerful
and
easier
to
integrate
from
the
the
outside
with
other
services,
not
specific,
like
the
stuff
we
built
so
yeah.
A
That's
me:
we
can
move
on
so
the
ids,
so
the
ids,
I'm
just
gonna-
go
through
really
fast
about
the
ids,
because
it's
just
to
tie
into
other
two
other
things.
So
the
id
is
identity,
dedication,
proof
of
control.
This
is
the
lies,
self-issue
several
things
that
are
good
about
the
ideas.
A
I
don't
know
if
you
know
about
this,
but
yeah
it
took
a
while,
but
it
was
advanced
to
other
recommendation
and
the
director
said
yeah.
Let's
the
balance
lies
in
favor
of
the
idea
developer,
community
community
and
the
objections
are
overruled
yeah.
Several
other
companies
were
kind
of
blocking
this
off,
but
yeah.
A
Yeah,
so
we
for
now
are
focusing
on
the
id
key
method,
so
this
is
one
example
of
how
that
works
so
stuff
that
you
probably
already
know
like
multi-base
and
multi-colors
are
all
in
there.
This
is
basically
a
public
key
identifier.
A
And
one
of
the
things
that
some
considerations
and
around
this
method
around
security
around
privacy
can
be
addressed
with
the
stuff
that
I'm
going
to
talk
right
after
which
is
eucans
so
stuff
around
relocation
and
even
rotation
can
be
dealt
with
so
the
the
two
paired
up
really
well
so
yeah
you
can't
user,
controlled
authorization
networks
and
one
of
the
great
like
phrases
for
you
can
this?
Is
this
one
like
transfer
authority
without
transferring
keys?
So
we
we?
A
We
started
talking
about
the
ideas,
it's
more
like
identity
who
you
are,
and
you
can't
is
more
like
what
you
can
do
and
the
way
to
transfer
those
that
authority
that
those
capabilities
to
other
actors
in
your
system,
your
networks,
in
whatever
way
you
want
yeah
some
of
the
the
great
things
about
you-
cans,
trustless,
secure,
local,
first
attenuation,
revocation,
verifiable,
it's
the
delegation,
it's
expressive
extensible
and
it's
all
about
capabilities.
A
So
with
this
we
can
kind
of
achieve
a
kind
of
a
new
version
of
control
back
to
the
user,
and
the
user
is
in
control
of
the
capabilities
who
to
delegate
what
to
delegate.
So
it
turns
the
the
whole
authentication
and
authorization
on
this
side.
A
A
A
A
So,
as
I
was
saying,
the
ids
and
you
can
they
kind
of
love
each
other
and
complement
each
other,
and
this
kind
of
one
example
of
how
a
uk
looks
like
so
here
we
have
alice
delegating
something
to
to
bob,
so
this
is
kind
of
like
like
the
resource
and
the
the
the
action
or
the
operations
like
upload.
Here
is
kind
of
okay.
There's.
A
Thing
going
on
there
and
you
all
the
operations
under
that
namespace
you're
kind
of
delegating
to
bob
and
on
the
next
one.
So
if
then,
bob
wants
to
delegate
someone
else
in
this
case
like
a
service
like
the
ones
we
have
like
nfc
storage
like
something
is
kind
of
missing
here.
This
doesn't
really
make
sense
right,
because
now
bob
wants
to
to
this
would
be
like
an
invocation.
A
You
can
so
this
would
it's
the
thing
that
you
send
us
saying:
okay,
I'm
gonna
upload
something
now
these
don't
make
sense
like
bob
and
if
something
is
kind
of
missing
here
right.
So
actually
what
it
really
looks
like
is
something
like
this.
So
bob
wants
to
upload
20.
storage,
but
to
the
like
the
alice
bucket
or
the
alex
namespace.
A
So
he
needs
a
proof
from
alex.
So
the
the
proof
is
this
one,
so
alice
delivered
to
bob
for
to
upload
or
basically
do
whatever
action
under
this
namespace
to
this
resource
pointer
and
that
one
can
use
this
one
as
a
proof,
and
you
can
actually.
This
would
actually
work
to
to
do
an
upload
actually
probably
exactly
like
like
this.
It
would
work
on
nft
storage
somewhat,
so
this
is
basically
an
overview
on
how
you
can
and
you
can
shame
or
the
proofs
in
in
a
in
you
can
work.
A
A
Yeah
yeah:
this
was
like
the
first
prototype
that
we
did
when
we
start
looking
into
ucans-
and
this
is
this
is
actually
in
production.
But
that's
like
a
preview
feature
on
nft.storage.
So
what
we?
A
What
we
have
here-
and
this
was
like
to
to
solve
a
real
use
case-
that
we
have-
and
we
still
have
right
now,
which
is
like
we
have
our
service
and
if
it's
not
storage,
we
have
like
an
nft
marketplace
and
the
nft
marketplace
as
alice,
probably
running
some
going
to
a
website
or
a
browser,
or
something
like
that.
A
Normally,
what
would
happen
is
like
alice
would
need
to
upload
the
thing
to
into
the
marketplace
and
then
the
marketplace
uploads
to
us,
which
is
kind
of
troublesome,
and
we
can
do
better
and
one
way
to
do
it
better.
It's
with
ucans
because
there's
a
delegation
going
on,
so
we
have
the
nft
servers
on
that
side.
A
That
can
delegates
from
the
permission
or
you
can
to
do
uploads
to
the
marketplace
because,
like
it's,
the
marketplace
account
and
we
know
about
it.
So
that
yellow
thing
there
is
it's
about
like
the
marketplace
as
an
account
with
us.
So
alice
doesn't
alice
has
an
account
with
the
the
marketplace.
A
So
the
marketplace
starts
like
the
process
there.
So
they
start
by
getting
informing
us
about
their
own.
The
id
we
sign
a
you
can
for
them
and
we
give
them.
We
give
them
the
actual
you
can,
so
they
can
do
whatever.
So
it's
the
wild
wildcard
thing,
so
they
can
do
all
of
the
things
under
the
upload
namespace.
A
So
now
they
can
delegate
to
their
own
users
and
they
can
they
can
delegate
like
shortly.
You
can't
for
browser
sessions
and
with
they
can
attenuate
the
capabilities
instead
of
the
wild
card.
They
can
just
say,
okay
for,
like
20
minutes
alice
can
do
one.
B
A
And
that's
it
and
if
it
expires,
they
can
do
the
loop
and
ask
for
a
new.
You
can
and
move
on
one
of
the
the
interesting
things
here,
and
this
is
more
actually
on
the.
How
you
can
works
is
like
this
this
bit
here
like
if
you
see,
if
you
look
like
in
this
diagonal,
this
is
the
actual
you
can
chain
the
delegation
chain.
That's
really
interesting
and
that's
basically
how
you
cans
are
really
awesome
and
really
powerful,
because
we
can
verify
all
of
that.
A
So
what
happens
at
the
end,
when
all
this
delegation
ends
is
here,
alice
doesn't
need
to
upload
to
the
marketplace.
You
can
just
upload
to
us
directly.
So
just
right,
there
is
like
a
big
win.
That's
why
we
kind
of
started
looking
into
this
more
and
more
and
more
and
now
we
are
even
doing
more
st
more
things
than
like
everything
similar
to
this,
but
in
on
this
example,
as
I
said,
this
was
just
one
and
the
first
prototype
there's.
A
Actually
one
thing
that
kind
of
could
be
better,
which
is
that
bit
over
there,
where
the
service
is
the
one
delegating
to
the
marketplace.
A
So
now,
in
the
the
new
stuff
that
we're
trying
building
the
marketplace
can
actually
just
self-issue
that
you
can
doesn't
need
to
talk
to
us
first,
the
only
thing
he
needs
to
create
an
account.
He
needs
to
tell
us
about
the
id,
but
it
doesn't
need
us
to
issue
him.
The
the
you
can
itself
because
he
is
he
is,
he
has
an
account
he
can
just
self-issue.
A
Some
operations
can
work
like
that.
Some
others
are
harder
and
more
complex
and
more
so
others
may
still
come
from
the
service,
but
in
general,
most
of
the
operation,
the
user
can
just
self-issue.
A
Okay,
so
now
one
of
the
things
that
we
did
after
that
first
prototype
was
actually
build
up:
an
implementation
of
ucans
in
ipld
via
advanced
data
layouts
designed
for
use
with
the
multifarms
and
the
the
it
was
directly
gonzalo.
You
may
know
him
that
actually
built
this,
not
what
we
have
with
it
is
like.
We
have
an
apld
schema
that
can
be
encoded
as
daxivore.
A
We
also
support
encoding
as
jwts
and
others,
and
we
also
support
like
raw
jwts
with
a
little
bit
of
magic
in
there.
So
we
can
account
for
white
space
and
key
order
and
stuff
like
that,
because
we
need
to
keep
those
for
the
signatures
to
match
and
the
good
thing
about
it
is
like
we
can
export
a
fully
pin
chain
into
a
car
file.
A
A
We
can
and
we
we
will
do
more
stuff
with
it,
so
this
is
kind
of
the
the
the
container
or
the
how
we
wrap
everything
together,
because
it's
a
framework
that
we
can
use
to
build
our
you
can
base
rpc
apis
and
when
we
say-
or
I
say
apis
does
need
to
be
a
rest.
Api
can
be
a
little
pgp,
rpc
type
of
stuff
or
pub
sub.
Whatever
you
want
some
nice
things
about,
it
is
like
it
has
a
nice
way
to
define
your
capabilities
and
it
kind
of
guides
you
to
okay.
A
You
should
start
by
defining
your
capabilities,
and
then
it
gives
you
the
tools
coming
out
of
the
the
capability
definition
to
do
everything
else
like
setting
up
the
connections,
actually
invoking
those
capabilities
to
trigger
the
operation
and
stuff
like
that,
the
second
one
is
like
actually,
basically
that
which
is
is
also
able
to
route
the
the
capability
invocation
and
actually
executed.
A
There's
also
the
the
uk
validation
system
inside
it.
This
is
more
on
the
on
the
server
side
of
it,
and
it's
also
pluggable
in
the
transport
layer
as
in
the
actual
transport.
So
it
can
be
http.
It
can
be
php
and
also
in
the
codex
for
the
requests
and
the
response,
and
the
last
bit
is
more
about
like
the
client
side
of
it,
which
we
support
like
batch
invocations.
So
we
can
invoke
several
things
at
at
the
same
time.
A
It's
basically
sending
multiple
you
can't,
or
you
can
change
at
the
same
time
and
also
has
like
full
type
infusions
from
the
server.
A
So
yeah
wrapping
everything
we
have
the
ids.
We
have
that
you
can.
We
have
you
can
too.
So
what?
What
does
that
mean?
That
means
that
we
can
have
identity
permission
operations,
all
packaged
up
as
car
files
and
with
car
files.
We
can
even
include
like
the
the
interest
interesting
bit
is
like
we
can
package
everything.
We
can
package
multiple
operations
and
we
can
have
the
id
and
permissions
plus
a
list
of
several
things.
A
A
A
A
The
user
tells
us
about
their
the
the
ids,
and
we
have
like
an
end
user
entry
point
that
right
now
is
just
a
cli
to
upload
files,
and
the
third
system
integrated
was
what
we
call
upload
v2,
which,
where
the
the
bytes
go,
where
the
file
gets
uploaded
to
and
after
that,
it's
all
about
the
elastic
ipfs
that
you
already
heard
about,
and
we
kind
of
it
was
kind
of
cool,
because
we
we
kind
of
worked
separately
communicating
but
in
several
ways.
A
But
when
we
tried
to
integrate
it
will
work
like
kind
of
beautifully
like
the
first
time
we're
trying
to
integrate
everything.
Everything
works
like
the
first
one
we
tried,
so
it
was
kind
of
cool
and
it
validated
all
all
the
stuff
that
all
the
tooling
we
are
building
and
also
like
the
the
use
case
and
why
you
can't
are
so
cool
and
also
the
tooling
that
we
built
is
kind
of
pretty
awesome.
A
So
yeah
I
was
talking
about
like
we
can
do
multiple
operations
inside
the
car
floor,
one
of
the
the
nice
things
would
be
to
have
like
delegated
ips
mutations
and
that's
the
thing
we
really
want
to
kind
of
go
into.
We
will
already
have
like
w3
name.
A
That
was
a
previous
talk
early
in
the
day,
but
the
what
would
be
really
interesting
is
to
actually
support
ucans
in
something
like
w3
name,
which
is
not
actually
ips,
and
it's
really
hard
for
it
to
be
apns
until
actually
ipfs
kind
of
supports
you
can
we
try
it
and
probably
still
discuss
a
lot
more
about
this
if
we
have
any
way
to
be
compatible
and
still
like,
have
the
the
proper
ips
records
in
the
network
or
not,
but
right
now,
it's
kind
of
hard
to
get
there.
A
So
we're
probably
going
to
build
an
ips
that
supports
ucans
and
hopefully,
with
that
experience
gain
with
that
knowledge,
we
can
bring
back
through
implementations
and
kind
of
convince
them.
Okay,
you
can't
are
cool.
Maybe
you
should
support
that
and
everything
can
work
together,
much
better,
so
yeah.
A
Some
of
the
use
cases
for
this
is
like
uploading,
a
file
and,
at
the
same
time
like
changing
an
ips
record
or
an
ips
record,
because,
as
I
said,
the
card
file
already
has
the
identity
already
has
the
permissions,
and
it
can
do
two
things
at
the
same
time,
but
because
we
are
sending
that
to
a
service
like
an
ftd
storage
or
way
through
that
storage.
A
A
But
if
we
have
we
accounts
you
can
we
don't
need
to
sign
it.
The
user
doesn't
need
to
sign.
It
just
needs
to
delegate
to
permission
for
us
to
sign
it,
and
then
we
can
hook
up
into
wt
name
and
all
the
nice
things
that
the
lutheran
name
does.
We
can
also
do
like
transfer
large
docs
into
like
shards
across
multiple
network
requests
and
kind
of
create
sessions
and
use
ips
to
to
be
like
the
the
thing
that
ties
up
the
session
and
kind
of
creates
a
session.
A
It's
also
really
useful,
and
I'm
really
excited
about
this
one,
which
would
be
like
uncoordinated
multiplayer
that
creation
or
transfer,
which
is
more
of
an
advanced
thing.
But
if
we
start
building
up
all
these
primitives,
we
can
get
there
and
I
think
it
can
really
work
and
then,
at
the
end
it's
all
about.
Can
we
actually
make
it
really
ipfs?
A
So
we
would
need
help
from
ipfs,
implementations
and
whatnot
to
be
able
to
tie
everything
together
and
to
finish
up
what,
if
ipfs
could
talk
you
can
like,
as
I
told
you
like,
delegate
ibn's
mutation,
would
be
kind
of
great.
It
can
also
be
useful
to
delegate
ipfs
operations
to
remote
nodes,
writable
gateways
gateway
routed
operations,
maybe
even
bitswap,
where
else,
if
you
are
interested
in
this
topic,
let's
talk
more
about
it
and
yeah,
just
some
future
work.
A
It's
all
a
big
thing,
key
management,
it's
kind
of
hard
and
we're
still
talking
about
what's
the
best
way
to
handle
key
management
on
the
client
side
and
on
the
back
end
side,
we
need
definitely
need
to
improve
the
tooling
and
build
more
tooling
on
the
uk
inside
there's
still,
some
spec
work
to
be
done
to
be
improved,
especially
on
the
transports
and
yeah.
That's
it.
If
you
have
any
questions,
this
qr
code
is
just
for
the
slides.
A
If
you
want
to
look
into
it,
and
we
also
doing
thursday
an
open
session
about
you,
can't
that
we
call
it,
you
can
join
and
yeah
links,
for
it
will
be
sent
in
slack.
And
if
you
are
interested.
A
A
A
In
our
use
case,
it
was
most
like
that,
because
we
kind
of
have
like
the
the
centralized
type
of
http
api,
but
in
the
future
what
we
want
to
evolve
into
is
more
of
a
decentralized.
That's.
Why
like
naming
is
always
hard
and
I'm
I
was
talking
about
clients
and
servers,
and
that's
one
of
the
things
we
we
want
to
kind
of
change.
A
It's
because
it's
not
going
to
be
always
like
that,
like
a
client
and
servant
more
like
nodes
and
actors
talking
to
each
other,
but
we
don't
actually
need
like
a
server
to
be
the
the
the
the
target
for
an
invocation
in
a
new
you
can
invocation.
We
just
can
do
leap
to
p
from
one
node
to
the
other
and
just
say:
oh,
I
want
you
to
do
this
thing
for
me
and
here's
the
thing
that
proves
that
you
can
do
it.
B
It
was
originally
concepted,
as
this
works
offline,
so
like
to
support
local
first
use
cases
but
permission
to
be
quickly
encrypted,
so
definitely
peer-to-peer.
It
was
designed
to
go
to
that
and
we
actually
did
server-based
versions.
Second,
because
people
are
like
boris
shut,
the
hell
up,
we're
still
running
servers,
but
it
turns
out
that
there's
a
lot
of
useful
use
cases
on
the
server
side
as
well
and
remixing
right.
B
C
C
C
A
There's
actually
a
talk
at
one
right,
some
folks
from
subconscious
and
no
sphere
are
talking
about
it
and
they
touch
a
little
bit
on
you
can't
because
they
are
using
it.
Some
more
examples
are
I
don't
know
what
five
seems.
B
Not
actually
a
joke,
unfortunately,
that's
jack's
lock.
So
a
lot
of
did
centric
stuff
that
is
tied
to
microsoft.
Island
bitcoin,
stuff
they've
ended
up
plug-ins.
They
gave
the
capability
model.
B
So
one
of
the
other
use
cases
that
we
wrote
as
a
blog
post
is
imagine
you're
an
ecommerce
standard
and
you
want
to
get
discounts
from
shop
a
to
shop
b.
Are
you
gonna
say?
Are
you
gonna
share
your
entire
customer
database
of
email
addresses?
You
are
not,
but
can
you
like?
This
is
more
sort
of.
B
C
We're
also
like,
over
time,
we're
going
to
have
all
of
our
internal
distributive
system
as
the
idea.
So
when
you
you'll
ask
our
services
to
call
these
and
then
you'll
actually
see
that
sort
of
delegate.
To
another
token,
just
like
you
know
the
24-hour,
like
key
reviews
right
so
all
of
our
internal
key
rotations,
you'll
see
in
this
game,
and
we
can
then
at
any
time
break
those
into
other
services
we're
not
bound
to
any
infrastructure
company
anymore
right
like
if
you
run
into
the
cloud
provider
and
just
all
looks
the
same.