Which component is responsible for access control?

https://github.com/ceramicnetwork/ceramic/blob/main/OVERVIEW.md#policies

Hi forgive my ignorance,

I’m wondering, is Ceramic Network the one responsible for access control of our data?

[image: DID workflow diagram]

  1. Seems to me that in this case, Ceramic Network is the DID Controller, right?
  2. If that’s true, is Ceramic the one asking for the user’s private key signature to give them access to the DID subject?

Best,
David


Data on Ceramic is public by default. You can encrypt data before putting it into Ceramic of course, but that’s up to the application to handle.

The DID controller only affects who is allowed to update a stream; it has no implications for who has access to read the data. Generally the DID used as the controller for a stream is a DID owned by the end user of the application. So it usually correlates to the user’s blockchain wallet. This means that if, for example, an app is using Ceramic to store user profiles, there will be one profile per user, each with a different controller DID that corresponds to that user’s blockchain wallet.


Hi @spencer thx for the prompt reply~

Got it, so data on Ceramic is public by default.

Tiles are used to define more explicit, specific terms around the design of a particular service or the access control requirements and permissions needed to access it. For example, policies can define the data model for an application, terms and requirements of a service, or the permissions set by a user to access their data.

  • Privacy Policy: User-managed access control permissions to their resources
  1. Just to clarify, “permissions set by a user to access their data”: the data here stands for a stream, right?
    In other words, we can authorize whether this dApp can write to our stream?
  2. About DID controller: the controller here stands for Ceramic Network, right?
  3. “You can encrypt data before putting it into Ceramic of course”: sorry for going a little bit off on a tangent. Let’s say you only want to authorize dApp A to read your encrypted profile; how does dApp A decrypt your profile without your private key? (I guess I’m dumb)

Thx for your prompt reply again, Best,
David

In other words, we can authorize whether this dApp can write to our stream?

Yes, we use an object capability system called CACAO (Chain Agnostic Capability Object) to allow users to grant permission to another key to write data on their behalf into their streams. Since you use the word dApp in your question though, to be clear, it is not possible for a smart contract running on a blockchain to write data directly to Ceramic (unless some sort of bridge or oracle is used), as Ceramic is a separate network and smart contracts cannot generally access the internet.

About DID controller: the controller here stands for Ceramic Network, right?

No, DIDs (Decentralized Identifiers) are a W3C recommended standard for representing identities online. DIDs map a pseudonymous identifier to a public/private keypair for performing cryptographic signatures. So when we talk about the DID controller for a stream, we mean the actual end user’s DID. Apps that use Ceramic give their users a DID, generally by having them use a blockchain wallet with something like SIWE (sign-in with Ethereum) or SIWS (sign-in with Solana) to generate a did:pkh for the user from the user’s blockchain wallet. Docs here are still kind of light, but @avi or @mattdavis0351.eth should be able to point you in the right direction on where to look for more information on how to get started with this.

how does dApp A decrypt your profile without your private key?

That’s not really something that Ceramic manages; you’d have to do your own key management or use a system that does key management for you. Some Ceramic users have been using Lit Protocol for this, but I cannot speak to that solution one way or the other; you’ll have to look into it yourself and see if it looks like a good fit for your needs.

Okay, got a response from Avi. More information on DIDs and did:pkh is available here: https://did.js.org/

thx @spencer for correcting my misunderstanding about controller~
Also, Lit Protocol is very useful information.

btw I found this glossary page, hope other newcomers find it useful when learning Ceramic~
