Such questions are answerable if the defender has the requisite “capabilities,” each of which provides a specific inference that may be enforced upon on its own, or in combination with inferences from complementary capabilities.
I'm not certain I understand what is meant by capabilities -- is this some combination of signals and the ability to assess them?
They are intended to be high-level functional requirements: A simple statement of the specific fact that the defender has to assert.
As you point out, the implementation of this includes a signal (what is indicated) and assessment (is it true); however, I want to keep us shy of defining the exact signal (boolean? enum? scalar?) and exact mechanism of assessment (e.g. signing + certificate validation) at this stage, if possible.
Some example capabilities may be:
Does a given set of requests come from >N distinct devices?
Is this the physical device that the client reports itself to be?
Is this interaction event coming from a human?
Assuming that enough capabilities resonate across use cases and stakeholders, we should be able to group them into a cardinal set of capabilities for discussion. I anticipate that each capability will attract a robust dialogue involving privacy principles, use case criticality to the user and society, and that this will inform the parameters within which we define sources of truth and specific signals.