AVC — schema and validation

Unstable

Schema

An AVC carries a unique id, subject and issuer actor ids, an optional parent AVC id (for delegation), a policy domain, a scope (action set + optional constraints), a validity window, and an issuer signature.

Delegation

Delegation strictly narrows scope: a child AVC's permitted actions and constraints must be a subset of its parent's. Validation rejects any attempt to widen scope beyond the parent.

Validation rules

  • Signature verifies under the registered issuer key.
  • Current time is within not_before/not_after.
  • Subject actor is active.
  • Issuer actor is active and authorized to issue in the policy domain.
  • Parent AVC, if present, is itself valid and not revoked.
  • Scope is contained within the parent's scope.
  • Policy expressions evaluate without error.

Validation is fail-closed and deterministic.
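
The following sketch is an added example, not the project's own code. It shows the rule list above as a fail-closed check that walks the delegation chain. Assumptions: the field names (other than not_before/not_after), the in-memory Registry, the verify_sig hook, integer timestamps, and a scope reduced to its action set (constraints and policy expressions are left out).

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class AVC:                      # field names are assumptions based on the schema
    id: str
    subject: str
    issuer: str
    domain: str
    actions: frozenset          # scope reduced to its action set
    not_before: int
    not_after: int
    parent: Optional[str] = None
    signature: bytes = b""

@dataclass
class Registry:                 # hypothetical in-memory actor/AVC store
    avcs: dict                  # AVC id -> AVC
    active: set                 # active actor ids
    issuers: dict               # policy domain -> authorized issuer ids
    revoked: set                # revoked AVC ids
    verify_sig: Callable[[AVC], bool]  # assumed hook, e.g. ML-DSA-65 verify

def validate(avc_id, reg, now, chain=frozenset()):
    """True only if every rule holds; any missing record or error denies."""
    try:
        avc = reg.avcs[avc_id]
        if avc_id in chain or avc_id in reg.revoked or not reg.verify_sig(avc):
            return False        # parent cycle, revoked, or bad signature
        if not avc.not_before <= now <= avc.not_after:
            return False
        if not {avc.subject, avc.issuer} <= reg.active:
            return False
        if avc.issuer not in reg.issuers.get(avc.domain, ()):
            return False
        if avc.parent is not None:
            if not validate(avc.parent, reg, now, chain | {avc_id}):
                return False    # invalid or revoked ancestor cascades down
            if not avc.actions <= reg.avcs[avc.parent].actions:
                return False    # child may narrow scope, never widen it
        return True
    except Exception:           # fail closed on lookup, type, or hook errors
        return False

def sample(child_actions):      # constructed data, not from the page
    root = AVC("a1", "svc", "root", "pay", frozenset({"read", "write"}), 0, 100)
    kid = AVC("a2", "job", "svc", "pay", frozenset(child_actions), 0, 100, "a1")
    return Registry({"a1": root, "a2": kid}, {"root", "svc", "job"},
                    {"pay": {"root", "svc"}}, set(), lambda avc: True)
```

Because the parent is re-validated on every call, revoking "a1" in the sample registry denies "a2" without any per-child bookkeeping.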

Revocation

An issuer revokes their AVC by submitting a signed revocation. The revocation cascades to all derivative AVCs. Already-issued trust receipts under the revoked AVC remain as evidence of past authorization.

Signature algorithms

ML-DSA-65 (CRYSTALS-Dilithium) is the post-quantum signature algorithm for new AVCs. Hybrid signatures are supported for transitional environments.