After perusing
https://identity.foundation/decentralized-web-node/spec/
a bit, I think I have an inkling of how this works.
Alice and Bob use their public nodes as incoming message
store-and-forward inboxes, and as simple repositories.
What it looks like with Collections is that Bob's message to create a
record in one of Alice's Collections contains a certificate granting
Bob (identified by a DID that points to a public key of Bob's) the
ability to create records in that collection.
That record creation message is signed by one of Bob's public keys,
referred from Bob's DID.
Now Bob can refer to this record creation message, via the message id,
as the fount of the authority to change or delete the record, or even
grant that authority to other principals identified by DIDs.
The messages changing or deleting must be signed by a private key of
Bob's, and refer to the record creation message as the fount of that
authority. If Bob granted or delegated to someone or something else,
they must refer to that granting/delegation message as their fount of
authority in their record change or deletion messages.
Anyone that gets these messages (or can obtain copies) can follow
along, verify the signatures and that the ‘actions’ in these messages
are actually permitted. Including the aforesaid nodes, and they can
then decide to either propagate the messages or not.
Sounds like something I could build with ActiveCapCerts and specified
semantics like these folks are doing.
One note though, this system of theirs leaks metadata like water through a sieve.
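
The chain-of-authority check described in this post, as an added example that is not part of the original message and does not use the DWN specification's message format: each message is signed by its author and names a parent message as its fount of authority. The field names (`action`, `authority`, `grantee`), the `did:example:` identifiers and the choice of Ed25519 are assumptions, and messages are looked up by id in a local store rather than carried inside one another.

```javascript
// Added example; field names (action, authority, grantee) are hypothetical, not DWN's format.
const { generateKeyPairSync, sign, verify, createHash } = require('crypto');
const hashOf = (body) => createHash('sha256').update(body).digest('hex');

// A principal stands in for a DID that resolves to an Ed25519 public key.
const principal = (did) => ({ did, ...generateKeyPairSync('ed25519') });

// Sign a message with the author's private key; the id is the hash of the body.
function message(signer, fields) {
  const body = JSON.stringify({ author: signer.did, ...fields });
  return { id: hashOf(body), body, sig: sign(null, Buffer.from(body), signer.privateKey) };
}

// True if msg is correctly signed and its chain of "authority" references
// leads back to a grant issued by the collection owner.
function permitted(msg, store, resolve, owner, depth = 0) {
  const m = JSON.parse(msg.body);
  const key = resolve(m.author);
  if (depth > 16 || !key || hashOf(msg.body) !== msg.id) return false;
  if (!verify(null, Buffer.from(msg.body), key, msg.sig)) return false;
  if (m.action === 'grant') return m.author === owner; // root of every chain
  const parent = store.get(m.authority);
  if (!parent || !permitted(parent, store, resolve, owner, depth + 1)) return false;
  const p = JSON.parse(parent.body);
  if (m.action === 'create') return p.action === 'grant' && p.grantee === m.author;
  if (!['update', 'delete', 'delegate'].includes(m.action)) return false;
  // Change, delete or delegate: the record's creator, or someone it was delegated to.
  return (p.action === 'create' && p.author === m.author) ||
         (p.action === 'delegate' && p.grantee === m.author);
}

// Constructed scenario: Alice owns the collection, Bob creates, Carol is delegated.
function demo() {
  const [alice, bob, carol, mallory] =
    ['alice', 'bob', 'carol', 'mallory'].map((n) => principal(`did:example:${n}`));
  const keys = new Map([alice, bob, carol, mallory].map((p) => [p.did, p.publicKey]));
  const store = new Map();
  const put = (who, f) => { const m = message(who, f); store.set(m.id, m); return m; };
  const ok = (m) => permitted(m, store, (did) => keys.get(did), alice.did);
  const grant = put(alice, { action: 'grant', grantee: bob.did });
  const create = put(bob, { action: 'create', authority: grant.id, data: 'v1' });
  const deleg = put(bob, { action: 'delegate', authority: create.id, grantee: carol.did });
  return {
    bobUpdate: ok(put(bob, { action: 'update', authority: create.id, data: 'v2' })),
    carolDelete: ok(put(carol, { action: 'delete', authority: deleg.id })),
    malloryUpdate: ok(put(mallory, { action: 'update', authority: create.id })),
    malloryCreate: ok(put(mallory, { action: 'create', authority: grant.id })),
  };
}
console.log(demo());
```

Any party holding copies of the messages and able to resolve the DIDs can run the same check, which is also why the full chain of who granted what to whom is visible to every such party.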