On 22/08/2021 20:25, Joe Andrieu wrote:

On Sun, Aug 22, 2021, at 11:25 AM, David Chadwick wrote:
For example, I think the minimum authz token that should be accepted, where one is needed, is an X.509 PKC. Plain and simple. No authz/delegation infrastructure is needed for this. Requiring an OAuth token is heavier lifting, as OAuth requires HTTPS as the foundation. (And yes, I accept that some calls may not require any authz at all, and be publicly accessible.)

This is a great example for why any early binding at this stage is likely a poor choice.

That's exactly my point about why the HTTP API spec should concentrate on functionality first and foremost, and leave all the authz and security issues to either last or, preferably, a subsequent spec.


IMO, what we should be doing is defining an extension mechanism that allows any number of auth mechanisms to work interchangeably, like we did with crypto-suites for the DID and VC specs.

Then, we can focus on the actual mechanism using real spectext rather than getting lost in rathole discussions about which auth approach is best.

The devil will be in the details for that extension mechanism. Whatever mechanism we choose may not be able to treat all options equally, but at least we can separate the debate about good v bad authorization strategies from the specific means through which we will support authorization.


Joe Andrieu, PMP                    joe@legreq.com
LEGENDARY REQUIREMENTS              +1(805)705-8651
Do what matters.                    http://legreq.com