Re: [AGENDA] VC HTTP API Work Item - July 13th 2021 from Alan Karp on 2021-07-10 (public-credentials@w3.org from July 2021)

From: Alan Karp <alanhkarp@gmail.com>
Date: Sat, 10 Jul 2021 10:05:44 -0700
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: W3C Credentials CG <public-credentials@w3.org>
Message-ID: <CANpA1Z0dAAPz5c_gLfgv=tvHsPE1gfKFf6d2RffNwfXhAsT8wA@mail.gmail.com>

I won't be able to attend, but I think the second to last could be SHOULD,
or even MAY,
instead of MUST.  That way client credentials can be used within a trust
domain and bearer
tokens between them.

--------------
Alan Karp


On Sat, Jul 10, 2021 at 8:13 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> VC HTTP API Work Item - July 13th 2021
> Time: Tue 4pm ET, 1pm PT, 10pm CET, 8am NZDT (Wed)
>
> Text Chat:
>       http://irc.w3.org/?channels=ccg
>       irc://irc.w3.org:6665/#ccg
>
> Jitsi Teleconf:
>       https://meet.w3c-ccg.org/vchttpapi
>
> Duration: 60 minutes
>
> MEETING MODERATOR: Manu Sporny
>
> AGENDA:
>
> 1. Agenda Review, Introductions, Use Cases Update (10 min)
>
> 2. Pull Requests (5 minutes)
>    https://github.com/w3c-ccg/vc-http-api/pull/211
>
> 3. Issue Processing (5 minutes)
>    https://github.com/w3c-ccg/vc-http-api/issues/204
>
> 4. Authorization Proposals (40 minutes)
>
> These are synthesized proposals based on Justin's reformulation of MikeV's
> proposals, the +1s on the mailing list, work that has volunteers, and ideas
> that seem like they might at least get majority support given input from
> the
> mailing list.
>
> PROPOSAL: How a VC HTTP API client gets an authorization token is out of
> scope.
>
> PROPOSAL: How a VC HTTP API server validates an authorization token is out
> of
> scope.
>
> PROPOSAL: One of the authorization mechanisms for the VC-HTTP-API MUST be
> OAuth 2 Bearer tokens.
>
> PROPOSAL: One of the authorization mechanisms for the VC-HTTP-API SHOULD be
> GNAP key-bound access tokens.
>
> PROPOSAL: One of the authorization protocols for the VC-HTTP-API MUST be
> OAuth
> 2 Client Credentials. NOTE: This one conflicts with the first proposal (on
> purpose).
>
> PROPOSAL: The VC HTTP API MUST define access actions in terms of OAuth 2
> RAR
> structures.
>
> In the interest of making some preliminary decisions and moving on, we
> will be
> doing majority voting for all proposals that fail to achieve consensus.
> Remember that all of this is at risk to being re-litigated when the work
> flows
> into an official working group, so decisions are to be viewed as
> preliminary
> (and not final).
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>

Received on Saturday, 10 July 2021 17:06:15 UTC