Re: [AGENDA] VC HTTP API Work Item - July 13th 2021

Manu,

I would like to run the following:

PROPOSAL: We do not separate GNAP from OAuth2 until it is clear how much
extra work GNAP would add within the scope of the VC-HTTP API specification
once that scope is established by consensus.


This proposal would have the effect of focusing attention on the scoping
questions _before_ we revisit the protocol questions including RAR, OAuth2,
and GNAP.


Also, as part of the Use Cases and scope discussion, I hope we can be clear
on which party is responsible for registering the requesting party client
in cases where the protocol allows the VC Issuer to request client
credentials.


- Adrian




On Sat, Jul 10, 2021 at 11:12 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> VC HTTP API Work Item - July 13th 2021
> Time: Tue 4pm ET, 1pm PT, 10pm CET, 8am NZDT (Wed)
>
> Text Chat:
>       http://irc.w3.org/?channels=ccg
>       irc://irc.w3.org:6665/#ccg
>
> Jitsi Teleconf:
>       https://meet.w3c-ccg.org/vchttpapi
>
> Duration: 60 minutes
>
> MEETING MODERATOR: Manu Sporny
>
> AGENDA:
>
> 1. Agenda Review, Introductions, Use Cases Update (10 min)
>
> 2. Pull Requests (5 minutes)
>    https://github.com/w3c-ccg/vc-http-api/pull/211
>
> 3. Issue Processing (5 minutes)
>    https://github.com/w3c-ccg/vc-http-api/issues/204
>
> 4. Authorization Proposals (40 minutes)
>
> These are synthesized proposals based on Justin's reformulation of MikeV's
> proposals, the +1s on the mailing list, work that has volunteers, and ideas
> that seem like they might at least get majority support given input from
> the mailing list.
>
> PROPOSAL: How a VC HTTP API client gets an authorization token is out of
> scope.
>
> PROPOSAL: How a VC HTTP API server validates an authorization token is out
> of scope.
>
> PROPOSAL: One of the authorization mechanisms for the VC-HTTP-API MUST be
> OAuth 2 Bearer tokens.
>
> PROPOSAL: One of the authorization mechanisms for the VC-HTTP-API SHOULD be
> GNAP key-bound access tokens.
>
> PROPOSAL: One of the authorization protocols for the VC-HTTP-API MUST be
> OAuth 2 Client Credentials. NOTE: This one conflicts with the first proposal
> (on purpose).
>
> PROPOSAL: The VC HTTP API MUST define access actions in terms of OAuth 2
> RAR structures.
>
> In the interest of making some preliminary decisions and moving on, we
> will be doing majority voting for all proposals that fail to achieve
> consensus. Remember that all of this is at risk of being re-litigated when
> the work flows into an official working group, so decisions are to be
> viewed as preliminary (and not final).
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>

Received on Sunday, 11 July 2021 19:35:17 UTC