Re: VC HTTP Authorization Conversation

+1 to start defining what *is* in scope, instead of what is not (as one who is guilty of providing an “out of scope?” use case/capability 😊)
I recommend on the next call we focus on some of the use cases at the top of the document to start aligning on the in-scope items.

Thanks.

MV

From: Juan Caballero <juan.caballero@spherity.com>
Date: Thursday, June 10, 2021 at 5:37 PM

On 6/10/2021 4:52 PM, Manu Sporny wrote:


On 6/10/21 10:04 AM, Orie Steele wrote:

I see the scope of the VC-HTTP-API as limited to the following:



1. HTTP endpoints for producing and consuming the W3C VC Data Model Objects

2. HTTP endpoints for producing and consuming extensions to the VC Data Model,

or data structures it relies on, like Revocation Status and Credential Schemas

3. Recommendations for securing these HTTP endpoints using HTTP Headers.

4. Recommendations for exposing these HTTP endpoints inside and across trust

domains.

The above feels like a good start to a scoping statement.
+1 from the use-case team.  We are coming up fast on the deadline for "first drafts" of use cases that are far enough along to anchor PRs. If you have opinions about #3 and #4 (especially an opinion like, "I would hate to see mTLS discouraged as a valid option for #3/4"), a quick way to lobby for that opinion is to submit a first-draft use case.  Feel free to "fork," riff, or expand on other peoples' submissions that are halfway to what you want to see, but too brief, too specific in in describing a solution rather than a problem, etc.



This email and any attachments are for the sole use of the intended recipients and may be privileged, confidential or otherwise exempt from disclosure under law. Any distribution, printing or other use by anyone other than the intended recipient is prohibited. If you are not an intended recipient, please contact the sender immediately, and permanently delete this email and its attachments.