Verifiable Credentials HTTP API Telecon
Minutes for 2021-06-01
- Use Cases Update
- Authorization Part Deux
- Manu Sporny
- Manu Sporny, Mike Varley, Markus Sabadello, Eric Schuh, Aaron Coburn, Henry Story, Adrian Gropper, Andreas Freund, Sanuja, Diwala, Brent Shambaugh, Juan Caballero, Ted Thibodeau, Anil John, Orie Steele, David Ward
aaron_coburn is scribing.
<tallted> confirming -- delete repeating Thursday 3pm ET, effective this week?
Topic: Use Cases Update
<tallted> s/june 14/june 15/
Topic: Authorization Part Deux
Andreas: pull vs. push use case
Andreas: assumption is that authZ is needed
Andreas: is there something out of band in the communication?
<andreas_freund> @aaron ... there is the assumption of out of band communication to establish a trust relationship between requester and target systems
<andreas_freund> that is what i meant
<bblfish> ok, changed browser
Andreas: need to distinguish b/t authZ of the endpoint and authZ of the resource
Andreas: the different endpoints do different things: some are public some are not
Andreas: e.g. SAP (A) delegates to SAP (B)
Andreas: system a requests a resource (a presentation)
<adrian_gropper> Yes - I would object.
<bblfish> On the whole I am on Adrian's side, I don't think OAuth for Solid is really the right tool, for example.
<orie> sure OIDC is built on OAuth....
<tallted> OIDC is also not trapped in a G/FB coin-flip
<orie> ^ bingo
<orie> there is a difference between "authenticating an application" and a "human being"....
<juan_caballero_(dif/spruce)> but what if all the subjects of the VCs in question are inanimate objects and batches of steel or coal?
<juan_caballero_(dif/spruce)> OAuth is being used to authenticate servers which are passing between them VCs about rocks
<mike_varley> -1; I do not feel GNAP is ready to be worked with yet. But I hope it gets there soon
<bblfish> Isn't GNAP a 100-page proposal that has only just started being worked on at the IETF?
<orie> my reason for -1 is both that GNAP is not stable enough to use in production today, and its additional complexity, which is orthogonal to our mission
<markus_sabadello> XDI link contracts!
<adrian_gropper> -1
<tallted> wording bites me...
<orie> "lower priority" means a license to distract and waste call time, but no commitment.
<orie> at least to me
<orie> I would be supportive of "not blocking future solutions" and "not spending time on them other than when they are at risk of having the door shut on them".
<tallted> *nods* yes, Orie
<orie> I suspect that HTTP headers are not going away anytime soon.
<david_ward> Can the technology used be kicked down the road a bit? Is it actually important at this time, until how the endpoints fit the use cases is worked out?