Verifiable Credentials HTTP API Telecon
Minutes for 2021-08-17
- Introductions and re-introductions
- VC HTTP API Renaming Poll Reminder
- Simple Majority Objection w/ GNAP-KBAT
- Manu Sporny
- Mike Prorock
- Manu Sporny, Mike Prorock, Bob Wyman, Mahmoud Alkhraishi, Dmitri Zagidulin, Joe Andrieu, David Chadwick, Ted Thibodeau, Orie Steele, Butch, Juan Caballero, Stuart Freeman, Justin Richer, Mike Varley, Kaliya Young, Brian Sletten, Adrian Gropper, Michael Herman, Marty Reed, Charles E. Lehner, Ted O'Connor
- Audio Log
Mike Prorock is scribing.
Topic: Introductions and re-introductions
Reminder on renaming call
Topic: VC HTTP API Renaming Poll Reminder
Topic: Simple Majority Objection w/ GNAP-KBAT
NB: not a single person objection in this case
<justin_richer> As stated on a previous call I think the :whole: PR is a bad idea, but I'm not going to try to stop anything on that. :)
<michael_herman_(trusted_digital_web)> Why am I only hearing Adrian? ...an no one else. An interesting conversation but definitely 1-sided ;-)
<orie> everyone can see that folks don't agree to the resolution... I suggest we make the WG notes and specs reflect the WG consensus. No consensus, no resolutions :)
Man: proposal from adrian appears to be temporarily defer and maybe revisit?
<orie> we don't need to say anything about GNAP if folks can't agree its a good idea... same thing is true of WebAuthN or DID ION :)
<justin_richer> I was going to answer Joe's assertions but really there isn't much of a point here.
<orie> are Justin or Adrian planning to implement this API?
<justin_richer> I do want to point out that OAuth 2.0 bearer tokens are also usable in GNAP
<justin_richer> And that the various GNAP bound-token methods are being ported to OAuth 2.0 as well
<orie> if in the future GNAP and OAuth2.0 merge, I'll be happy to support it, when our tooling supports it.
<justin_richer> That is like asking for HTTP1 and HTTP2 to merge
<orie> maybe OAuth3?
<justin_richer> to clarify the "MUST" is that the spec has to talk about it, "SHOULD" doesn't make sense there
<justin_richer> this isn't a normative implementaiton requirement
<orie> we're waiting to see GNAP on Auth0 / Okta Roadmap, before committing to considering support for it.
Counter argument is "we are not saying you have to do anything" - whereas just existince in spec implies something will have to get done at some point
Mike_v: sees value in gnap - reiterate that they have plans for gnap at some point, but not sure how it fits at this time
<orie> Maybe that will happen soon, maybe it will take years... either way, we don't think its worth holding up building a secure API... with existing API security products and standards.
<cel> GNAP on our (Spruce's) roadmap, but we cannot commit to a schedule right now
<justin_richer> I'm personally fine with a delay because there was never a time constraint to address
Jow: missing chain and lacking leadership on group and process not documented and this is creating the issues
<orie> chairs of the ccg arbitrate, and if they fail, W3C leadership is involved i assume...
<orie> we do have editors
<mahmoud> dont we have four editors?
<orie> these folks are editors
<orie> @peacekeeper @msporny @mavarley @OR13 @mkhraisha
<orie> I am one of them
<justin_richer> Nobody's saying to ignore the problem, they're saying that this group has other work to do while the process is also fixed
<justin_richer> One note, often real consensus can't be reached until there is concrete text to discuss. It's the editors' job to get people there.
<orie> we can always add stuff later, if consensus is reaccheed
<justin_richer> So I don't disagree in principle with Orie but you can put stuff into the draft spec and say "hey the editors did this, let's talk about it"
<justin_richer> Waiting for the group to agree on every detail is a recipe for never moving forward, in my experience.
<orie> I could live with OAuth2.0 until something better exists... but I'm an engineer...