Mahmoud Alkhraishi: On index.html there's a lot of things being removed, like encryption key management. I don't believe we received reqs these should be removed, says removing them for clutter. I feel these are important ✪
Mahmoud Alkhraishi: Spec about, would you like to be able to work to us, send data to us. like, if you don't use tls it won't work, we won't accept your stuff. can't test for encryption at rest, but we can rec you do that. so yes, not hard req, but good idea to keep in actual spec ✪
Mahmoud Alkhraishi: Is a must right now in spec. Feel that that should stay in, but no hard statement saying "if it's must, must be testable" ✪
Nis Jespersen : That aside, why is storage part of protocol? ✪
Mahmoud Alkhraishi: Can ay encryption at rest maybe not part, but encryption in transit yes definitely. ✪
Mahmoud Alkhraishi: I'd rather we keep these in. disaster recovery stuff maybe not, not actually telling you how to do it, so that should go. threat model, maybe should stay, non-normative, tiny, actually... ✪
Patrick St-Louis: Q on reqs, a lot of items noted post 1.0 release, how update reqs? ✪
Mahmoud Alkhraishi: Don't think they mention 1.0 ✪
Patrick St-Louis: Want to understand, how will the test suite evolve along with reqs, if reqs come before test suites, are we expecting change in suites soon enough? ✪
Ted Thibodeau: Seems odd making substantial alterations to conform to reqs some of us can't see ✪
Nis Jespersen : Was going to ask, mavennet, do you know if reqs available online? ✪
Mahmoud Alkhraishi: Not publicly available. Patrick it's a direction question. We have existing tests, if new reqs come in, what happens to existing tests? ✪
Patrick St-Louis: Makes sense, have conformance and interop test suites. conformance do test data model with neg tests, but most important part interop, can cred issued by some org be verified by another org. If conformant against self good to know, but these sorts of tests outside data model good to know. ✪
Mahmoud Alkhraishi: Clarifying, nis pointed out where in reqs we've said 2.0. ✪
Ted Thibodeau: How make what we have conform with secret reqs, though? ✪
Nis Jespersen : Have 3 companies on call contracted with gov, building for gov. not a secret, just not been shared publicly. there are earlier drafts ✪
Ted Thibodeau: Work of ccg is entirely outside bounds of cbp, ridiculously secret cohort project. thing is semipublic, needs to become public or not be banging on ccg. ✪
<nis> Reminder I need to drop in 2 mins
Patrick St-Louis: In beginning, comment, trace perceived as us way of doing things. answer was that this is more global. but when reqs come from cbp, reinforces that this is us system. ✪
Nis Jespersen : Acknowledgement, says, no secret this is for us gov ✪
Mahmoud Alkhraishi: While they've funded us to work on this, doesn't mean they have any control over this work. ppl on call have say, "don't like these things don't include them" ✪
Nis Jespersen : Need to drop, hope you can stay on call ✪
Patrick St-Louis: As you get more actors to impose changes, on this pr been open two weeks. I have no problem with content, it's just to put these in renqs week, week and a half, seems abrupt. incl as "this is where we're going, next step", but keep test suites as are now. For me it's how quickly these came into play ✪
Ted Thibodeau: Starting point, change title of pr to, reflect more of functional justification. cbp not mentioned in acknowledgements. should not be black box from which mysterious deletion of chunk of stuff that was work. don't have a problem removing what's in this pr. ✪
Mahmoud Alkhraishi: Reqs only in mandatory to implement html file. everything else is nis cleaning up spec in general. two separate things ✪
Mahmoud Alkhraishi: Could I walk through reqs 1 by 1? I agree with you, will update pr name and split into two PRs. One, updates to clean up existing pieces, one "requirements". Does that sound fair? ✪
Mahmoud Alkhraishi: Yes. and these are what we're already doing, just says "use latest version of it". use latest jose/cose, use statuslist. these reqs are just, use latest version of publicly available drafts as your baseline. ✪
Patrick St-Louis: Yeah. think there should be section on backwards compatibility. ✪
Mahmoud Alkhraishi: That was nis. just says "we're considering diff drafts, waiting til mature, once its mature we'll choose one". was wishy washy statement ✪
Patrick St-Louis: Sd has a place I think, removing it entirely, think there should be a section even if just says "under eval" ✪
Mahmoud Alkhraishi: Should be non-normative, for info only, with you. ✪
Ted Thibodeau: Why not piped through pr preview? ✪
Patrick St-Louis: Looking at privacy considerations ✪
Mahmoud Alkhraishi: Yeah, lot of work to be done, I'm with you. nis's first instinct. I'll split it into two PRs, one that outlines "we need to sync to latest version". ✪
Patrick St-Louis: Three prs, selective disclosure in own pr? I can make an issue for sd stuff. ✪
Ted Thibodeau: Looking at what's in this pr. two substantial change suggestions, both in reqs list and reference section above. I believe this update was intended to peg interop spec to specific versions of other spec. ✪
Mahmoud Alkhraishi: These should be applied, make sense ✪
Mahmoud Alkhraishi: Says its outdated, when I un-resolved it. think it's a github thing. ✪
Ted Thibodeau: Yeah github, when click on commit doesn't show changes happened, file does ✪
Mahmoud Alkhraishi: So, fork off of this pr, revert changes on cleanups, keep rest of changes to reqs, discuss those on merits 1 by 1, remove references to cbp, new pr that doesn't touch selective disclosure, then patrick open third pr to clean up sd ✪
Patrick St-Louis: Sure, issue then pr linked to it ✪
Mahmoud Alkhraishi: Next up 629, by patrick, change collection link to use SL2021 collection ✪
Patrick St-Louis: Confused by orie's comments. in interop & conformance there's tests for both. but github actions only tests 2020, not 2021. I'd like to drop support for R2020. According to orie, cred status update wouldn't work. ✪
Mahmoud Alkhraishi: As general idea, previous pr says "use 2021". we've all wanted that. orie's saying "until that's merged don't test for 2021". I don't agree ✪
Patrick St-Louis: Don't understand why cbp status update has to do with this ✪
Mahmoud Alkhraishi: Nowhere in spec says use status list 2021 ✪
Mahmoud Alkhraishi: So I would't merge on top of his objections, ask him to clarify. ted put link in chat to where says sl2021 is req in spec, ask him to clarify why wouldn't. ✪