Secure Data Storage WG Agenda - Thu Sept 17th, 2020

Current Spec

Issues

Agenda

1. IPR Reminder

2. Introductions and Re-Introductions

3. Authorization: Criteria Selection

4. (if time) Issue Review 

Authorization scheme selection criteria

1. What language are we going to use to discuss Proof of Cryptographic Possession / Cryptographic Invocation? (Examples: DPoP in OAuth 2.0 vs. ZCAP cryptographic invocation)

    * need to agree on the language

    * need to agree on whether it's a required selection criterion

2. Delegation (multi-step delegation, with attenuation) 

    * need a good clear example of why delegation might be useful

3. Structured Scopes (whatever authorization token we settle on should specify resource / action, etc., like the structured scopes in auth.xyz)

    * as opposed to: OAuth2's flat freeform scopes

4. Replication / Portability

    * (if my Vault is replicated, the permissions should be too)

Proposals

PROPOSAL: The authorization system MUST NOT support decentralized delegation. 

- a bunch of -1s in chat.

PROPOSAL: The authorization system MUST support decentralized delegation. 

- ~9 +1s

PROPOSAL: The authorization mechanism MUST rely on SOME FORM of cryptographic Proof of Possession

- 8 +1s

PROPOSAL: The authorization system MUST NOT include a mechanism for attenuated delegation of authority.

- all -1s

PROPOSAL: The authorization system MUST include a mechanism for attenuated delegation of authority.

- all +1s

PROPOSAL: The authorization system MUST NOT require integrity checking of HTTP requests 

- all -1s

PROPOSAL: The authorization system MUST integrity check all parts of the HTTP request that are critical to the security of the operation being performed. (relevant headers and body)

- all +1s

PROPOSAL (from Orie): The SDS WG will specify a data model for scopes / will specify and document a minimal set of authorizations.

- (majority of +1s, +0 from Adrian)

Attendees

  • Orie Steele
  • Tobias Looker
  • Kaylia Young
  • Adrian Gropper
  • Dave Longley
  • Michael Shea
  • Evan Tedesco
  • Martin Riedel
  • Manu Sporny
  • Andreas Freund
  • Dmitri Zagidulin

Recording (Zoom)

Transcript (Otter AI)