Secure Data Storage WG Agenda - Thu Sept 17th, 2020
1. IPR Reminder
2. Introductions and Re-Introductions
3. Authorization: Criteria Selection
4. (if time) Issue Review
Authorization scheme selection criteria
1. What language are we going to use to discuss Proof of Cryptographic Possession / Cryptographic Invocation (examples: DPoP in OAuth 2.0 vs. ZCAP cryptographic invocation)
* need to agree on the language
* need to agree on if it's a required selection criteria
2. Delegation (multi-step delegation, with attenuation)
* need a good clear example of why delegation might be useful
3. Structured Scopes (whatever authorization token we settle on should specify resource, action, etc., like the structured scopes in auth.xyz)
* as opposed to: OAuth2's flat freeform scopes
4. Replication / Portability
* (if my Vault is replicated, its permissions should be replicated too)
PROPOSAL: The authorization system MUST NOT support decentralized delegation.
- a bunch of -1s in chat.
PROPOSAL: The authorization system MUST support decentralized delegation.
- ~9 +1s
PROPOSAL: The authorization mechanism MUST rely on SOME FORM OF cryptographic Proof of Possession
- 8 +1s
PROPOSAL: The authorization system MUST NOT include a mechanism for attenuated delegation of authority.
- all -1s
PROPOSAL: The authorization system MUST include a mechanism for attenuated delegation of authority.
- all +1s
PROPOSAL: The authorization system MUST NOT require integrity checking of HTTP requests
- all -1s
PROPOSAL: The authorization system MUST integrity check all parts of the HTTP request that are critical to the security of the operation being performed. (relevant headers and body)
- all +1s
PROPOSAL (from Orie): The SDS WG will specify a data model for scopes / will specify and document a minimal set of authorizations.
- (majority of +1s, +0 from Adrian)
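The accepted proposals above (proof of possession, attenuated delegation, structured resource/action scopes, and integrity checking of the critical HTTP parts) can be combined into one small verifier. The following is an added illustration written for these notes, not code from the WG or any of its specs; it assumes a `keys` registry mapping holder ids to keys, uses HMAC as a stand-in for a public-key signature, and treats method, path, selected headers and a body digest as the critical request parts.

```python
import hashlib
import hmac
import json

def encode(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key, data):
    # HMAC stands in for a public-key signature (an assumption made to keep the
    # example dependency-free); a real deployment would use e.g. Ed25519.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def canonical_request(method, path, headers, body):
    # Binds the parts the proposal calls security-critical: method, path, the
    # selected headers and a digest of the body. Anything else may vary freely.
    lines = [method.upper(), path] + [f"{k.lower()}:{headers[k]}" for k in sorted(headers)]
    lines.append("body-sha256:" + hashlib.sha256(body).hexdigest())
    return "\n".join(lines).encode()

def delegate(parent, parent_key, holder, actions):
    # Attenuated delegation: a child capability may only narrow its parent.
    if not set(actions) <= set(parent["actions"]):
        raise ValueError("delegation may only attenuate, never escalate")
    child = {"resource": parent["resource"], "actions": sorted(actions), "holder": holder, "parent": parent}
    child["proof"] = sign(parent_key, encode(child))  # issued by the parent's holder
    return child

def invoke(cap, holder_key, action, method, path, headers, body):
    # Proof of possession: the invocation is signed with the capability holder's key.
    req = {"method": method, "path": path, "headers": headers, "body": body}
    return {"capability": cap, "action": action, "request": req,
            "signature": sign(holder_key, canonical_request(**req))}

def verify(inv, keys, root):
    # keys: holder id -> key; stands in for resolving a holder's verification key (assumption).
    cap, req = inv["capability"], inv["request"]
    if not hmac.compare_digest(inv["signature"], sign(keys[cap["holder"]], canonical_request(**req))):
        return False                     # critical request parts altered, or signer lacks the key
    if inv["action"] not in cap["actions"] or not req["path"].startswith(cap["resource"]):
        return False                     # structured scope does not cover this action/resource
    while "parent" in cap:              # walk the delegation chain back to the trusted root
        parent, unsigned = cap["parent"], encode({k: v for k, v in cap.items() if k != "proof"})
        if cap["resource"] != parent["resource"] or not set(cap["actions"]) <= set(parent["actions"]):
            return False                 # a link tried to escalate beyond its parent
        if not hmac.compare_digest(cap["proof"], sign(keys[parent["holder"]], unsigned)):
            return False                 # link was not issued by its parent's holder
        cap = parent
    return encode(cap) == encode(root)  # chain must terminate at the vault's own root
```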
- Orie Steele
- Tobias Looker
- Kaylia Young
- Adrian Gropper
- Dave Longley
- Michael Shea
- Evan Tedesco
- Martin Riedel
- Manu Sporny
- Andreas Freund
- Dmitri Zagidulin
Transcript (Otter AI)