Last edited · 2 revisions  

 


Secure Data Storage WG Agenda - Thu Sept 17th, 2020

Current Spec

Issues

Agenda

1. IPR Reminder

2. Introductions and Re-Introductions

3. Authorization: Criteria Selection

4. (if time) Issue Review 

Authorization scheme selection criteria

1. What language are we going to use to discuss Proof of Cryptographic Possession / Cryptographic Invocation (examples DPOP in OAuth2.0 vs ZCAP cryptographic invocation)

    * need to agree on the language

    * need to agree on if it's a required selection criteria

2. Delegation (multi-step delegation, with attenuation) 

    * need a good clear example of why delegation might be useful

3. Structured Scopes (whatever authorization token we settle on should specify resource / action etc). (Like the structured scopes in auth.xyz)

    * as opposed to: OAuth2's flat freeform scopes

4. Replication / Portability

    * (if my Vault is replicated, so should the permissions)

Proposals

PROPOSAL: The authorization system MUST NOT support decentralized delegation. 

- a bunch of -1s in chat.

PROPOSAL: The authorization system MUST support decentralized delegation. 

- ~9 +1s

PROPOSAL: The authorization mechanism MUST rely on SOME FORM or cryptographic Proof of Possession

- 8 +1s

PROPOSAL: The authorization system MUST NOT include a mechanism for attenuated delegation of authority.

- all -1s

PROPOSAL: The authorization system MUST include a mechanism for attenuated delegation of authority.

- all +1s

PROPOSAL: The authorization system MUST NOT require integrity checking of HTTP requests 

- all -1s

PROPOSAL: The authorization system MUST integrity check all parts of the HTTP request that are critical to the security of the operation being performed. (relevant headers and body)

- all +1s

PROPOSAL (from Orie): The SDS WG will specify a data model for scopes / will specify and document a minimal set of authorizations.

- (majority of +1s, +0 from Adrian)

Attendees

  • Orie Steele
  • Tobias Looker
  • Kaylia Young
  • Adrian Gropper
  • Dave Longley
  • Michael Shea
  • Evan Tedesco
  • Martin Riedel
  • Manu Sporny
  • Andreas Freund
  • Dmitri Zagidulin

Recording (Zoom)

Transcript (Otter AI)