Minutes IETF108: gnap
minutes-108-gnap-00

Meeting Minutes Grant Negotiation and Authorization Protocol (gnap) WG
Date and time 2020-07-27 14:10
Title Minutes IETF108: gnap
State Active
Last updated 2020-08-03

1. Opening - Chairs - 14:10-14:20

New chairs, thanks to Dick for his work as BOF chair.

2. XAuth progress - Dick - 14:20-14:40

[JR] the callback negotiation portion is not in contrast to XYZ.

3. XYZ progress - Justin - 14:40-15:00

Details at https://oauth.xyz/ including source code.
Jumps into Continuation Structure.
Open question: can we manage access tokens and grants with access tokens.

4. Protocol comparison - Kathleen - 15:00-15:30

[JR]: @Yoav QUIC didn't start as being called HTTP/3, that came a lot later
with coordination from the HTTP WG. Nothing would stop us from doing that here
too if we wanted, in the future. New WG is because OAuth WG is also still doing
a lot of work today.
[YN]: @Justin Understood. Here it looks like we're revving OAuth right from the
start.

Recommendation: adopt XYZ as a WG draft, but merge in XAuth diagrams,
articulate the request/response requirements more clearly as is done in XAuth

5. Discussion and next steps - Chairs - 15:30-15:50

Questions/comments to Kathleen:
[JR] Thanks everyone. XYZ is not yet a complete solution, there is a lot more
that it could do. Tried to be clear about places where there are gaps, and 1/3
is editor's notes. If we decide to start with XYZ document, then I very much
want to refine that as we go.

[MCR]: would you say that we need to have JWT everywhere, or what?
[KM]: both seem to use JWT where it works, but in some cases resort to HMAC.
[Dick]: in the one place where XYZ uses HMAC directly, I didn't think XAuth
needed anything there.

Discussion about HMAC vs KMAC vs (c)SHAKE in jabber.
Discussion about how ACE might need updating based upon the work that we are
contemplating. [JR]: thinks that it can be easily translated to CoAP/CBOR/COSE,
because we should be sticking to HTTP/JSON/JOSE correctly. Should avoid sins of
the past, which were deeply abstracted from one real protocol. [more was said]

[CB]: similar to what JR said. Look at the problem before we throw the baby out
with the bathwater. There are some bug fixes in COSE which are not in JOSE.
Let's start with this now.

[LJ]: Hum about what we have on the table?
[RD]: compared, but then recommended A<-B, or B<-A, or make a new C.

[MJ]: on the txauth list there have been many threads about how to handle
identity claims. XAuth did a better job of handling those claims than XYZ did.
Note that the charter said that we weren't going to be new identity schemas, so
on that basis, I would start with XAuth. Otherwise, I would lift the identity
stuff from XAuth to XYZ. And make Dick co-author.

Roman asks what the WG needs to make a decision?
[LJ]: another option we could talk about is put together a DT?
[DH]: agrees, and invites RH
[JR]: agrees to join, but is not sure.
[LJ]: let's empty the queue.
[BM]: talks about his DRIP use case.
[JR]: garbled.

Kathleen Moriarty: Please do consider readability and don't merge the styles.
Mike Jones: I was asking to graft in some features - not change styles
Kathleen Moriarty: Great, that's what I was hoping for
Leif Johansson: yeah we're out of time
Marc Blanchet: RDAP (in regext) has a draft using oauth and openid connect for
authorization. I highly suggest that you contact the author (Scott Hollenbeck)
as it could be a good use case for gnap.
Justin Richer: @Mike Yes, I agree that it would be fairly easy to graft in
XAuth features to XYZ as Kathleen suggested.
Mike Jones: All I was going to say was that if there's a design team, I'm
willing to participate

YS: will move forward with a small DT with a limited timeline with a high-level
proposal on how to combine the existing proposals.

[RD]: good plan and pin an interim meeting
[MJ]: if there is a DT, I will participate

JR = Justin Richer
YN = Yoav Nir
YS = Yaron Sheffer
CB = Carsten Bormann
MJ = Mike Jones
DH = Dick Hardt
LJ = Leif Johansson
KM = Kathleen Moriarty