Session Recording
Session Date/Time: 31 Mar 2023 03:00
GNAP
Summary
This GNAP meeting focused on updates to the core protocol and resource server documents. Key discussion points included the adoption of SHA-256 as the default hash, clarification of token rotation, updates to the resource server document, and addressing open issues regarding token management and multiple finish methods in interactions. The group agreed to move forward with a change to token management, defer handling of multiple finish methods to a potential extension, and aim for last call of the resource server draft by July.
Key Discussion Points
- SPC Extension (Adrian Famous): Discussed an extension for Secure Payment Confirmation, focusing on its applicability to payment authorization within GNAP and its integration with web payments.
- Hash Algorithm: Consensus reached to switch the default hash algorithm to SHA-256, building upon previous work to align with the IANA registry for hash algorithms.
- Token Rotation: Clarified the differences between new and rotated tokens. Removed unnecessary repetition of previous key values in key rotation actions, simplifying the process and addressing potential security concerns.
- Resource Server (RS) Document: Presented an abstract token model for the resource server document, intended to be informative and non-normative.
- Token Management Endpoint: In the current approach the access token itself is presented to authenticate requests to its own management endpoint. This poses problems for expired tokens (generic authentication middleware rejects an expired token before the management handler can act on it) and for deployments that front the endpoint with such middleware. The proposed alternative is to pass the token value as a body parameter and to protect the management endpoint with a secondary token.
- Multiple Finish Methods: The client's ability to send multiple finish methods was discussed and ultimately deferred to an extension.
- Implementation Status: Updates were provided on existing GNAP implementations, including open-source and proprietary versions. Adrian Family expressed interest in adapting the confluence confirm suite for GNAP.
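To make the token management discussion above concrete, the following is an added illustration (not code from the GNAP drafts or any implementation) of why self-authenticated management fails for expired tokens and how the proposed alternative avoids it. The in-memory store, the response strings and the field names `value`, `manage`, `uri` and `access_token` are assumptions made for this example.

```python
"""Constructed comparison of the two token-management styles discussed in the meeting."""
import secrets
import time

# Constructed in-memory authorization-server state: token value -> record.
TOKENS = {}


def issue_token(subject, ttl, use_management_token=True):
    """Issue an access token plus its management handle.

    The returned 'manage' object carries the management URI and, under the
    proposed alternative, a secondary management token. Field names are
    assumptions for this example, not normative GNAP syntax.
    """
    value = secrets.token_urlsafe(24)
    manage_token = secrets.token_urlsafe(24) if use_management_token else None
    TOKENS[value] = {
        "subject": subject,
        "expires_at": time.time() + ttl,  # a negative ttl yields an already-expired token
        "manage_token": manage_token,
        "revoked": False,
    }
    manage = {"uri": f"https://as.example/token/{value}"}  # placeholder URI
    if manage_token is not None:
        manage["access_token"] = manage_token
    return {"value": value, "manage": manage}


def bearer_middleware_ok(presented_token):
    """Generic bearer check that a proxy or framework applies before any handler runs."""
    rec = TOKENS.get(presented_token)
    if rec is None or rec["revoked"] or rec["expires_at"] <= time.time():
        return False
    return True


def revoke_self_authenticated(token_value):
    """Current approach: the token authenticates the request to its own management endpoint.

    An expired token never reaches the revocation logic, because the
    middleware rejects it first, so the client cannot clean it up.
    """
    if not bearer_middleware_ok(token_value):
        return "401 unauthorized"
    TOKENS[token_value]["revoked"] = True
    return "204 revoked"


def revoke_with_management_token(management_token, body):
    """Proposed alternative: managed token in the body, secondary token protects the endpoint.

    The managed token's own expiry is irrelevant to authentication, so expired
    tokens can still be revoked. Only the management token is checked here; a
    real deployment would also bind it to the client's key as the continuation
    API does.
    """
    target = TOKENS.get(body.get("access_token", ""))
    if target is None:
        return "404 unknown token"
    expected = target["manage_token"]
    if expected is None or not secrets.compare_digest(management_token, expected):
        return "401 unauthorized"
    target["revoked"] = True
    return "204 revoked"


if __name__ == "__main__":
    expired = issue_token("alice", ttl=-1)
    print(revoke_self_authenticated(expired["value"]))          # 401 unauthorized
    print(revoke_with_management_token(                          # 204 revoked
        expired["manage"]["access_token"], {"access_token": expired["value"]}))
```

Running the block shows the failure mode the group discussed: the same expired token is rejected by the self-authenticated endpoint but can be revoked through the management-token variant, which is why the decision below leans toward making the secondary token mandatory.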
Decisions and Action Items
- Decision: Adopt the proposed alternative for token management, passing the token value as a body parameter and using a secondary token for protection. Aim to make the secondary token mandatory.
- Action Item: Editors to implement the token management changes in a new revision.
- Decision: Defer the handling of multiple finish methods to a potential extension.
- Action Item: Schedule an interim meeting within a month to discuss the token rotation changes.
- Action Item: Justin and Fabien to define the text for the token management changes; the secondary access token will follow the same structure as the continuation API.
- Action Item: Adrian Family to submit information about the Vein implementation for inclusion in the document or on the mailing list.
- Action Item: Get shepherd write-up and AD review for the core draft for IESG last call.
Next Steps
- Implement the agreed-upon changes to the core draft regarding token management.
- Prepare a new revision of the core draft incorporating these changes.
- Submit the updated core draft to IESG for last call.
- Schedule an interim meeting to discuss token rotation.
- Continue working towards working group last call for the resource server draft by July.