Session Date/Time: 28 Jul 2023 00:00

tigress

Summary

The tigress working group meeting focused on the two adopted documents: the requirements draft and the threat model. The discussion revolved around design directions for achieving tigress, specifically evaluating the HTTP extension proposal versus a WebDAV-based solution. Various concerns around round trips, connection integrity, identity preservation, and security implications of different approaches were debated. The group also heard about the OAuth working group and Verifiable Credentials that may apply.

Key Discussion Points

Requirements Document and Threat Model: A general call for review and feedback was made, despite no open issues on the adopted documents. Eric Apple inquired about potential conflicts between requirements for multiple round trips and correlation prevention.
Design Directions: Yogesh and Dimitry advocated for the original HTTP extension proposal, while the group also considered a WebDAV-based approach and JMAP as a potential foundation.
WebDAV Concerns: Discussions highlighted potential issues with using off-the-shelf WebDAV, particularly around resource access control, locking mechanisms, and the inherent identity assumptions within the protocol. Eric Skorla questioned the level of support for WebDAV and who would work on the solution.
Round Trip Handling in WebDAV: A key question was how to handle multi-message exchanges (round trips) in WebDAV, especially when the receiver needs to send information back to the sender.
Access Control: The importance of proper access control to prevent third-party interference with data was emphasized. Participants discussed the nuances of protecting the resources from external modifications not by the 2 participants.
Operational Considerations and Profiling: The discussion touched on the role of operational considerations and profiling in adapting existing protocols like WebDAV to meet tigress requirements.
Credential Definition: Kalia raised a question about the meaning of "credential" in this context, and it was clarified as a set of cryptographic tools along with metadata that lets the user access a resource.
Capability URLs vs. Tokens: Eric Aaronism and Aaron Parikhi discussed about the use of capability URLs and secret tokens as not good security practices.
Device Claim: Yogesh described his approach to solving the key exchange problem and his method of implementing device claim.

Decisions and Action Items

ACTION: Authors to add links to the adopted requirements draft and threat model to the mailing list for easier access.
ACTION: Brad will bring in more details to the mailing list in terms of other solution being proposed.
ACTION: John Bradley offered to provide information on WebAuthn and hybrid protocols on the mailing list.
ACTION: Eric and team to work together in the mailing list to drive alignment.
DECISION: The WG will schedule an interim meeting before the Prague IETF meeting.
ACTION: Participants were encouraged to contribute concrete proposals for different approaches via I-Ds or simple write-ups on the mailing list.

Next Steps

Encourage mailing list discussions with concrete proposals and feedback on existing documents.
Schedule an interim meeting to further discuss design directions and address open issues.