Ulf: I haven't received much feedback since proposing this
... some expressed interest in exploring other options for access restriction including WAMP
... we can discuss this and inform that separate study
... I started off with requirements for what we need
... it should be possible to read/write without a token (no auth) for some small number of nodes, if the implementer wishes
... it is possible to require access for write but read wide open
... and other nodes require a token for both read and write
Peter: will all be tagged?
Ulf: all individual nodes, some or branch and inheritance for them
Ted: I wonder if we want to have granular read, whether for instance you can share that data outside the vehicle
Ulf: hard to control what someone does with the data after
Ted: you can spot bad behavior and have recourse
Ulf: since you are obtaining the tokens from authorization server in the cloud
Ted: I'll write something on the issue thread describing this
Ulf: not so easy to control
... flexibility comes with complexity
... simpler often better in security
... different clients will be provided different parts of the tree
... you can provide different client apps different data views
... please add your ideas to this issue thread
... tags can be added in deployment phase, not in VSS YAML but added after by OEM
... I chose 'validate' as the attribute name for the tags
... we are using JSON Web Tokens
... we have three possibilities, no tag, read or read/write
... a resource inherits from its parents unless otherwise specified
Adnan: what is the benefit for adding this?
Ulf: a client would obtain explicit approval from authorization server
Adnan: you said some can be accessed without a tag
Ulf: the guard would be able to check if there is a tag and enforce it, no tag means it will be served
Adnan: let's look at speed, and let's say it is read
... what does that change in this process?
Ulf: in case of sensor, read is the only option
Adnan: I understand the token part but if this is reinventing the OAuth method
Ulf: this is using OAuth
Adnan: tags are not part of OAuth
Ulf: no but it allows extensions
... this is also influenced by what we inherit from ViWi
... in ViWi everything is read/write protected
Adnan: if we have five clients, each with different signal access rules
... for door lock status, read to get state and write to unlock for remote access
... how do we differentiate with tags?
Ulf: the authorization server will set the access per client
Adnan: still not seeing the benefit, maybe an illustration for a given leaf and different clients
Ted: I can see scenarios where a given app needs to be able to handle different access across vehicle manufacturers or perhaps in same vehicle if e.g. valet instead of owner. Tags would be part of layering topic Gunnar will hopefully lead us on next week
Ulf: other thing I wanted to discuss is authorizationLevel 0-9
... this is put in tree as validate is
... added as access token in field, when client goes to authorization server in cloud it can also request higher authorization level
... 0 being the bare minimum signals generally made available whereas 9 is highest including e.g. engine data
... this proposal meets our requirements and alternatives being looked at should do the same
[Resume in two weeks after layering discussion]
Ted: I'll open registration where people can make suggestions
https://www.w3.org/auto/wg/wiki/Auto-f2f-mar-2020
Glenn: I have a conceptual idea on how to fast track this project
... the objective is to have vehicle data in VSS format on a public server so we can do demonstrations and reference projects
... we have a dog food program at Geotab where employees give permission to use their data for research projects
... we can extend that so some Geotab employees will be able to provide data for this W3C project. Vehicle manufacturers involved in this group are welcome to do the same
... Harjot worked on a specific consent draft with our legal team and can provide it for review
... we can probably have a document in a week or two that can satisfy this narrow consent
Ted: happy to review it and get additional eyes from our attorney
Glenn: I will send to W3C Members
Peter: I would need to see how we would feel about it
Glenn: participants in this group would be able to participate and provide data under these terms with our Go device
https://www.w3.org/auto/wg/wiki/Vss_data
Ted: we can perhaps provide additional motivation in this doc so it will make sense to other readers
Harjot: that hasn't been done yet
Glenn: I am hearing encouragement and look forward to comments
... there was considerable excitement at our previous f2f to make this available
... this early step has been a bit of a legal hurdle
... we need a standard for anonymizing and see that as highly customized
... Nicole has provided me 8-10 documents on aggregation and anonymizing protocols. I will review and share pertinent subset
... we will use ourselves on this server at MIT
... we can perhaps start on dummy data in graph server at f2f
Peter: we should be able to demo the Gen2 open source project as well at f2f
[adjourned]