<scribe> Scribe: Ted
Isaac: we introduced distinction between short and long term grant tokens
... for long term we need proof of possession of private key in order to get an access token
... we created a section on this proof
... as Ulf mentioned this was a main concern of the group
Gunnar: any updates on key generation part, how to get pair in the first place?
Isaac: to be honest, I think that should be left open to implementers
... I don't see going into more details. If you have the hardware/software support for key generation you can go for long term, otherwise short
Gunnar: point of the hardware part? [faint audio]
Isaac: long vs short term is based on concerns raised previously, to handle vehicle having connectivity issues which prompted long term use case for offline
... in this scenario the application will send the key pair to access grant server. There is no identity bound to it
... with access token server if you include this proof you can get longer token
Gunnar: are there concerns with man-in-the-middle for initial key pair?
Isaac: we did not address that
... we could include in the chapter a security model where we acknowledge the risks we are mitigating and distinguish what we are not and defer to implementers
Gunnar: I want us to describe a secure method or what the actual exchange is and how to secure it
... clarify what is out of scope and theoretical description of issue so it can be addressed
Ulf: there is no risk in sharing public key
Gunnar: risk is in sending initial pair, someone can intercept and send their pair
Isaac: we have nothing on authentication for instance
Ted: are there more areas you wish to address before accepting the PR? as a reminder people can raise additional issues
Ulf: yes, let's proceed
... we have made updates from most comments
... instead of changing order of sections as you suggested, we link to that topic
... I don't believe anything remains from comments that should be raised to issue level initially
Peter proposes to accept PR
Adnan: ok for me
<magnusg> actually it was magnus :)
Peter: Ted please merge the PR
[no objection]
https://github.com/w3c/automotive/issues/
issue 306 - data model paragraph, now have permanent normative reference
Gunnar: there has been no input on alternate taxonomies and we have to work with what we have
... we can also encapsulate additional data in VSS
... ok with the proposed text but also want to push back
[brief revisit of debate on trying to contain all types of data in VSS vs separate data models/taxonomies]
Peter: we are uninterested in the media case
Gunnar: there could be more data, take CVII as that identifies other possible data
MagnusF: private branches can be staging areas and later become candidate for inclusion in the main tree
Ted to create PR for 306 and 307 in VISS and Gen2 respectively
Peter: Adjourned