18:02:20 <RRSAgent> RRSAgent has joined #auto
18:02:20 <RRSAgent> logging to https://www.w3.org/2021/05/25-auto-irc
18:02:22 <Zakim> RRSAgent, make logs Public
18:02:23 <Zakim> Meeting: Automotive Working Group Teleconference
18:06:53 <tguild> Topic: Discovery
18:07:08 <tguild> Ted provides background, summary of conversation with Peter
18:07:28 <tguild> Gunnar: HTTP can handle multiple auth methods
18:08:05 <tguild> Isaac: HTTP can do base and digest auth or provide a challenge
18:08:44 <tguild> Gunnar: there is a longer list of auth methods than HTTP supports
18:08:59 <tguild> scribenick: tguild
18:09:30 <tguild> Present+ Carine, Ted, Peter, Gunnar, Isaac, MagnusG, Ulf
18:10:19 <tguild> Present+ Arman
18:11:16 <tguild> Ulf: not sure you've checked into issue where this is discussed as I proposed a solution for how a client can request the capabilities
18:12:47 <tguild> https://github.com/w3c/automotive/issues/385
18:13:23 <tguild> Ulf: we should have certain parts optional, next step is deciding what can be optional and then how a client can query on capabilities
18:13:43 <tguild> ...my proposal is to use 'static-metadata' in ch7.4 of core
18:14:05 <tguild> https://rawcdn.githack.com/w3c/automotive/3b84ac8b41586c1dbfc83aed5ca956a77a9f1445/spec/VISSv2_Core.html#metadata-request
18:14:58 <tguild> Ulf: server capability keyword could contain that information. request needs a path so maybe best would be to use the root node
18:15:17 <tguild> ...question then is what the response should contain?
18:15:50 <tguild> ...we could tag optional features in spec and provide those
18:16:39 <tguild> Peter: there is no way we can handle this with error messages?
18:16:52 <tguild> Ulf: yes but client trying and failing multiple requests is tedious
18:17:22 <tguild> Peter: having tag mechanism seems a bit complicated
18:18:09 <tguild> Ulf: if for filtering we have curve logging optional for example, and we have xyz tag for it then response would not include xyz if it doesn't support it
18:18:18 <tguild> Peter: I understand, just thinking it through
18:18:44 <tguild> ...it could work, any other comments?
18:23:31 <tguild> Ted: key issue is what the response should be imho
18:23:46 <tguild> Peter: so capabilities request itself would be mandatory
18:23:54 <tguild> Ulf: yes, it would have to be
18:24:41 <tguild> ...and this particular mechanism is already required so we would be overloading it modestly
18:25:30 <tguild> Gunnar: key question for me is are some features not needed by you and therefore even if deemed mandatory by spec you won't implement?
18:26:18 <tguild> ...what is going to prevent people from treating other features as optional?
18:28:34 <tguild> Ted: feasible people will create additional subscription filters besides what we define, what matters is client and server can communicate and choose what is understood and preferred
18:29:18 <tguild> Gunnar: if you want to introduce optional features, it needs to be clear in the specification (must, should etc)
18:29:45 <tguild> ... you need to name every optional feature so they can be communicated
18:31:13 <tguild> MagnusG: agree
18:31:38 <tguild> Ulf: should we give this some more time or go ahead and add to spec?
18:31:49 <tguild> Peter: should wait so Bosch guys can respond
18:32:32 <tguild> Gunnar: I'm wondering about an un-authenticated interface provide any capabilities about the server
18:32:38 <tguild> Ulf: agree with that concern
18:33:53 <tguild> Isaac: in TLS 1.2 handshake, you send capabilities in the clear. in 1.3 they want that encrypted as well
18:34:23 <tguild> ...any information provided to an attacker is useful not that I can think of how this can be misused offhand
18:38:15 <tguild> Ted: maybe mistake to try to provide client different auth methods this way but use for other optional features
18:39:03 <tguild> Ulf: access control I agree is more complicated. Bosch guys are doing auth more simply nor using role based access control
18:40:30 <tguild> ...maybe we can handle different auth scenarios more transparently to client or access grant is done once and not revokable
18:40:50 <tguild> ...that would make access grant server itself optional, token would not expire
18:41:54 <tguild> ...for the role based part, you could have a superuser role that allows client to do whatever
18:42:53 <tguild> ...sent that to Isaac earlier today
18:43:15 <tguild> Isaac: agree you can adapt a simpler scenario based on trust requirements
18:45:04 <tguild> Ted: that could work for access grant but Bosch must still be doing some granular access on signals
18:45:09 <tguild> Ulf: yes but not role based
18:53:11 <tguild> Ted: @@mixed-both
18:59:37 <tguild> Topic: Geofencing
19:00:37 <tguild> Ulf encourages Ted to share details on Spatial Data on the Web
19:01:22 <tguild> Ted: SDW folks meeting on Thursday and shared they have geofencing on their agenda, topic we asked them about
19:01:55 <tguild> ... we want a simple convention or standard for representing these fences, know at least BMW and Geotab are doing so in practice
19:02:26 <tguild> ...I'll share details for call @13GMT/15CEST to member-automotive@w3.org
19:03:15 <tguild> ...actually see they have call details public https://lists.w3.org/Archives/Public/public-sdwig/2021May/0032.html
19:04:48 <tguild> s/@@mixed-both/actually I could see some applications, such as from the OEM themselves, be trusted and not need access grant server but have persistent token whereas other applications due to privacy, business or other considerations be enabled or barred per trip and that can be handled out of band of our spec by access grant server/
19:04:55 <tguild> rrsagent, draft minutes
19:04:55 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/25-auto-minutes.html tguild