19:44:13 RRSAgent has joined #auto 19:44:13 logging to https://www.w3.org/2021/11/09-auto-irc 19:44:15 RRSAgent, make logs Public 19:44:16 Meeting: Automotive Working Group Teleconference 19:46:04 Present+ Ted 19:46:04 Present+ Ulf, Carine, Gunnar, MagnusG 19:46:04 Regrets+ Isaac 19:46:05 Topic: MQTT PR continued 19:46:06 present+ Peter 19:46:10 Chair: Peter, Ted 19:46:12 scribenick: ted 19:46:15 Ulf: the major change is scrapping VIN for an arbitrary identifier 19:46:19 Present+ Erik 19:46:22 … I changed the wording to vehicle identity 19:46:25 Ted suggests clarification that this is not necessarily VIN 19:46:28 Gunnar: when application use case is in-vehicle is it needed? 19:46:31 s/when application use case is in-vehicle is it needed?/there are cases where broker might be in-vehicle/ 19:46:35 Erik/Ulf think it is covered 19:46:38 Erik: diagram image rendering is a bit off 19:46:41 … font or clarity 19:46:42 Ulf: I did it in a pixel editor on the original diagram 19:46:45 [discussion on image edit and format] 19:46:49 s/is a bit off/is different for changed terms/ 19:46:52 https://github.com/w3c/automotive/pull/427 19:46:55 Ted to propose wording for his suggestion 19:46:58 Topic: Issues 19:47:01 https://github.com/w3c/automotive/issues 19:47:06 https://github.com/w3c/automotive/issues/382 19:47:09 Ulf: I proposed we have Signal Access Claim in the token as alternative to Role Based Access Control 19:47:09 … nothing more is said about how the topic is obtained, it is out of scope and left to the implementer 19:47:12 … this meets what has been asked for from Bosch side, less complex authentication 19:47:15 … Isaac came up with an idea to do essentially the same thing but more in-line with the existing mechanism 19:47:19 … I find it a fully valid proposal but found one issue. the main reason for introducing this new "flow" was to make an implementation that excludes policy document but also the authorization server 19:47:22 … this proposal goes beyond that. Sebastian took a look and prefers the earlier proposal that has the lower complexity 19:47:25 … Isaac commented further about HTTP API security 19:47:28 -> https://www.pingidentity.com/en/company/blog/posts/2020/everything-need-know-api-security-2020.html Article Isaac shared on Slack 19:47:31 https://github.com/w3c/automotive/issues/430 19:47:35 Ulf: how do we handle discoverability? 19:47:38 Ted: we discussed before (and punted iirc?) leveraging something like uPNP for discovey or similar to VID or SAC token, outside the scope and handled by configuration 19:47:42 Carine: we could settle on port numbers 19:47:42 Magnus: this is deployment specific and could be out of scope 19:47:45 Carine: it could be part of a manifest file, a way to discover in all vehicles. is it using default port or something else 19:47:49 … we could narrow the scope. it would be better to specify what is deployed 19:47:52 Erik: is it clear there would only be one access grant server or could there be multiple? 19:47:55 Ulf: there is one within an ecosystem 19:47:58 Erik: another issue is information about what VSS version is being used. if you just know the name of the VISS server, you can get the additional information from it 19:48:02 … VISS server can provide that 19:48:05 Ulf: I don't think we should specify how a client obtains address for the VISS server, it is up to the OEM 19:48:08 https://www.w3.org/TR/2018/CR-vehicle-information-service-20180213/ VISSv1 19:48:11 wss://wwwivi 19:50:47 present+ Isaac 19:50:56 ted has joined #auto 19:50:59 I have made the request to generate https://www.w3.org/2021/11/09-auto-minutes.html ted 19:52:12 Ted: when we discussed for v1, it was a problem for other W3C groups as well. the static local network hostname was not preferred and I can look to see if the cross group discussion reached a conclusion 19:52:13 Ulf: let's leave this open then 19:52:13 https://github.com/w3c/automotive/issues/429 19:52:14 Ulf: access token server could sign with its private key and provision clients with public key 19:52:16 … if you don't have a VIN the token could possibly go to any vehicle as valid 19:52:19 Ulf: we can have it as optional 19:52:22 … I'll generate a PR for Erik's idea, having it in the token 19:52:25 Erik: sounds good to me 19:52:29 https://github.com/w3c/automotive/issues/425 19:52:30 Ulf: VIN parameter should be optional here too 19:52:33 Present+ Isaac 19:52:36 [Isaac joins] 19:52:44 [return to issue 382, Ulf recaps conversation] 19:52:52 I have made the request to generate https://www.w3.org/2021/11/09-auto-minutes.html ted 19:53:26 Ulf: anyone who implements an access control model will ensure they meet their security criteria 19:57:55 Erik: would we remove or deprecate any of the flows? 19:58:12 Ulf: no, which is used up to implementer and they could use both 19:58:32 … ideal is to have interoperability from client perspective 19:59:59 Isaac: my understanding was to try to find a middle ground and align with what people are likely to do 20:00:14 … if people want to skip access grant server, ok we can simplify the flows 20:00:39 … my proposal was a small simplification to the proposed flow to align better with the earlier solution 20:00:44 Ulf: understand and appreciate that 20:01:12 … Bosch wanted something simpler and asked Sebastian to describe better what they want 20:01:35 … my understanding is that it isn't rigidly defined but want it flexible 20:02:31 … token is then the lowest common denominator 20:02:52 Isaac: how the token is protected can be with HMAC 20:03:49 Ulf: I can bring forward a PR and have a final discussion on the details 20:06:44 I have made the request to generate https://www.w3.org/2021/11/09-auto-minutes.html ted 20:07:14 Present+ Adnan 20:07:15 I have made the request to generate https://www.w3.org/2021/11/09-auto-minutes.html ted