►
From YouTube: CNCF Serverless Working Group 2020-10-15
Description
CNCF Serverless Working Group 2020-10-15
A
A
A
I'm
gonna
try
to
admit
that.
Do
me
a
favor.
Can
you
edit
that
for
me,
when
you
get
a
chance,
if
not
I'll
figure
it
out
later.
A
B
A
Hello,
hello,
kristoff.
A
Hello
and
who.
A
Wasn't
gonna
make
it
bye.
A
Thank
you,
simon
all
right
we
have
a
I.
I
really
struggled
to
find
topics
for
today's
call.
In
fact,
we
have
no
prs
to
review,
I
wasn't
sure
which
issues
to
discuss
so
I'm
looking
for
you
guys
to
help
fill
it
out
or
we
can
end
really
early.
One
of
the
two.
A
Yes,
I
think
we
all
need
to
create
more
work
for
us,
mario,
either.
A
H
A
A
I
A
All
right,
let's
go,
then
see
how
quickly
we
can
end
this
thing,
just
a
reminder:
if
you
have
an
ai,
please
look
at
when
you
get
a
chance
anything
from
the
community
that
people
want
to
bring
up,
no
okay
cool.
We
do
have
an
sdk
call
this
week.
I
last
time
I
checked
there
wasn't
anything
on
the
agenda.
Let's
just
quickly
check
yeah.
We
have
nothing
there.
A
So
if
you
want
to
do
something,
go
ahead
and
add
another
section
for
today's
agenda,
otherwise
we
may
not
have
a
call
where's
it
going
next.
Oh
yeah,
okay,
discovery
interrupt
next
week.
Call,
I
don't
think,
there's
anything
been
updated
in
the
discovery
doc.
So
please,
if
you
are
planning
on
doing
something
there
help
fill
this
out.
It's
on
my
to-do
list
as
well.
A
I
think
the
more
important
thing
at
this
point
in
time
is
for
everybody
to
actually
start
coding
more
than
anything
else.
The
way
I
kind
of
look
at
it
is
once
you
get
the
base
infrastructure
in
place.
The
rest
of
it
should
be
easy.
Hopefully,
so
please
start
coding
that
way.
You
can
find
errors
in
the
spec
and
try
to
get
those
ironed
out
before
the
proposed
interop
on
november
2nd,
which
is
only
a
couple
weeks
away,
all
right
and
tim
or
anything
from
the
workflow
side
of
things
you
want
to
mention.
K
K
We
also
created
a
couple
of
training
type
of
videos
that
mostly
for
just
a
community,
but
also
we
will
use
them
for
kubecon
and
just
overall
cubecom
this
year
we
have
a
project
booth
and
that
doing
that
this
intro
in
toronto
is
that
what
it's
called
thing
is
just
it's
a
pain,
so
putting
a
lot
of
hours
into
that.
A
Okay-
just
let
you
guys
know
since
he
mentioned
it,
we
did
not
sign
up
for
a
booth.
However,
I
did
sign
this
up,
for
I
think
it's
called
office
hours
I
have
unless
I
missed
it.
I
have
not
seen
the
sign
up
sheet
for
when
the
office
hours
might
be.
When
I
get
that
I'll
look
for
some
message
on
the
slack
channel,
because
I
suspect.
A
J
Yeah,
you
should
have
gotten
it.
You
know
I
actually
had
a
problem
with
this.
I
haven't
said
anything
to
cncf,
but
last
time
we
had
to
express
interest
and
then
once
the
deadline
was
over,
then
they
opened
the
calendar.
It
seems
like
this
time
as
soon
as
you
responded,
they
opened
the
calendar
to
you.
So
there
are
a
lot
of
times
that
were
gone
already
by
the
time.
A
A
So
if
you
can
send
me
the
email,
I'll
look
for
some
times
and
maybe
just
grab
one
and
if
it
doesn't
work,
we
can
always
adjust,
but
I
don't
anticipate
it
being
difficult.
Last
time
we
had
very
few
people
show
up,
so
we
just
need
somebody
to
you
know
warm
bodies
in
there
is
probably
all
we
need.
I
think
most
questions
should
be
easy,
so
all
right
all
right
with
that,
let's
keep
moving
forward.
As
I
said,
I
couldn't
we
have
no
prs
to
look
at
issues.
I
picked
out
just
a
couple.
A
A
Basically,
if
a
property
exists,
it
has
to
have
a
value
leave
that
leave
out
extensions
for
a
minute
because
there's
a
hole
there,
but
for
all
the
spec
properties.
You
can
assume
that
if
the
property
exists,
there
will
be
a
value
there.
It
will
not
be
null
at
least
that's
what
the
spec
kind
of
leans
towards,
but
this
issue
is
really
about.
A
Is
that
really
what
we
want,
and
so
let
me
pick
on
jem
and
klaus,
since
you
guys
commented
the
most
recently
on
this
to
get
your
opinion
on
what
we
might
do
with
the
situation.
If
anything
so
jim,
you
want
to
go
first
and
give
your
opinion
on
this,
not
really,
but
I
will,
I
guess.
L
Yeah
I
mean
when,
as
I
read
the
spec
it
doesn't,
it
doesn't
to
me
read
like
we
support
nulls
and
I
wouldn't
expect
to
receive
an
attribute
with
no
value.
I
I
think
my
bigger
concern
is,
if
you
do,
how
do
you
are
we
meant
to
propagate
that
through
all
the
different
transports
yeah?
So
if
we
were,
you
know
going
to
send
a
null
attribute
over
http.
What
would
we
put
in
the
header
for
that
you
know?
Does
it
then
make
everything
more
complex?
L
You
know
because
it
might
expect
the
word
null
in
in
a
header
attribute.
That
was
only
expected
to
be.
I
don't
know
a
number,
so
I
think
it
it
sort
of
is
a
bit
of
a
deeper
issue
than
than
it
might
appear,
but
I
would
lean
to
not
allowing
or
explicitly
saying
that
if,
if
an
attribute
is
defined,
it
should
have
a
value.
L
G
Yes,
so
basically
I
I
agree
to
what
jem
said,
so
it
just
would
like
to
emphasize
that
it's
not
about
the
empty
value.
It's
about
the
null
value
of
the
discussion,
so
I
I
realized
that
most
of
the
standard
context
attributes
also
state
that
they
shouldn't
be
an
empty
value.
But
that's,
I
think,
a
different
topic
so
and
I
agree
that
that
transporting
null
explicitly
would
be
then
a
challenge
for
each
and
every
protocol,
binding
and
format.
So
that's
also
what
I
wrote
here.
A
Us,
okay,
so
just
comments
before
I
get
to.
I
just
want
to
ask
a
clarifying
question
because
jem
correct
me
wrong,
but
you
seem
to
indicate
you
wanted
the
spec
to
be
more
clear
to
say
we
do
not
support
null
but
klaus.
You
start
off
saying
you
agree
with
jem,
but
then
you
ended
with.
We
should
allow
both
but
be
clear
that
null
is.
The
same
thing
is
not
present.
Well.
G
I
I
say
that
either
we
allow
it
and
treat
it
as
the
same
or
we
don't
allow
it
at
all
and
yeah.
Okay
got
it.
Okay,
pretty
much
the
same.
It's
just
a
subtlety
of
what
would
be
easier
for
the
the
sdks
and
for
handling
of
json
in
detail,
and
here
would
also
rely
on
on
feedback
from
the
sdk
implementers.
G
E
I
would
like
to
to
support
what
claustro
said
which
or
what
he
writes
there,
because
I
null
values.
I
don't
think
we
allow
them
anywhere,
but
if
null
appears
then
that's
some,
especially
for
json,
some
serializers
serialize
out
null.
E
If
the
object
is
not
present
and
if
you
have
a
a
strongly
typed
structure
which
you
might
have
first
for
for
a
cloud
event,
then
you
know
you
fill
all
the
values
that
you
want
to
go
and
fill
in,
and
you
omit
the
ones
that
you
don't
want
to
set
and
those
that
end
up
being
null
right
in
java
or
in
c
sharp
or
other
languages.
E
A
E
Yeah
because
the
field
wasn't
there
in
the
beginning
so,
but
is
the
case
I
just
want
to
want
to
make
not
too
complicated
for
for
the
for
the
innocent
is,
if
I
mean
literally,
if
you
code
up
a
poco
type
right
and
you
grab
just
grab
a
grab,
the
serializer
and
the
serializer
is
that
its
default
is
to
not
emit
the
values
but
to
to
write
them
out
onto
onto
the
wire
as
now.
Then,
then,
that's
what
you
should
that.
That's
the
situation
you're
in
and
I'm.
E
So
I'm
not
sure
we
should
make
it
really
difficult
for
those
folks
who
want
to
go
and
express
a
cloud
event
as
a
strongly
poke
was
probably
a
type
poker
type
in
their
in
their
app.
It
should
not
be
hard
for
them
to
write
compliant
cloud
events
either
way.
E
I
I'm
currently
having
a
side
job,
helping
a
soccer
professional
soccer
club,
their
I.t
stuff
and
then
so.
I'm
dealing
with
developers
who
are
just
doing
dynamics
every
day,
and
that
is
calibrating
my
perspective.
I
would
say
for
how
complicated
it
can
be
to
deal
with
jason.
So
I'm
I'm
I'm
a
little
disillusioned.
I
would
say.
A
A
F
A
F
You
can't
turn
a
a
struct
that
has
a
string,
and
you
say
inside
the
json
version
that
I'm
marshaling
into
this
struct
it
it
doesn't
know
how
to
turn
a
the
value
null
into
a
string.
It
just
blows
up:
okay,.
A
A
L
L
Is
it
going
to
say
yes
or
is
it
going
to
say
no,
I'm
going
to
get
a
different
answer?
If
that
was
subsequently,
I
don't
know
marshalled,
you
know
as
a
binary
through
http,
because
that
header
wouldn't
be
there,
so
it
just.
I
think
it's
just
going
to
lead
to
you're
going
to
have
to
provide
guidance
to
sdk
writers
as
to
how
they're
expected
to
handle
this
situation
to
get
a
consistent
application.
F
So
I
think
from
my
side
integrators
never
asking
questions
about
the
original
payload
they're
asking
questions
about
the
the
converted
nominal
form
of
the
event,
and
so
in
that
case
I
think
it
ends
up
being
the
same.
If,
if
something
was
set
to
nil,
the
parser
understands
that
that
should
just
ignore
it
and
not
set
that
value.
So
I
think
you
end
up
with
the
result.
The
resulting
exact
same
object
after
a
marshalling.
M
Yeah,
I'm
just
thinking
that
in
the
case
of
the
sdks
I'm
working
on
so
both
sdk,
rust
and
sdk
java,
this
requires
changing
the
main
apis,
because
then
we
because
now
the
assumption
is
only
there
is
something
there
isn't
anything
and
if
anything
is
null
or
not
present,
it
doesn't
make
any
difference
for
the
interface
itself.
So
this
this
will
require
changing
the
stuff.
M
No,
no,
if
I
can
add
something
to
be
honest,
I
I'm
not
even
sure
how
should
I,
for
example,
model
this
in
a
rust.
Like
I'm
saying,
I'm
saying
one
language,
but
I
have
I
have
no
real.
I
have
no
real
idea.
How
should
I
model
this
in
rust?
I
mean
what
happens
when
it's
not
present,
and
what
should
I
say
when
it's
surprising.
What
should
I
say
when
it's
not
so
the
language
doesn't
give
me
the
ability
to
to
model
the
null.
In
fact,
it
just
gives
me.
F
E
Yeah,
that's
that's
right,
if
you
so
in
the
case
in
the
martial
art
and
also
someone
who's
looking
at
as
a
strongly
typed
object
in
in
java
or
in
c
sharp
or
any
any
type
language
that
they
see,
no
difference
between
whether
you
sent
now
or
or
and
meant
to
set
null
or
whether
the
object
is
absent.
It's
it's
semantically,
identical.
A
Okay,
I'm
not
sure
who
I
guess
slinky,
that
those
answers
are
directed
towards
you.
Does
that
help
or
do
you
need
more
clarification.
M
No,
no,
I'm
fine
with
that.
I'm
just
saying
that
I
I
think
it
we
shouldn't
have
this
difference
at
the
apa
level,
if
you
understood
correctly
the
what's
the
discussion
here:
where
are
the
discussions
going.
A
Okay,
klaus,
I
think
your
hand
was
up
next.
G
B
Okay,
simon.
C
I
think
your
hand
was
up
next
yeah
thanks,
so
I
just
wanted
to
point
out
one
use
case
where
nile
is
actually
different
than
being
undefined
or
and
that's,
for
example,
if
you
send
patch
requests
or
use
the
json
merge
patch
semantics,
and
there
now
basically
says
if
you
know
this
property
and
you
have
a
value
for
that,
you
need
to
remove
it.
So
it's
in.
C
A
A
Okay,
I'm
going
to
assume
they're
old
okay,
so
I
think
what
I'm
hearing
is
add
language
to
the
json.
Only
spec.
Well,
okay,
two
things,
add
language
to
the
json
spec,
to
make
it
clear
that
null
and
absent
are
the
same
klaus.
You
were
thinking
that
we
may
need
to
add
something
to
the
main
specs
type
system
section,
but
I
think
those
are
the
scope
of
the
possible
changes.
We've
talked
about
so
far.
A
L
L
L
All
the
other
attributes
don't
allow
now,
as
it's
currently
schematic
if
people
are
using
this
and
schema
jenning
code,
chaining
off.
L
C
Okay,
simon,
your
hands
up
yeah,
so
yeah
I'm
just
getting
into
this,
but
I
don't
see
so
if
we
say
now
providing
null
or
is
the
same
as
not
providing
it
the
same,
then
we
could
just
disallow
null
at
all
and
we
would
get
the
same
behavior
and
don't
have
to
change
our
contract.
Basically,.
C
F
F
Correct
this,
this
is
intended
for
dumb
producers
and
smart
consumers.
I
think.
A
Okay,
I
remember
now,
when
I
raised
my
hand-
and
I
think
it
was
because
of
what
jem
said
earlier-
is
there's
no
way
for
a
consumer
then
to
distinguish
between
not
present
and
present
with
null,
and
it
gave
me
flashbacks
to
to
looking
at
query
parameters
in
golang
right
because
you
can
use
the
methods.
A
I
think
it's.
The
query
object
to
actually
just
you
know
say
give
me
the
value
and
there's
no
way
to
distinguish
between
empty
string
versus
the
the
the
property.
Wasn't
there
at
all.
You
know,
probably
not
there
at
all.
It's
always
going
to
return
every
string.
If
you
want
to
actually
find
out
where
the
query
parameter
is
there,
but
with
no
value
you
have
to
actually
go.
Look
at
the
the
the
map
itself
to
do
that,
and
it
just
got
me
wondering,
and
I
know
scott.
A
They
basically
show
them
what
it
was
basically
on
the
wire
for
the
most
part,
and
I
want
to
make
sure
that
we're
not
going
to
close
off
use
cases
where
someone
says
you
know
what
I
really
do
need
to
know
whether
the
whether
the
thing
was
present
with
null
versus
not
present
at
all.
For
some
reason,
I
just
I
would
be
sure
we're
not
missing
some
use
case
here.
F
Given
that
the
guidance
is
that
these
attributes
are
meant
for
routing
and
maybe
a
tagging
of
some
sort
of
event-
and
it's
not
the
payload
itself,
it's
a,
I
think,
you're-
probably
doing
it
wrong.
If
you
you're
expecting
the
existence
of
some
nil
value,
especially
because
the
spec
says
it
must
be
a
min
length.
One
we're
doing
a
special
case
here
for
serialization
between
wire
format
and
conical
form.
A
A
A
All
right
cool!
Thank
you,
sir.
I
appreciate
that.
Okay,
one
whoops,
I
can't
type
okay
yeah.
These
were
there
mainly
because
they
were
there
last
week.
A
The
only
reason
I
kind
of
kept
this
one
on
whether
epoch
should
be
global
or
not
is
because
of
the
conversation
you
and
I
had
scott
during
last
week's
call
where
we
were
talking
about
this,
and
I
was
then
we
got
into
the
the
discussion
point
about
how
if
we
made
this
change,
it's
gonna
really
really
make
it
hard
when
you
start
syncing
up
between
discovery,
endpoints
and
we
then
kind
of
landed,
I
think
in
a
position
of
well.
A
Maybe
we
shouldn't
talk
about
that
and
leave
that
as
either
exercise
for
later
or
it's
someone
else's
problem,
but
our
initial
job
should
be
to
focus
on
how
to
make
a
single
individual
discovery.
Endpoint
work
well,
okay,
and
so
what
I
want
to
do
is
to
bring
back
up
this
issue
to
say
two
things:
one
is
is
that
where
everybody's
head
everybody
else's
head
is
at
and
that
for
now
we
should
focus
on
just
a
single
discovery,
endpoint,
and
if
so,
what
do
people
think
about
this
issue
within
that
scope
and
just
refresh
everybody's
memory?
F
A
A
F
Yes,
on
a
per
service
level,
you
do,
but
only
for
the
produce,
the
services
that
you
produce.
That's
the
key
difference
elaborate
on
what
you
mean
by
produce.
F
A
A
Darn:
okay,
if
we
roll
back
the
put,
how
do
we
standardize
uploading.
A
F
F
F
F
Sorry
go
ahead,
maybe
their
bootstrapping
process
is,
you
know,
pulling
from
some
central
config
or
a
database
or
some
other
like
service
discovery,
endpoint
or
an
api
endpoint.
A
So
in
the
but
it-
but
you
did
mention
earlier
that
the
case
of
a
discovery
endpoint
being
sort
of
some
sort
of
aggregator
and
to
me
whether
that's
a
push
or
a
pull
model
to
get
the
information
into
the
aggregator.
A
A
No,
I'm
sorry,
it
wasn't
clear.
I
wasn't
thinking
about
the
what's
changed
from
a
sinking
of
discovery.
Endpoint
perspective.
I
was
actually
thinking
more
about
from
a
client
perspective.
Right.
I
have
a.
I
have
a
an
application
that
presents
some
services
to
a
user,
so
they
can
maybe
choose
one
right
and
but
periodically.
I
need
to
query
the
discovery
endpoint
that
I
hooked
up
to
to
know
whether
I
need
to
update
my
ui
right
with
a
new
list
or
you
know,
call
the
list
down
because
things
vanished.
F
A
F
F
C
Okay,
simon
your
hands
up
yeah,
I
agree
with
scott,
so
I'm
also
at
a
similar
problem
implementing
discovery
and
we
decided
to
go
with
the
cache
con,
basically
an
e-tag
as
a
solution
for
finding
out
if
content
changed
and
versioning.
If
you
need
to
have
the
really
the
details
on
it,
but
we
we
weren't
considering
having
epochs
and
logical
clocks
for
this,
because
eventual
consistency
would
be
okay
for
basically
getting
a
synchronized
state.
C
A
All
right
I'll
tell
you
what
that
that
helps.
So,
thanks
for
the
discussion,
scott
and
simon,
let
me
go
back
and
rework
this,
because
you
made
some
good
arguments
there,
scott,
and
I
think
you,
I
think
you
convinced
me
that
yeah
separate
value
would
be
probably
better
and
easier
to
implement
and
maybe
even
safer.
It's
okay!
Let
me
go
back
and
rework
that.
So
thank
you.
A
Okay,
the
only
other
thing
on
the
list
I
thought
might
be
interesting
was
this
one,
because
I
don't
know
whether
I
don't
remember
where
we
landed
on
this
one?
Does
anybody
remember
what
what,
if
anything,
you
want
to
do
with
this
one?
Here's
the
the
original
thing,
because
I
had
this
vague
recollection
that
we
may
have
said
it's
out
of
scope
for
us.
O
I
can
help
you
refresh
that
yeah,
okay,
yeah,
please
yeah,
that's
correct,
so
we
thought
that
it's
probably
not
the
best
fit
right
now
and
we
would.
We
basically
said
that
we'll
revisit
this
concept
in
future,
but
not
not
for
now
for
sure.
A
F
I
thought
we
also
said
that
we
would
consider
it
as
an
extension,
like
an
official
extension.
O
Yeah
yep,
I
agree
with
that
as
well,
but
but
I
think
we
need
to
address
the
concept
of
extensions
in
general
before
we
think,
or
we
classify
anything
as
extension
right
so
that
entire
topic
is
open
right
now
or
is
it
not?
I
don't
know
well
when
you
say
do,
can
you
elaborate
a
little
on
what
you
mean
by
deal
with
extensions,
so
the
extension
fields
we
we
still
have
to
discuss
on?
How
do
we
want
to
handle
the
concept
of
extension
fields
within
the
specification
right
now
or
do
we
already
know
that.
A
N
F
E
That's
right,
but,
but
just
so
specifically
on
this
one
sorry,
I
wasn't
paying
attention
for
two
minutes.
The
the
workbook
spec
is
effectively
mandating.
The
same
is
building
on
the
same
mechanism
that
http
itself
builds
on,
which
is
the
authorization
header
and
is
not
trying
to
invent
anything
new.
E
So
so
the
authorization
header
is
defined
in
what
72,
34
or
35,
and
that's
the
exact
mechanism
that
we're
that
we're
building
on
and
then
what
the
spec
says.
What
the
spec
says
is
that
it's
assuming
some
some
token-based
scheme,
even
oauth
2,
which
is
you
know
the
most
widely
used
framework
that
we
all
use
for
for
web
for
web
authorization,
makes
makes
no
firm,
has
no
firm
mandate
for
using
jots
or
not,
but
it
leaves
you
open
which
of
the
which
format.
E
So
if
you
look
at
or2
oauth2
will
will
have,
has
extensions
that
tell
you
that
it's
a
it's
a
jwt,
but
it
doesn't
ultimately
for
the
relationship
between
the
issuer
of
the
token
and
the
consumer.
Of
the
token,
the
the
the
party,
that's
actually
putting
the
token
into
the
into
the
message,
doesn't
need
to
know
what
format
that
token
has.
E
I
I
think
I
think
that
the
spec
as
it
stands
is,
is
we're
not
we're
not
inventing
anything
beyond
what
http
prescribes,
and
I
don't
think
we
should.
We
should
invent
anything
beyond
what
http
prescribes
it's
32,
it's
30
to
72
35.
E
E
Because
because
that's
the
webhook
spec
is
an
extension
of
our
http
binding
and
really
defines
how
you
deliver
a
a
cloud
event
via
post
to
a
particular
endpoint.
So
it
basically
is
a
constraint
on
the
http
binding
http
binding
allows
you
to
bind
the
cloud
event
to
any
http
message,
whether
that's
a
request
or
a
response,
and
and
doesn't
care
about
which
the
what
the
the
method
is
for
for
web
hooks.
We
need
to
have
something:
that's
a
bit
more
specific
for
delivering
events
out
in
a
push
fashion.
E
E
But
it's
referring
to
the
security
mechanism
that
is
defined
in
rfc
7235
and
then
also
points
to
off
to
as
the
as
the
framework
around
it.
But
I
don't
think
we
need
to
have
anything
special
because
that
that
that
authorization
header
is
not
expressed
in
the
cloud
event.
It's
out
of
band.
F
I
think
the
thing
that
I'm
considering
is
it
would
be
nice
to
have
this.
You
know,
go
through
some
other
cue
of
some
other
protocol
and
then
land
it
still
with
a
proof
of
origin
to
some
target
web
hook.
F
So
how
do
we
make
this
lossless
through
protocol
transformations.
E
Oh
so
you're
you're
you're
asking
for
something
else:
you're
asking
for
a
for
a
signature
for
the
cloud
event.
F
F
E
We've
we
have
discussed
this,
so
we
generally
have
discussed
the
the
problem
of
of
both
encryption
and
signature
for
cloud
events,
and
several
of
us
here
have
been
around
for
a
while
and
have
seen
the
ship
of
soap
sync
over
w
security
and
the
brutal
complexity
that
it
has,
and
so
we
have
decided
to
scope
out
in
basically
message
level
security,
both
signature
and
encryption
from
cloud
events,
1
0.
E
That
was
a
very
conscious
decision,
because
we
exactly
w
star
evolved
into
c
star,
because
it
it
turns
out
that
you
know
so
probably
wasn't
a
terrible
idea.
Until
all
the
security
stuff
came
around
where
people
then
started
building,
you
know
tls
on
top
of
w
star
and
all
it
was
terrible.
It
was
not
the
xml
scott,
so
we've
we've
decided
to
punt
on
this,
the
but
you're
you're,
already
kind
of
hinting
at
something.
That
is
probably
a
good
path,
and
that
is
s
mine.
E
Where
I
can.
I
can
see
that
were
that
we
would
create
something
that
allows
cloud
events
to
be
encoded
with
s
mime
and
that
that
s
mime
packets
can
then
be
routed.
So
that's
that's.
Ultimately,
I
think
where
that
might
land,
but
we
have,
we
have
decided
not
to
tackle
that
problem.
A
Okay,
manuel
your
hands
up.
H
Yeah,
I
think
we
pretty
much
summarized
where
we
got
to
last
week,
but
I
just
wanted
to
raise
that
this
was
about
really
the
signature
or
it
has
evolved
into
this.
Originally,
it
was
based
really
on
the
authorization
header,
but
I
think
the
use
case
would
have
been
to
authenticate
with
somebody
further
down
the
line.
H
So
if
you
communicate
through
a
web
hook
with
an
event
gateway-
and
that
is
that
event
is
propagated
to
a
consumer,
then
the
consumer
has
no
means
to
check
whether
the
message,
the
event,
the
content
had
been
messed
with.
So
this
is,
I
think,
where
it
came
from,
and
I
don't
think
that
the
authorization
header
here
helps
s
mime.
Yes,
sig
message,
signature,
maybe
also,
but
as
fm
would
that
work
across
all
transports
of
cloud
events.
E
We
so
if
we
decided
that
we
wanted
to
create
an
s
mine
binding
for
for
cloud
events
and
if
we
then
made
effectively
a
a
binary
pass-through
of
the
cloud
event
through
the
infrastructure.
E
I
can
see
that
working,
but
it's
something
that
we
have
to
go
and
spec
out.
So
I'm
I'm.
So
as
as
things
stand
right
now,
the
the
cloud
event
would
probably
not
translate.
O
Okay,
nice,
your
hands
up,
I
I
don't
know
it's
probably
kicking
my
ocds
into
action,
but
somehow
does
this
feel
wrong
to
have
something
as
sensitive
as
authorization
part
of
the
standard
spec
I
mean
even
as
an
extension
yeah.
I
don't
know
it
might
be.
Just
me,
though,.
E
But
that's
that
was
the
point.
That
was
the
point.
It's
like
that
we're
referring
to
it,
we're
referring
to
rfc
7235,
effectively
and
say
that's
http's
problem
and
then
we're
referring
to
oauth
and
saying
and
saying
yup
how
you
acquire
a
token
go.
Go,
look,
go
look
here!
We
don't
want
to
go
and
define
anything
related
to
security
here,
but
we
want
to
go
and
effectively
just
refer
to
existing
mechanisms
and
then
on
the
point
of
of
authenticating
it
down
against
against
a
downstream
entity.
E
E
I'm
not
sure
it's
real
because
most
of
the
messaging
systems
that
I
that
I'm
seeing
are
effectively
surrounded
by
gatekeepers
and
if
you're
allowed
to
put
a
message
into
the
system,
then
and
and
the
system
supports
routing,
then
the
system
will
effectively
you
know,
route
the
message
to
whatever
the
destination
is
and
having
having
a
system
which
kind
of
routes
you
four
hops
and
then
the
message
kind
of
stops
at
one
at
one
gate
where
it
says
the
message
can't
pass
here.
O
O
E
What
you
can't
do
is
you
can't
give
an
intermediary
the
keys
to
the
castle
to
a
downstream
entity,
because
nothing,
nothing
prevents
that
intermediary
for
from
then
from
then
reusing
your
credentials.
F
Well,
clemens,
how
do
you
deal
with?
Let's
see
you
have
these
guards
in
the
pipes
and
stuff?
But
if
you
use
cloud
events
to
act
as
a
router
and
you
don't
use
the
gatekeeped
cues
anymore
and
there's
a
bunch
of
mixed
messages
on
a
single
pipe,
you
don't
you,
you
lose
the
ability
to
gatekeep.
E
E
So
if
you
have
the
particular
case
that
you
really
want
to
make
sure
that
you
have
that
the
data
is
can
be
authenticated,
then
nothing
stops
you
from
crafting
the
payload
of
the
event
such
that
you
can
go
and
verify
it.
On
the
other
side,.
F
E
Yeah,
I
I
because
I
think,
that's
a
the
reason
why
we
the
the
reason
why
we
create
the
the
cloud
events
metadata
or
we
have
it.
Is
that
because
we
want
to
make
it
possible
for
for
arbitrary,
well,
not
arbitrary,
but
cloud
events
supporting
infrastructure
using
arbitrary
protocols,
the
ones
that
we
support
to
have
a
shared
understanding
of
what
to
do
with
those
events
and
how
to
dispatch
them.
But
it's
so
it's
it's
more,
a
spec
that
is
helping
you
to
help
foster
interoperability.
E
Then
you
know
having
the
the
originator
of
the
event
the
producer
of
the
event
and
the
consumer
of
the
event
deal
with
their
with
their
end-to-end
relationship,
because
the
end-to-end
relationship
is
ultimately
about
what
what's
in
that
event
in
terms
of
payload,
and
they
can
do
whatever
they
want.
One
of
the
print
one
of
the
principles
that
you'll
find
in
most
messaging
systems
is
that
end-to-end
security
is
generally
only
happening
at
the
endpoints,
with
the
broker
having
no
business
in
in
dealing
with
it
at
all.
E
It's
end-to-end
security
is
often
something
that's
that's
only
being
done
by
the
clients,
but
the
only
server
piece
may
be.
Some
shared
key
store,
but
that's
it
so
I
would.
I
would
follow
the
same
principle
here
and
say
you
know
if
you
really
want
to
have
end-to-end
security,
including
validation
of
who
sent
that
event.
That's
something
that
should
be
handled
end-to-end,
which
means
it's
it's
handled,
based
on
the
payload.
A
Okay,
so
we're
almost
out
of
time
I
apologize,
it
was
you
that
was
suggesting
you
may
be
able
to
respond
right.
Yes,
okay,
do
you
feel,
like
you
understand,
which
way
to
respond,
because
I
kind
of
got
the
sense
that
maybe
there's
a
pr
here,
someplace
to
add
additional
guidance
someplace,
maybe
in
the
primer
or
maybe
one
of
our
specs,
I
don't
know
yeah.
Do
you
feel
like
you
have
a
I'm
sorry
go
ahead
comments.
A
Be
great,
thank
you
very
much.
Okay.
So,
with
that
where's,
my
cursor
there,
it
is
okay,
okay,
so,
okay,
so
we
need
to
do
that
cool.
Thank
you
very
much,
okay.
That
was,
I
think,
that's
it
for
the
agenda.
I
don't
think
we
have
time
to
discuss
anything
else.
One
last
person
last
thing
erica.
Have
you
michael?
Are
you
still
on
the
call?
M
A
Meantime
does
anybody
have
any
topics
for
the
sdk
subgroup,
because
I
believe
that
the
spec
or
the
agenda's
still
empty,
so
I'm
suggesting
that
we
cancel
the
sdk
call
immediately
following
this
one?
Is
there
any
objection
to
that
or
does
anybody
have
any
topics.