►
From YouTube: IETF-GNAP-20230607-1400
Description
GNAP meeting session at IETF
2023/06/07 1400
https://datatracker.ietf.org/meeting//proceedings/
A
Yeah
I
wonder
what
happened?
Are
you
still
seeing
like
places
where
the
spec
is
unclear.
A
B
B
But
at
least
it
it
makes
sense
from
what
I'm
doing
it
makes
sense,
but
then
I'm
not
entirely
sure
someone
that's
not
participated
in
in
the
writing.
Of
it
will
understand
everything
and
I'm,
not
sure
it's,
but
at
least
it's
going
well.
Hi
Justin.
C
No
no
slides
prepared
for
the
day
we've
got.
The
the
only
change
was
the
the
set
of
diffs
that
went
into
the
latest
Draft,
so
I
figured.
We
could
talk
about
that
directly,
maybe
view
the
diff
itself
directly,
but
no
slides.
On
top
of
that.
B
B
A
A
A
C
Oh
okay,
oh
good,
good
I
was
afraid
we
were
going
to
have
it
be.
Was
that
that's
a
single
mutex,
audio
Kodak?
If
I
remember
my
multimedia
codec
days.
C
All
right
is
Leif
gonna
be
joining
us.
Do
you
know.
A
A
Well,
not
Quorum,
but
then
we
will
need
to
run
things
on
the
mailing
list.
That's
always
required,
but
this
time
it's
not
only
formality.
We
need
to
get
some
packing
to
move
forward
to
the
isg.
C
Yeah
we
posted
to
the
list
after
making
the
changes,
but
nobody
nobody
responded
at
that
time,
yeah
happy
to
go
through
them
today.
Do
you
want
to
share
or
should
I.
C
C
A
C
All
right,
okay,
so
there
were
a
couple
of
changes
in
the
latest
draft,
most
of
them
most
of
them
small
editorial
things
like
rotating
the
token's
value,
instead
of
rotating
the
token
just
being
more
precise
there,
the
biggest
change
you
can
actually
see,
starting
in
this
example,
and
that's
the
token
management
like
we
talked
about
in
Yokohama,
instead
of
token
management,
now
being
based
on
just
a
URI,
it
is
now
set
up
much
like
the
continuation
response
in
that
there's,
a
URI
and
an
access
token
structure.
C
That
goes
with
that.
The
access
token
is
mandatory
here
it
is.
This
is
the
text
that
defines
it
so
the
manage
field
when
it
comes
back
with
an
access,
token
object.
It
means
that
you.
C
Basically,
you
get
a
special
access
token
just
for
managing
the
access
token
and
and
for
nothing
else
previously,
we
had
used
the
token
itself
to
call
the
token
management
API,
but
there
was
pushback
on
that
during
last
call
and
after
discussion,
we
we
backed
that
off
and
now
are
using
a
separate
access
token
for
accessing
that
API.
C
This
is
a
little
bit
more
complicated,
but
it
is
parallel
with
the
rest
of
the
with
a
lot
of
other
functions
in
the
draft
and
in
fact,
most
of
this
text
we
took
from
the
continuation
token
text.
That's
already
been
discussed
at
length
in
the
group,
so
two
Fields
here,
the
URI
that
you
call
and
then
the
access
token
that
you
use
to
call
that
it
has
the
same
constraints
that
the
continuation
token
has,
which
is
to
say
it
must
be
bound
to
the
client's.
C
C
The
token
management
token
so
basically,
this
is
a
special
use
token,
and
if
it
stops
working
then
it
just
it
stops
working.
There's
you!
You
have
to
go,
get
a
new
access
token
from
from
the
grant,
API
and
then
I
have
that's.
C
Yep
yep,
you
don't
returning
the
manage
field
is
optional
entirely,
so
you
can.
You
can
completely
have
an
access
token
that
just
dies
or
is
manually
revoked
or
anything
like
that,
and
then
you
don't
have
to
worry
about
this
and
this
one
of
the
reasons
that
we
were.
We
were
comfortable
with
doing
this.
Is
that
that's
how
most
of
the
implementations
we've
seen
so
far
are
built?
C
They
just
have
simple
tokens
that
expire
and
then
then,
that's
the
that's
the
end
of
it,
but
the
feedback
we
got
from
the
from
the
thin
Bose
folks
and
from
the
the
Gen
folks,
gen
digital
is
that
if
they
were
to
implement
this,
then
what
we
had
had
in
the
draft
previously,
where
we
were
using
the
same
token
value
was,
was
not
going
to
be
easily
implementable
for
them,
but
separating
it
out
as
a
separate
field
that
they
could
track
was
a
pattern
that
that
you
know
we've
already
already
done
in
a
lot
of
ways.
C
It's
similar
to
the
oauth
2
refresh
token,
with
slightly
different
properties,
but
a
a
similar
idea
of
using
a
separate
value
to
control
access
to
to
token
management.
This.
C
So
we
now
no
longer
have
this.
If
it's
sender
constrained,
if
it's
Bearer
blah
blah
blah,
it's
always
just
the
token
management
access
token.
That's
always
the
one
that's
used
and
similar
to
the
continuing
continuation
API.
You
must
uniquely
identify
a
token
being
managed
from
the
token
management,
URI,
token
management
access,
token
or
a
combination
of
both
of
those.
So
just
like
the
can,
just
like
the
Grant
Management
API,
it's
the
same
same
set
of
constraints
which.
C
Yeah
I
I
think
so
as
well,
we're
putting
less
weight
on
just
the
API
and
allowing
or
sorry
just
the
URI
and
allowing
the
as
to
make
some
deployment
decisions.
There.
C
C
Yeah,
the
actual
management
apis
themselves
are
not
changed,
sort
of
what
the
as
has
to
do
with
it
is
simpler
now,
because
we
don't
have
to
have
all
of
this.
If
the
tokens
expired,
then
you
can
still
rotate
it,
which
was
the
source
of
contention,
and
we
also
don't
have
to
have
the
if
it's
a
bearer
token,
then
don't
treat
it
like
a
bearer
token
text,
which
is
which
was
also
confusing
to
people
I.
Think
a
lot
of
this
comes
from
this
being
a
less
a
much
less
exercise.
C
C
And
those
are
really
the
main
changes
you
know
there's
a
little.
Oh,
there
is
key
rotation
which
I
can
go
into
in
a
bit
once
we're
done
with
this
topic.
A
Before
we
move
into
irritation,
do
we
still
have
any
outstanding
issues.
C
Hearing
yep
all
issues
are
closed.
A
C
Yeah
there
was
one
other
issue
that
got
raised
about
interaction,
responses
and
sort
of
bundling
the
Finish
methods,
and
things
like
that-
and
we
talked
with
the
author
about
that
on
GitHub
and
proposed
that
that
might
fit
as
an
extension
and
they
agreed.
C
C
All
right,
so,
if
we're
okay
on
that
topic,
I
can
talk
about
the
the
key
rotation
changes.
C
So
there
was
actually
a
a
security
report
on
HTTP
message:
signatures
about
how
we
were
proposing
it
being
getting
used,
namely
signing
the
signature
value
in
order
to
compound
signatures
and
that's
what
we
were
using
to
do
key
rotation
in
gnap,
and
so
we
fixed
we
fixed
HTTP
signatures
there
weren't.
Actually
any
protocol
changes
there,
but
the
advice
on
how
to
apply
it
changed
a
bunch
that
of
course
affected
both
gnap,
which
we
have
here.
C
C
So
in
any
event,
key
rotation.
Previously,
you
would
just
sign
the
old
signature
value
so
yeah,
and
that
was
it
so.
C
C
So
previously
you
could
get
away
with
just
with
just
this
line
and
now
we're
saying
no,
you
actually
have
to
tie
it
to
the
entire
message,
because
you
don't
get
the
transitive
signature
property
that
we
thought
we
were
getting
before
so
you're
still
doing,
HTTP
signatures
you're
still
applying
two
signatures
in
order,
but
you
just
also
have
to
tie
it
to
the
rest
of
the
message
in
order
for
it
to
be
considered,
secure.
C
No
because
this
is
all
stuff
that
you
would
have
to
do
to
apply
the
first
signature
anyway,.
C
C
And
the
up
and
the
examples
here
are
updated
from
from
the
script
that
generates
all
of
these.
C
A
That
their
authorization
had
signed.
C
A
C
So
this
is
the
call
to
the
the,
since
this
is
key
rotation.
This
is
a
call
to
the
either
the
token
management
endpoint
or
the
Grant
Management
endpoints.
C
So
those
are
both
token
protected,
which
means
that
the
access
token
itself
is
bound
to
the
key
and
so
signing
the
authorization.
Header
value
shows
that
you
are
presenting
this
token
value,
underneath
this
particular
key.
C
With
HP
signatures,
we
were
very
deliberate
about
not
using
the
authorization
header
to
carry
the
signature
itself,
which
previous
drafts
of
the
signature
the
signature
scheme
did
allowed,
that
which
I
think
does
conflate
the
different
layers.
A
C
So
fappy
has
the
HTTP
signatures
or
signed
HTTP
requests
or
subsection,
so
there's
the
core
fappy
and
then
there's
a
couple
of
sort
of
additional
documents.
One
of
them
is
about
signed
HTTP,
which
uses
both
HTTP
signatures
and
all
of
the
oauth
Jose
methods,
like
you
know,
jar
and
charm
and
Par
and
all
of
this
other
stuff.
In
order
to
to
tie
everything
together,.
C
Thank
you,
so
flappy
has
a
similar
requirement
to
sign
to
sign
the
authorization
header,
but
also
you
know,
method,
method,
I,
don't
remember
if
they
do
Target
URI
or
just
at
authorization.
C
And
yeah,
that's
that's!
That's
pretty
much!
The
set
of
changes
there's
a
couple
of
editorial
updates,
but
those
are
the
two.
Those
are
the
two
big
ones.
C
And
that
should
address
all
of
the
things
that
came
up
in
last
call,
both
in
ganapa
and
in
HTTP
Sig,
that
we
depend
on.
C
So
hopefully
we
can
get
it
into
at
least
at
least
80
review
space
before
San
Francisco
and
yes,
maybe
I'm
optimistic,
but
maybe
iesg
review
bye.
Then
at
least
for
court.
C
Well,
we
do
have
the
the
RS
draft,
not
a
lot
of
changes
on
that,
but.
C
We
need
to
add
the
we've
got
the
token
model
section,
so
we
need
to
add
this
token
management.
Token.
To
that,
that's
the
only
thing
that
jumps
to
mind
soft.