# Solid Authorization Panel January 20th, 2021 ## Meeting - https://meet.jit.si/solid-authorization ## Present - Justin B - Henry Story - Elf Pavlik - Sarven C - Dmitri - Josh Collins - Martynas - EricP ## Agenda - Survey Review - PRs - VC Group Membership - https://github.com/solid/authorization-panel/pull/157 - Functional Requirements - https://github.com/solid/authorization-panel/pull/152 - Previous [meeting notes PR](https://github.com/solid/authorization-panel/pull/158) ## Minutes ### VC Group Membership - https://github.com/solid/authorization-panel/pull/157 DZ: Reminder: VC on their own isn't a replacement for access control. RS shouldn't know about the group credential, but instead would check against the capability exchanged for the group membership. DZ: Example: Age restricted items (e.g. must be over 14 years old) - how do we express that in authorization terms. Something is restricted - to access it you need the capability - to get the capability you need to present the verifiable credential. Capabilities + VC are the recommended way. DZ: Recommended spec - Authorization capabilities for Linked Data (ZCAP) SC: see links in https://github.com/solid/authorization-panel/issues/121#issuecomment-746441736 ### Functional Requirements PR - Should have a requirement associated with each use case HS: LDP UCR document lists requirements that are struck through as they were not implemented. It seems we should have a good list of use cases and requirements, which give an idea of what needs to be done over the long term. Unless people disagree with use cases (arguing that they should never be done). Which ones get implemented in Spec V1 becomes a matter of prioritization and choice at spec writing and implementation time. (Perhaps this should just made clear in the Requirements secution) Discussion on PR ### Meeting Notes PR HS: Propose to PR notes moving forward, since we don't have a scribe and the notes are often partial. This allows the notes to be filled in and clarified after the call. Justin: Question should it just be checked in immediately and the PRs on the checked in version? Or should notes be PRed and then checked in? ## last minute Emmet: do the resource servers do the auth, or does one need a seperate auth server?