# Meeting on 2024-01-26

## Attendees

* Atul Tulshibagwale (SGNL)
* Rifaat Shekh-Yusef (EY)
* Brian Campbell (Ping)
* Arndt Schwenkschuster (Microsoft)
* Naveen CM (Yahoo)
* Mike Jenkins (NSA)
* Pieter Kasselman (Microsoft)

## Agenda

### Need for this meeting

### How long should the TraT lifetime be?

* (Atul) I've seen similar tokens have about a 5-minute lifetime.
* (Naveen) We initially went with 2 minutes, but some teams want to reuse tokens for up to 5 minutes.
* (Atul) How long does it take to reissue the token?
* (Naveen) It is based on public-private keys, so it takes a few milliseconds to reissue, hence the need to reuse.
* (Arndt) I would look into self-issuing the tokens in the API gateway to reduce network latency.
* (Naveen) We wanted to keep it in one system to prevent the possibility of compromise.
* (Atul) Is the few milliseconds of latency that significant in a transaction that lasts more than 5 minutes?
* (Naveen) I just wanted to know the general guideline.
* (Arndt) This is going to be a primary use case of TraTs: people would have a gateway that swaps the access token for a TraT.

### [Header PR](https://github.com/oauth-wg/oauth-transaction-tokens/pull/64)

* (Brian) The last sentence is inaccurate, so it will be ignored or cause incompatibilities / people rejecting valid JWTs. I'd suggest not having that last sentence, or making it accurate.
* (Atul) I will remove the sentence that is problematic, because the JWT format is always the same.
* (Brian) The HTTP reference is way out of date. It needs to be updated.
* (Brian) If you are standardizing an HTTP header, you need to request registration, which may be a larger effort. I have done a "client certificate" field value, which is standardized in RFC 9440, which is similar to this, so we can take a similar approach.
* (Arndt) Is there a header that we can reuse?
* (Arndt) Are we talking about the IANA registration?
* (Brian) Yes.
* (Arndt) Here are two links on how to go about the registration: [HTTP Fields](https://www.iana.org/assignments/http-fields/http-fields.xhtml) and [protocol-registries/http-fields](https://github.com/protocol-registries/http-fields).
* (Arndt) Should we plan for having only one value or multiple values? Any transaction that involves two principals may require two transaction tokens.
* (Brian) One of the criteria for requesting a header is to specify whether it can occur multiple times, or have multiple values.
* (Brian) A single instance and single value is preferable at this time.
* (Rifaat) Is there an existing header that we can use?
* (Arndt) I didn't see an existing header that could be appropriate. I searched for "token" or "transaction" and did not find anything useful.
* (Rifaat) We should do comprehensive due diligence before we propose a new header.
* (Arndt) As a part of the registration, we can ask the maintainers of the registry whether there is something we can reuse.

### Identity Chaining Name Change

* I am going to send an email to the editors to get approval to include them as proponents of the change.

### WIMSE charter

* The [WIMSE charter](https://notes.ietf.org/Eg7vhJqUT_eyPI9LfJ9SXg?view) has solidified and is probably going to go to the IESG for approval, so please review.
* (Atul) The TraT draft was talked about as one that can move from OAuth to WIMSE; when is that discussion likely to take place?
* (Pieter, Rifaat) Let's see if the WIMSE group gets formed, and then we can discuss this.

### Aaron's Draft

* (Pieter) I've invited Aaron to next week's meeting.
* (Pieter) The draft is about taking id-chaining and putting more specific details about claims and scopes for specific applications (e.g. SaaS deployments).
* (Pieter) Aaron can provide details next week.