# Meeting on 1-12-2024

## Issue [#58](https://github.com/oauth-wg/oauth-transaction-tokens/issues/58)

* There is value in allowing the requester to be able to say "I want this data to be immutable"
* We should not be prescriptive in that the TraT server
* (Atul) Should we have the field in the request be called something other than "azd"?
* (George) We can have a different name in the request
* (George) Calling it azd helps it correlate to RAR, but RAR is a super open framework, so we don't have to go that route
* (Kelley) The TraT server should have a policy, which allows the requester to specify the values from the request details that must / should be included in the `azd`
* (George) It's possible for a requester to be rejected (we need to specify that in the spec)

## Issue [#61](https://github.com/oauth-wg/oauth-transaction-tokens/issues/61)

* (George) Checked with Brian too, and he too suggested using the `scope` parameter
* (George) If I'm the API gateway, and I know this is a "money transfer" transaction, how do I convey that to the TraT server?
* (Atul) We can just go with `scope` in the request and use the `purp` field in the TraT
* (George) We need some processing rules
* (George) It could be a direct pass-through or it could be some transformation of it
* (George) We could soften the language in the PR to say that "the scope value should be used to determine the purp value"

## Issue [#60](https://github.com/oauth-wg/oauth-transaction-tokens/issues/60)

* (George) We could just be silent about how the TraT requester authenticates to the TraT service
* (George) We could update the example to not have the `actor_token` or just leave it as is
* Conclusion: Update the example to remove `actor_token` and be silent about the client authentication part
* (Atul) Add a sub-section in Security Considerations to address how the requester authenticates to the TraT service. We could give options, and specify that if you are using JWTs, you could use `actor_token` to do it
* (George / Kelley) Should we open a new issue that specifies to require client authentication?

## Process for making changes

* (George) We have shared the PR on the mailing list, and we haven't received responses
* (George) We should just merge the PR and then share the diffs with the mailing list
* (George) Adoption by the WG was just consent to working on this problem / spec, which is different from making changes to the spec

## Issue [#56](https://github.com/oauth-wg/oauth-transaction-tokens/issues/56)

* (George) Brian is arguing that we don't need `sub_id`, we can just use `sub`
* (George) The `iss` claim should be omitted from the TraT, but it makes the signing and verification of the JWT more complicated
* (George) There may be more than one TraT server in a trust domain
* (George) The issuer of the TraT may not be authoritative for the `sub`
* (Atul and George) Leave this change out of PR#57, and solicit opinion on the list and create another PR

## Other

* (Atul) We also need to address the header issue (where to put the TraT in an HTTP request)
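Added illustration, not part of the minutes and not code from the draft or its authors: a sketch of the TraT-server processing rules discussed under issues #58 and #61, namely deriving `purp` from the requested `scope` by policy (rather than a direct pass-through), building `azd` from the request details the policy allows, honouring a requester's hint that certain details must be carried in `azd`, and rejecting the request when policy does not permit that. The request parameter names (`request_details`, `required_azd_keys`), the `POLICY` table and the sample requests are all constructed assumptions for the example; only `scope`, `purp`, `azd` and `txn` come from the discussion.

```python
import secrets
import time

# Hypothetical TraT-server policy, constructed for this example. The draft
# leaves policy to the deployment; this one maps a scope to a purpose and
# lists which request-detail keys may be copied into `azd` for that purpose.
POLICY = {
    "purp_by_scope": {
        "payments:transfer": "money-transfer",
        "accounts:read": "account-lookup",
    },
    "azd_allowed_keys": {
        "money-transfer": {"amount", "currency", "dest_account"},
        "account-lookup": {"account_id"},
    },
}


class TratRequestRejected(Exception):
    """Raised when the TraT server's policy refuses to issue a token."""


def purp_from_scope(scope: str, policy: dict = POLICY) -> str:
    """Processing rule for issue #61: `scope` determines `purp`.

    A direct pass-through would return `scope` unchanged; this server applies
    a policy transformation and rejects scopes it has no purpose for.
    """
    scopes = scope.split()
    if len(scopes) != 1:
        raise TratRequestRejected("exactly one scope value expected for a transaction token")
    purp = policy["purp_by_scope"].get(scopes[0])
    if purp is None:
        raise TratRequestRejected(f"no purpose mapped for scope {scopes[0]!r}")
    return purp


def build_azd(purp: str, request_details: dict, required_keys: list, policy: dict = POLICY) -> dict:
    """Processing rule for issue #58: build `azd` from request details.

    `required_keys` is the requester's hint (hypothetical parameter) naming the
    detail keys it wants fixed in the token. Keys the policy does not allow for
    this purpose are dropped, unless the requester required them, in which case
    the whole request is rejected rather than issuing a token that silently
    omits data the requester wanted made immutable.
    """
    allowed = policy["azd_allowed_keys"].get(purp, set())
    missing = [k for k in required_keys if k not in request_details]
    if missing:
        raise TratRequestRejected(f"required details absent from request: {missing}")
    denied = [k for k in required_keys if k not in allowed]
    if denied:
        raise TratRequestRejected(f"policy does not permit {denied} in azd for purpose {purp!r}")
    return {k: v for k, v in request_details.items() if k in allowed}


def issue_trat_claims(request: dict, policy: dict = POLICY, lifetime_s: int = 300) -> dict:
    """Produce the claim set of a TraT (unsigned here; signing is out of scope)."""
    purp = purp_from_scope(request["scope"], policy)
    azd = build_azd(purp, request.get("request_details", {}), request.get("required_azd_keys", []), policy)
    now = int(time.time())
    return {"txn": secrets.token_urlsafe(16), "purp": purp, "azd": azd, "iat": now, "exp": now + lifetime_s}


def issue_or_reject(request: dict, policy: dict = POLICY) -> dict:
    """Wrapper returning either the issued claims or the rejection reason."""
    try:
        return {"status": "issued", "claims": issue_trat_claims(request, policy)}
    except TratRequestRejected as exc:
        return {"status": "rejected", "error": str(exc)}


# Constructed sample requests from an API gateway acting as TraT requester.
TRANSFER_REQUEST = {
    "scope": "payments:transfer",
    "request_details": {"amount": 100, "currency": "EUR", "dest_account": "DE89370400440532013000", "memo": "rent"},
    "required_azd_keys": ["amount", "dest_account"],
}
MEMO_REQUIRED_REQUEST = {**TRANSFER_REQUEST, "required_azd_keys": ["memo"]}
UNKNOWN_SCOPE_REQUEST = {"scope": "admin:all", "request_details": {}}

if __name__ == "__main__":
    for req in (TRANSFER_REQUEST, MEMO_REQUIRED_REQUEST, UNKNOWN_SCOPE_REQUEST):
        print(issue_or_reject(req))
```

The `memo` key shows the two behaviours side by side: not required, it is simply left out of `azd`; required, the request is rejected, which is the explicit-rejection case George asked the spec to cover.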