# Meeting Notes 10-06-23

## Agenda

Issues:

* Originator and purpose need to be added
* How do services authenticate the Txn-Token?
* Identity Chaining
* Separate Nested Tokens Draft
* WIMSE
* Q about Transaction Tokens

## Notes

### How to authenticate the Txn-Token?

* I have always thought about Txn-Token in the context of a single trust domain
* (Pieter) Do we need to give guidance about it?
* (George) We could say the issuer claim is in it, and clients should use the issuer discovery mechanism
* (George) As long as the issuer claim is required, then can you use it to discover the public key? And specify a mechanism. A number of people have "vault", and there are ways to get the public key from there
* (Justin) Spiffe uses something like this, but it is super platform specific
* (Justin) The approach of "use this id, and do your magic to find the key" is appropriate
* (Arndt) We have `kid` in the header

## Aud example

* (George) We need to update the example in many ways
  * Move context out as discussed
  * Add audience
  * Refer to previous notes for other changes

## Working on Action Items

* Assign the issue to yourself if you start working on the related PR.

## Identity Chaining

* (Arndt) We have two open items, we got reviews from Brian, and those need to be taken care of

## Separate Nested Tokens Draft

* (Atul) Need to work on a draft
* (Arndt) Is the cutoff date for adoption?
* (George) It's for presentation at Prague
* (George) We can just present it as a topic, without coming up with a draft

## WIMSE

* (Justin) BoF might be a non-WG forming at this time.
* (Justin) So one of the outputs should be a discussion on whether a WG should be formed.
* (Justin) I'd like to focus on the use-cases doc, the token container draft, and the presentation from the Spiffe Tokens WG
* (Justin) The remainder is what is the WG that can come out of WIMSE
* (Pieter) I've mapped all possible standards that could be relevant to WIMSE, so I could present that in the BoF

## Transaction Tokens used as proof?

* (Arndt) Can Txn-Tokens be used as proof for later verification?
* (Arndt) Potentially with nested access token?
* (Atul) We're specifically saying we should not embed access tokens
* (George) Can we use a verifiable credential?
* (George) VCs can have anything in them. E.g. a wallet instance
* (George) People are talking about using VCs like a movie ticket (not assigned to one user). So this could give you cryptographic proof, with a little more information in it.
* (George) Txn-Tokens could also be used, but needs a little exploration

## Action Items

* Add clarification about how to identify the public key of the Txn-Token
* Add originator and purpose claims
* Remove "leaf" term from the draft
* Update the example in the draft