The operating model we are moving to, starting with upcoming protocol 0.6 is one where Authorized Agents identify themselves to PIP/CB with public key cryptography. In this model, there need not be a pre-exchange of shared secrets (see #58 for discussion around authentication for GET and rate-limiting) and so a centralized directory model would stream-line onboarding for new participants.
@kevinr and I have designed on some digital napkins a model for these directories which would be a move away from the domain-based discovery of GET /.well-known/data-rights.json:
AA directory
business registration information
business contact
technical contact
public key for signed requests
CB directory
business registration information
business contact
technical contact
either:
link to metadata discovery endpoint
metadata which used to be in data-rights.json:
API base endpoint
supported rights actions (?)
implemented protocol version
My first-pass idea is to just host these on github-pages in a repository with strong ACLs and review requirements, but we could have some other models for this as requirements develop. Creating this issue to link to for future conversations.
rrix
commented
1 year ago
The operating model we are moving to, starting with upcoming protocol 0.6 is one where Authorized Agents identify themselves to PIP/CB with public key cryptography. In this model, there need not be a pre-exchange of shared secrets (see #58 for discussion around authentication for GET and rate-limiting) and so a centralized directory model would stream-line onboarding for new participants.
@kevinr and I have designed on some digital napkins a model for these directories which would be a move away from the domain-based discovery of
GET /.well-known/data-rights.json:AA directory
CB directory
My first-pass idea is to just host these on github-pages in a repository with strong ACLs and review requirements, but we could have some other models for this as requirements develop. Creating this issue to link to for future conversations.