There seems to be consensus that OPES services would have to be
authorized explicitly and must not be transparent to both end-points.
This is in line with the discussion we had at the OPES BOF in
Minneapolis and is also reflected in the group description on the web
page ("Intermediary services provided in this way are not transparent:
They have to be authorized by either the content requester or the
provider, corresponding to who the service being provided for"). Looks
like this should be made explicit in a charter.
However, it's not yet clear whether we've consensus that such services
have to be authorized by BOTH or by EITHER ONE of the end-points.
There certainly are services that have to be authorized by both sides.
But it seems there are also services that can be authorized by only
one of the end-points.
Services that basically extend the origin web server, such as dynamic
assembling of pages on behalf of the content provider, probably do NOT
have to be authorized by the user.
What about, for example, a service that does NOT modify the content
itself (i.e. the response), but modifies the request and is executed
on behalf of and with permission of the user (e.g. to replace cookies,
make the request anonymous,...)? Seems like the content provider would
not have to give permission for such services.
Comments? Possible to reach consensus on this one?
-Markus