Note on the role of capabilities in the VO

Markus Demleitner msdemlei at ari.uni-heidelberg.de
Wed May 8 10:29:42 CEST 2019


Dear IVOA,

In the context of TAP 1.1 and the authenticated endpoints, we have
laboured a bit with the way we have been modelling complex service
interfaces; for that we've had the TAP 1.0 model (single access URL
with bespoke child resources) and a fairly different model that
evolved through VOSI and DALI (using capabilities as building
blocks).

TAP 1.1 made the incompatibility of the two approaches quite evident,
and so something had to be done.  A first attempt to resolve the
problem we made at the Santiago interop proved problematic and was
abandoned in College Park.

Then, at a meeting on Authentication and Authorisation held in
Trieste last January in the context of ASTERICS, a rough consensus
among the participants (which included some of the authors of TAP
1.1) was reached on how to go on.  I had promised back then to spell
that out, also in order to see how far the consensus really goes.

This turned out to be somewhat more involved than I had anticipated,
but now here is a first stab: "On the Use of Capabilities in the VO",
http://www.ivoa.net/documents/caproles/20190315/.

Since this has fairly wide-ranging (if somewhat technical)
implications, I'd appreciate if people could at least skim the
document.  In particular, I believe there are no operational changes
*yet* resulting from the note's findings and proposals, because the
patterns identified as problematic haven't actually been adopted in
running, widespread code relying on interoperability.  If
that turns out to be wrong, the conclusions might change.

So, in particular if you run servers or clients relying on VOSI
endpoints, I'd be happy to hear your feedback.

There'll also be a longer piece on this in one of the Registry
sessions in Paris.

        -- Markus

