CMI 5 Subgroup Meeting Notes – Nov 10th, 2023 - AICC/CMI-5_Spec_Current GitHub Wiki

Attendee List

  • Andy Johnson
  • Ang Boon Chang
  • Bill McDonald
  • Brian Miller
  • George Vilches
  • Megan Bohland
  • Thomas Turrell-Croft

Notes

The group discussed the following items:

Rejection vs voiding vs ignoring of statements out of sequence: what do we mean when the AU must send statements between these two statements (Initialized and Terminated), and what must the LMS do when they are not?

  • The LMS MUST Void statements that are NOT rejected AND conflict with the Statement API requirements…
  • (Eventual consistency)
  • LMS must reject statements sent before Initialized and

"Derived Requirements" (from CATAPULT documentation):

8.1.2.0-2 (d): The LMS must reject xAPI requests that use an authorization token prior to it being fetched, or after a session has been terminated or abandoned.

  • The LMS must track that the token was generated and reject tokens that were not created by fetch.
  • 'The authorization token returned by the "fetch" URL MUST be limited to the duration of a specific user session.'
  • Implication is that the Token is LRS Specific
  • The concept of a “session” is LMS specific – the fetch authorization token is basically a “session token”
  • What is the length of a session?
  • Expiry of a token (its lifetime) is more important from a security standpoint

8.1.2.0-5 (d): The LMS must reject HTTP requests made to the endpoint that do not contain the authorization token in the Authorization headers.
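As an added illustration (not code from the cmi5 spec, CATAPULT, or the LMS implementations discussed), a toy LMS session store that applies the two derived requirements above together with the statement-sequencing point from the first item: the token must come from fetch, a missing Authorization header is rejected, a terminated or abandoned session invalidates the token, an expired token is rejected, and statements before Initialized or after Terminated are refused. The session lifetime `FETCH_TTL_SECONDS`, the `Basic <token>` header shape, and the session state names are assumptions.

```python
import secrets
import time

# Assumed session lifetime; cmi5 leaves the length of a session LMS-specific.
FETCH_TTL_SECONDS = 3600


class LmsSessionStore:
    """Toy LMS: mints fetch tokens and checks xAPI requests against them."""

    def __init__(self):
        # token -> {"state": fetched|initialized|terminated|abandoned, "issued": epoch}
        self.sessions = {}

    def fetch(self, now=None):
        # Only tokens minted here are ever accepted (8.1.2.0-2: track creation).
        token = secrets.token_urlsafe(24)
        self.sessions[token] = {"state": "fetched", "issued": time.time() if now is None else now}
        return token

    def end_session(self, token, reason):
        # reason is "terminated" or "abandoned"; both invalidate the token.
        self.sessions[token]["state"] = reason

    def check_request(self, headers, now=None):
        """Return (accepted, reason) for the headers of one xAPI request."""
        now = time.time() if now is None else now
        auth = headers.get("Authorization", "")
        if not auth:
            return False, "missing Authorization header"  # 8.1.2.0-5
        _scheme, _, token = auth.partition(" ")  # scheme is assumed, e.g. "Basic"
        session = self.sessions.get(token)
        if session is None:
            return False, "token not issued by fetch"  # 8.1.2.0-2
        if session["state"] in ("terminated", "abandoned"):
            return False, "session " + session["state"]  # 8.1.2.0-2
        if now - session["issued"] > FETCH_TTL_SECONDS:
            return False, "token expired"  # token bound to session duration
        return True, "ok"

    def record_statement(self, token, verb, now=None):
        """Accept a statement only if authorized and in sequence."""
        ok, why = self.check_request({"Authorization": "Basic " + token}, now)
        if not ok:
            return False, why
        session = self.sessions[token]
        if verb == "initialized":
            session["state"] = "initialized"
            return True, "ok"
        if session["state"] != "initialized":
            return False, "statement before Initialized"
        if verb == "terminated":
            self.end_session(token, "terminated")
        return True, "ok"
```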

All Previous cmi5 Meeting Minutes/Notes

https://github.com/AICC/CMI-5_Spec_Current/wiki

cmi5 on GitHub:

http://aicc.github.io/CMI-5_Spec_Current/
