- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 19 Mar 2018 22:19:39 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>
available at:
https://www.w3.org/2018/03/05-wot-sec-minutes.html
also as text below.
Thanks a lot for taking these minutes, Michael Koster!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT Security
05 Mar 2018
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
Attendees
Present
Kaz_Ashimura, Elena_Reshetova, Michael_Koster,
Michael_McCool, Tomoaki_Mizushima, Barry_Leiba,
Zoltan_Kis
Regrets
Chair
McCool
Scribe
kaz, mjkoster
Contents
* [3]Topics
1. [4]agenda
2. [5]review minutes
3. [6]review PRs
4. [7]f2f wiki
5. [8]security review of working group documents
* [9]Summary of Action Items
* [10]Summary of Resolutions
__________________________________________________________
<inserted> scribenick: kaz
agenda
mccool: any update on lifecycle?
... updates the agenda
<scribe> scribenick: mjkoster
review minutes
[11]prev minutes
[11] https://www.w3.org/2018/02/26-wot-sec-minutes.html
mccool: update action items: decided to create a security
metadata strawman
... objections to accepting minutes?
(none)
review PRs
PR #63: initial text for lifecycle
[12]https://github.com/w3c/wot-security/pull/63
[12] https://github.com/w3c/wot-security/pull/63
discuss moving to Architecture document
<inserted> (pr 63 merged)
PR #74: metadata PR
[13]https://github.com/w3c/wot-security/pull/74
[13] https://github.com/w3c/wot-security/pull/74
mccool: Several things above the example TD
... adding security to the base TD
... what if different interactions need different security?
... array of named configurations in the base document
... can refer to a named configuration in a form or describe a
configuration in the form
... the example uses different security for reads vs. writes
... writes need an additional API key
+ { + "href": "coaps://mylamp.example.com:5683/status", +
"mediaType": "application/json", + "method": "coap:post", +
"security": ["ocf-config","apikey-config"] + }, +
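Review bot: the semantics of a multi-entry `security` array on a form (`"security": ["ocf-config","apikey-config"]` on the `coap:post` form) are not stated in the hunk; the discussion treats the two entries as both required (writes need an additional API key on top of the OCF configuration), but an array can just as easily be read as a list of alternatives. Suggest stating next to the form definition whether listed configurations are all required or any-of, and that each name must resolve to a named configuration in the base document's `security` array.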
mccool: no security is also allowed
elena: are there examples of what some of the security bindings
would look like?
mccool: for example, OCF is a collection of mechanisms
... the OCF tag would be a tag for all of the metadata
elena: how would you identify the specific set of credentials
needed
mccool: it's not represented now
... there is just one scheme with OCF
... it is a sub-scheme of a general type of authorization
... not quite figured out the structure of what is under what,
e.g. bearer token
... all of the relations are not well identified yet
... there is currently identifier and scheme
... scheme and schema are unfortunately similar names and could
introduce confusion
elena: still having trouble seeing the end to end flow, where
do the credentials come from and do we need to describe that?
mccool: not sure how it works in OCF, like is there an AS?
zoltan: it is solution-specific in OCF
elena: probably need to provide a URL
mccool: is it an interoperability problem?
zoltan: still working on it in OCF
mccool: maybe discuss at the OCF meeting
... kerberos style seems to be common
... describes high level kerberos protocol with AS,
token, refresh...
... also need to incorporate oauth flow
<kaz> [[ "security": ["basic-config","apikey-config"] ]]
<kaz> [[
"security": [{
"@id": "token-config",
"type": "token",
"scheme": "bearer",
"alg": "ES256",
"as": "https://plugfest.thingweb.io:8443/"
}],
]]
<kaz> [[
"security": [{
"@id": "proxy-config",
"type": "http-proxy",
"scheme": "basic",
"href": "http://plugfest.thingweb.io:8087"
}],
]]
mccool: updated examples
... proxy has a secondary auth scheme
... use both schemes together
<kaz> [14]Matthias' comment within issue 73
[14] https://github.com/w3c/wot-security/issues/73
mccool: OCF has ACLs that provide access control for read vs.
write
... 2 design choices for OCF
<kaz> (currently [[ "writable": false, ]] in the TD Example)
mccool: can query the device for its metadata
... or configure the security state machine using a protocol
binding form construct
zoltan: 1st stage use device specific driver, 2nd stage look at
a metadata approach
mccool: agree
... looking at oauth2 flows
... openID Connect is user oriented
... not sure user ID stuff belongs in TD
... there are some experimental features to add to TD, we may
need a way to identify experimental features
... what should we do on this PR?
<kaz> [15]security metadata strawman pr
[15] https://github.com/w3c/wot-security/pull/74
<McCool> [16]https://github.com/mmccool/wot-security/blob/mechanisms/wot-security-metadata.md
[16] https://github.com/mmccool/wot-security/blob/mechanisms/wot-security-metadata.md
mccool: make a set of github issues for discussion and try to
organize a session at the F2F
elena: have TD present for the discussion
mccool: hoping for a single track discussion
... plugfest wiki page
f2f wiki
<kaz> [17]f2f input
[17] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_24-29_March_2018,_Prague,_Czech_Republic#Input
mccool: add another topic for the F2F to discuss security
metadata vocabulary
... what about priorities for the discussion at the F2F?
... #1 is life cycle
... metadata is important
... validation, use cases
... (marking up the Wiki page with priority numbers)
... prioritize the metadata work
... over the publication schedule to next update of the
security WG note
... the metadata has implementation dependencies
security review of working group documents
mccool: TD, scripting, protocol binding
... we need to discuss in the context of life cycle
elena: what is node-wot?
zoltan: nodejs implementation of web of things
mccool: open source implementation
[18]https://github.com/thingweb/node-wot
[18] https://github.com/thingweb/node-wot
mccool: examples are there in the repo
... other information is needed for usage and setup
... out of time
... next week, review scripting API
... 2 more meetings before the F2F
... can anyone do analysis of TD and protocol bindings for
security?
elena: plan for scripting API discussion in 2 weeks
mccool: next week, review metadata and TD security
... make early draft of the F2F schedule by next week
... AOB?
... adjourned
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [19]scribe.perl version
1.152 ([20]CVS log)
$Date: 2018/03/19 12:05:47 $
[19] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[20] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 19 March 2018 13:20:53 UTC