- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 19 Mar 2018 22:19:39 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>
available at: https://www.w3.org/2018/03/05-wot-sec-minutes.html

also as text below.

Thanks a lot for taking these minutes, Michael Koster!

Kazuyuki

---

[1]W3C

   [1] http://www.w3.org/

                               - DRAFT -

                             WoT Security

                              05 Mar 2018

[2]Agenda

   [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Elena_Reshetova, Michael_Koster,
          Michael_McCool, Tomoaki_Mizushima, Barry_Leiba, Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          kaz, mjkoster

Contents

     * [3]Topics
         1. [4]agenda
         2. [5]review minutes
         3. [6]review PRs
         4. [7]f2f wiki
         5. [8]security review of working group documents
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________

   <inserted> scribenick: kaz

agenda

   mccool: any update on lifecycle?
   ... updates the agenda

   <scribe> scribenick: mjkoster

review minutes

   [11]prev minutes

     [11] https://www.w3.org/2018/02/26-wot-sec-minutes.html

   mccool: update action items: decided to create a security
   metadata strawman
   ... objections to accepting minutes?

   (none)

review PRs

   PR #63: initial text for lifecycle

   [12]https://github.com/w3c/wot-security/pull/63

     [12] https://github.com/w3c/wot-security/pull/63

   discuss moving to Architecture document

   <inserted> (pr 63 merged)

   PR #74: metadata PR

   [13]https://github.com/w3c/wot-security/pull/74

     [13] https://github.com/w3c/wot-security/pull/74

   mccool: Several things above the example TD
   ... adding security to the base TD
   ... what if different interactions need different security?
   ... array of named configurations in the base document
   ... can refer to a named configuration in a form or describe a
   configuration in the form
   ... the example uses different security for reads vs. writes
   ... writes need an additional API key

   + {
   +   "href": "coaps://mylamp.example.com:5683/status",
   +   "mediaType": "application/json",
   +   "method": "coap:post",
   +   "security": ["ocf-config","apikey-config"]
   + },
   +

   mccool: no security is also allowed

   elena: are there examples of what some of the security bindings
   would look like?

   mccool: for example, OCF is a collection of mechanisms
   ... the OCF tag would be a tag for all of the metadata

   elena: how would you identify the specific set of credentials
   needed

   mccool: it's not represented now
   ... there is just one scheme with OCF
   ... it is a sub-scheme of a general type of authorization
   ... not quite figured out the structure of what is under what,
   e.g. bearer token
   ... all of the relations are not well identified yet
   ... there is currently identifier and scheme
   ... scheme and schema are unfortunately similar names and could
   introduce confusion

   elena: still having trouble seeing the end to end flow, where do
   the credentials come from and do we need to describe that?

   mccool: not sure how it works in OCF, like is there an AS?

   zoltan: it is solution-specific in OCF

   elena: probably need to provide a URL

   mccool: is it an interoperability problem?

   zoltan: still working on it in OCF

   mccool: maybe discuss at the OCF meeting
   ... kerberos style seems to be common
   ... describes high level kerberos protocol with AS, token,
   refresh...
   ... also need to incorporate oauth flow

   <kaz> [[
   "security": ["basic-config","apikey-config"]
   ]]

   "security": [{
     "@id": "token-config",
     "type": "token",
     "scheme": "bearer",
     "alg": "ES256",
     "as": "https://plugfest.thingweb.io:8443/"
   }],
   ]]

   "security": [{
     "@id": "proxy-config",
     "type": "http-proxy",
     "scheme": "basic",
     "href": "http://plugfest.thingweb.io:8087"
   }],
   ]]

   mccool: updated examples
   ... proxy has a secondary auth scheme
   ... use both schemes together

   <kaz> [14]Matthias' comment within issue 73

     [14] https://github.com/w3c/wot-security/issues/73

   mccool: OCF has ACLs that provide access control for read vs.
   write
   ... 2 design choices for OCF

   <kaz> (currently [[ "writable": false, ]] in the TD Example)

   mccool: can query the device for its metadata
   ... or configure the security state machine using a protocol
   binding form construct

   zoltan: 1st stage use device specific driver, 2nd stage look at
   a metadata approach

   mccool: agree
   ... looking at oauth2 flows
   ... openID Connect is user oriented
   ... not sure user ID stuff belongs in TD
   ... there are some experimental features to add to TD, we may
   need a way to identify experimental features
   ... what should we do on this PR?

   <kaz> [15]security metadata strawman pr

     [15] https://github.com/w3c/wot-security/pull/74

   <McCool> [16]https://github.com/mmccool/wot-security/blob/mechanisms/wot-security-metadata.md

     [16] https://github.com/mmccool/wot-security/blob/mechanisms/wot-security-metadata.md

   mccool: make a set of github issues for discussion and try to
   organize a session at the F2F

   elena: have TD present for the discussion

   mccool: hoping for a single track discussion
   ... plugfest wiki page

f2f wiki

   <kaz> [17]f2f input

     [17] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_24-29_March_2018,_Prague,_Czech_Republic#Input

   mccool: add another topic for the F2F to discuss security
   metadata vocabulary
   ... what about priorities for the discussion at the F2F?
   ... #1 is life cycle
   ... metadata is important
   ... validation, use cases
   ... (marking up the Wiki page with priority numbers)
   ... prioritize the metadata work
   ... over the publication schedule to next update of the
   security WG note
   ... the metadata has implementation dependencies

security review of working group documents

   mccool: TD, scripting, protocol binding
   ... we need to discuss in the context of life cycle

   elena: what is node-wot?

   zoltan: nodejs implementation of web of things

   mccool: open source implementation

   [18]https://github.com/thingweb/node-wot

     [18] https://github.com/thingweb/node-wot

   mccool: examples are there in the repo
   ... other information is needed for usage and setup
   ... out of time
   ... next week, review scripting API
   ... 2 more meetings before the F2F
   ... can anyone do analysis of TD and protocol bindings for
   security?

   elena: plan for scripting API discussion in 2 weeks

   mccool: next week, review metadata and TD security
   ... make early draft of the F2F schedule by next week
   ... AOB?
   ... adjourned

Summary of Action Items

Summary of Resolutions

[End of minutes]
     __________________________________________________________

    Minutes formatted by David Booth's [19]scribe.perl version
    1.152 ([20]CVS log)
    $Date: 2018/03/19 12:05:47 $

     [19] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [20] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 19 March 2018 13:20:53 UTC