[wot-security] minutes - 27 July 2020

available at:
  https://www.w3.org/2020/07/27-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Farshid!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

27 Jul 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#27_July_2020

Attendees

   Present
          Clerley_Silveira, Cristiano_Aguzzi, David_Ezell,
          Farshid_Tavakolizadeh, Kaz_Ashimura, Michael_McCool,
          Oliver_Pfaff, Tomoaki_Mizushima

   Regrets
          Elena_Reshetova

   Chair
          McCool

   Scribe
          FarshidT

Contents

     * [3]Topics
         1. [4]Agenda
         2. [5]minutes of last week
         3. [6]OAuth2 TD update
         4. [7]Best practices document
         5. [8]closing
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: FarshidT

Agenda

   <kaz> Agenda:
   [11]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#27_July_2020

     [11] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#27_July_2020

minutes of last week

   <McCool_>
   [12]https://www.w3.org/2020/07/20-wot-sec-minutes.html

     [12] https://www.w3.org/2020/07/20-wot-sec-minutes.html

   [13]minutes

     [13] https://www.w3.org/2020/07/20-wot-sec-minutes.July-20

   no objections on publishing the minutes

OAuth2 TD update

   PR 927:
   [14]https://github.com/w3c/wot-thing-description/pull/927

     [14] https://github.com/w3c/wot-thing-description/pull/927

   McCool: still draft. Did not update the ontology.
   ... Cristiano was going to look into token/authorization token
   issue

   Cristiano: already created a table summarizing the endpoint
   requirement for each flow
   ... Farshid noted that using authorization endpoint also for
   device may add confusion

   Farshid: clients may set authorization endpoint of auth server
   in place of device authorization one.

   McCool: the device_authorization name is not very nice
   ... can simply reuse the authorization endpoint for device, as
   flow field clarified that this is a different endpoint

   Farshid: the "authorization" endpoint is the name of an
   endpoint provided by the server, this has nothing to do with
   device authorization

   McCool:
   [15]https://github.com/w3c/wot-thing-description/pull/927#issuecomment-664363727
   ... updating the PR.

     [15] https://github.com/w3c/wot-thing-description/pull/927#issuecomment-664363727

   Farshid: what about when having multiple flows inside a schema
   ([16]https://github.com/w3c/wot-thing-description/issues/929)?

     [16] https://github.com/w3c/wot-thing-description/issues/929

   Cristiano: yes, it will add complications, even for AND/OR
   combinations.

   McCool: can go back and look at this. For now, want to have
   self-contained specification.
   ... have to check if any application will require an AND scheme
   combining device and another flow.
   ... the vocabulary is inconsistent with the body. Have to discuss
   with TD/ontology team to fix the issue regarding flow names.

   <kaz> [17]TD Issue 929 - Multiple OAuth 2.0 flows

     [17] https://github.com/w3c/wot-thing-description/issues/929

   McCool: comment regarding device_authorization and vocab for
   flows:
   [18]https://github.com/w3c/wot-thing-description/pull/927#issuecomment-664374807

     [18] https://github.com/w3c/wot-thing-description/pull/927#issuecomment-664374807

Best practices document

   McCool: since some flows are no longer recommended in TD, we
   should also update the security best practices
   ([19]https://github.com/w3c/wot-security-best-practices)

     [19] https://github.com/w3c/wot-security-best-practices

   <McCool_> [20]Issue 5 - Recommended OAuth2 flows

     [20] https://github.com/w3c/wot-security-best-practices/issues/5

   <kaz> [21]Issue 6 - Reference for MQTT

     [21] https://github.com/w3c/wot-security-best-practices/issues/6

   <kaz> [22]Issue 7 - Update with discovery and directory
   recommendations

     [22] https://github.com/w3c/wot-security-best-practices/issues/7

   McCool: we also need security best practices for directory and
   discovery in general
   ... need to update security practices document by July 2021,
   after discovery specs are in place

closing

   McCool: will discuss multiple flows and OR/AND scheme issues
   next time.
   ... will not merge the PR in the meantime.

   <kaz> [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [23]scribe.perl version ([24]CVS log)
    $Date: 2020/07/28 06:35:56 $

     [23] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [24] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 4 August 2020 05:24:24 UTC