
[wot-security] minutes - 17 August 2020

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Wed, 26 Aug 2020 21:01:05 +0900
Message-ID: <871rjt62gu.wl-ashimura@w3.org>
To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
  https://www.w3.org/2020/08/17-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Clerley!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

17 Aug 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#17_August_2020

Attendees

   Present
          Clerley_Silveira, Cristiano_Aguzzi, David_Ezell,
          Elena_Reshetova, Farshid_Tavakolizadeh, Kaz_Ashimura,
          Michael_McCool, Oliver_Pfaff, Tomoaki_Mizushima,
          Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          clerley

Contents

     * [3]Topics
         1. [4]Meeting agenda
         2. [5]Prior meeting minutes approval.
         3. [6]TD PR on OAuth2
         4. [7]Other TD PRs
         5. [8]TD PR 944
         6. [9]Directory security
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: clerley

Meeting agenda

   Farshid: Some concerns about OAuth2. Will add to the agenda.

Prior meeting minutes approval.

   <kaz> [12]Aug-10 minutes

     [12] https://www.w3.org/2020/08/10-wot-sec-minutes.html

   Reshetova: Had an issue accessing the Conexxus Threat Model
   template.

   Meeting minutes for August 10, 2020 approved.

   McCool: OAuth2 PR has been merged. Created a few issues.

TD PR on OAuth2

   <inserted> [13]TD PR 927

     [13] https://github.com/w3c/wot-thing-description/pull/927

   McCool: Would like to clean up the OAuth2 security scheme.
   Would like some feedback from the group.
   ... Create a new issue related to the device authorization
   element.

   Farshid: For consistency, "device authorization" should be
   camel case.

   McCool: Discuss the issue during the TD call

   <McCool>
   [14]https://github.com/w3c/wot-thing-description/issues/953

     [14] https://github.com/w3c/wot-thing-description/issues/953

   Cristiano: Would like to discuss validation of variant records.

   McCool: Created an issue and linked to an issue defined in
   "Scripting"

   <McCool>
   [15]https://github.com/w3c/wot-thing-description/issues/954

     [15] https://github.com/w3c/wot-thing-description/issues/954

Other TD PRs

   <kaz> [16]TD PRs

     [16] https://github.com/w3c/wot-thing-description/pulls

   McCool: Would like to assign some reviewers to PRs.
   ... Does not think they are ready yet.
   ... Looked through the proofChain. Listed some issues.

   <kaz> [17]TD PR 943 - WIP: Add proof and proofChain sections

     [17] https://github.com/w3c/wot-thing-description/pull/943

   McCool: Extension should specify the context file.
   ... Normalization of the TD spec. For some things, order of
   types does not matter. But for others, it does.
   ... For proofChain, order must be preserved.
   ... Need reviewers for PR 943.
   ... Worked with "Linked Data Signatures" to improve their spec.
   Does not think the spec is clear.

   Farshid: Thinks both can be defined as array. If order does not
   matter, an array can be used.
   ... During initialization order matters.

   McCool: Explicitly called proof set. For sets, order does not
   matter.

   <kaz> [18]TD Preview from PR 943 - 5.3.1.1 Thing

     [18] https://pr-preview.s3.amazonaws.com/mmccool/wot-thing-description/pull/943.html#thing

   McCool: 5.3.1.1. needs to be reviewed. The text related to
   arrays is not correct.

   <kaz> [19]Diff

     [19] https://pr-preview.s3.amazonaws.com/w3c/wot-thing-description/943/32ba69e...mmccool:92f1510.html#thing

   <kaz> [20]Linked Data Proofs

     [20] https://w3c-ccg.github.io/ld-proofs/

   McCool: TD spec section 7.1 must be updated. Currently not
   clear. It does not provide enough information.
   ... Should discuss with Task Force.
   ... "LD Proof" PR needs more detail to handle all the options.

TD PR 944

   <kaz> [21]TD PR 944

     [21] https://github.com/w3c/wot-thing-description/pull/944

   McCool: Created a PR "and/or". Decided to use "anyOf" or
   "allOf" to follow the proper terminology.
   ... Farshid to create an issue.

   Farshid: If flagged then it can be deprecated in 2.0

   Cristiano: Why define a scheme for anyOf and allOf?

   McCool: Would like to add an example.

   <FarshidT> example for security combination:
   [22]https://github.com/w3c/wot-discovery/blob/71612e81f987ba43f6943f9fd542d15492bcefdb/directory.td.json

     [22] https://github.com/w3c/wot-discovery/blob/71612e81f987ba43f6943f9fd542d15492bcefdb/directory.td.json

   Farshid: Shows example of device flow and code and a
   combination.

   Cristiano: Would like to link to example. That way the preview
   can be displayed directly from the PR.

   McCool: Agrees with the suggestion.
   ... Added example to PR with multiple security schemes. No need
   to make up name for "things"

   Farshid: If you would like to make it compact, create an array
   with the flows and remove the existing data type.

   <kaz> [23]McCool's comment to TD PR 944 including an example TD

     [23] https://github.com/w3c/wot-thing-description/pull/944#issuecomment-674862824

   McCool: The spec will allow for a string, security scheme or
   an array. If we just allow array, then it becomes string or
   security scheme.
   ... That would have to be changed in version 2.0.

   <kaz> [24]Diff from TD PR 945

     [24] https://pr-preview.s3.amazonaws.com/w3c/wot-thing-description/945/32ba69e...mmccool:e924552.html#thing

   Farshid: Concern about how to mandate oneOf or allOf. Why not
   define in the JSON schema?

   McCool: Has not changed the JSON schema to account for the
   changes. JSON schemas are non-normative, there is no standard
   for JSON schemas.
   ... Similar issue with the variant record.

   <kaz> [25]TD Issue 955 - Better validate "oneOf" choices

     [25] https://github.com/w3c/wot-thing-description/issues/955

Directory security

   Farshid: Does not think the token needs to be mandatory. None
   of the endpoints is needed; the back-end software will swap the
   authorization token and get the access token.

   McCool: please raise an issue about that

   Adjourn

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [26]scribe.perl version ([27]CVS log)
    $Date: 2020/08/18 13:30:22 $

     [26] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [27] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 26 August 2020 12:01:12 UTC
