- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 28 Jul 2020 15:41:04 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2020/07/20-wot-sec-minutes.html
also as text below.
Thanks a lot for taking the minutes, Cristiano!
Kazuyuki
---
- DRAFT -
WoT Security
20 Jul 2020
Attendees
Present
Kaz_Ashimura, Michael_McCool, Oliver_Pfaff,
Farshid_Tavakolizadeh, Cristiano_Aguzzi,
Tomoaki_Mizushima, David_Ezell
Regrets
Elena_Reshetova
Chair
McCool
Scribe
Cristiano
Contents
* [2]Topics
1. [3]Previous minutes
2. [4]Review OAuth2 PR against TD
3. [5]TD Issue 929
4. [6]Issue 901
5. [7]TD Issue 923
* [8]Summary of Action Items
* [9]Summary of Resolutions
__________________________________________________________
<kaz> scribenick: cris_
Previous minutes
[10]July-13
[10] https://www.w3.org/2020/07/13-wot-sec-minutes.html
McCool: keeping track of who is scribing
... reviewing previous minutes
... check PR 28, ok it was merged
... minutes ok?
... minutes accepted
Review OAuth2 PR against TD
<kaz> [11]wot-thing-description PR 927
[11] https://github.com/w3c/wot-thing-description/pull/927
McCool: I created the PR about OAuth 2.0. It was discussed in
the TD call, but we waited to merge it to have a final pass
today
... In the PR I also updated the ontology
... I added mandatory fields for each flow
<kaz> [12]PR Preview - 5.3.3.8 OAuth2SecurityScheme
[12] https://pr-preview.s3.amazonaws.com/mmccool/wot-thing-description/pull/927.html#oauth2securityscheme
McCool: I also added more statements about the usage of the
OAuth security schema. I hope it helps
Oliver: I am not sure that both authorization and token MUST be
defined.
McCool: we have two separate fields in TD, I am still not
completely sure if the two endpoints must be specified
Farshid: I think that we need both
Cristiano: I'll check that
McCool: if authorization and token are kind of redundant we
have to state that
... review the PR
... I changed the wot-security ontology file
... we need to be backward compatible.
Kaz: possible feedback on the security note?
McCool: we have to put a note about implicit and password flow
being deprecated.
TD Issue 929
<kaz> [13]TD Issue 929 - Multiple OAuth 2.0 flows in security
definitions
[13] https://github.com/w3c/wot-thing-description/issues/929
Farshid: I propose a way to factorize common security
configurations
McCool: the problem is that if we have multiple optional
security schemes for an affordance ..
... we have to create one form for each one
... I think your solution is reasonable
... we should probably also add a way to have an AND composition on
the security schema
... any other comments?
<inserted> [14]McCool's comment
[14] https://github.com/w3c/wot-thing-description/issues/929#issuecomment-660997673
McCool: ok, now let's go over TD-related issues that might
also have security implications
TD Issue 901
<kaz> [15]wot-thing-description Issue 901 - Clarifying use of
multiple security schemes in the security term
[15] https://github.com/w3c/wot-thing-description/issues/901
McCool: it looks like OpenAPI uses OR instead of AND (like
our proposal)
... the AND was designed to work with proxies
... we can also have one scheme for authorization and for
access
... we might define a different field to state proxy security
configuration
Oliver: I think we need both (AND and OR) combinations of
security schemas
Cristiano: what if we have multiple proxies?
McCool: we again have use cases for OR and AND combinations of
security schemas
... the real issue is that the OR combination causes
redundancy.
... we need to solve that
... trying to define different options to express ORs and ANDs
in a concise way
... one is an array of arrays. One problem is that the nesting
changes the meaning
... Another option can be to use a wrapper object
... honestly it seems a little bit strange. Plus it is not
backward compatible
... evaluating Farshid's solution
... it seems like a linked list.
... finally we could define an "or" in securityDefinitions
... also "and"
... we can do complex boolean expressions with this approach
Cristiano: I like this approach
Farshid: should we deprecate the security field as an array?
McCool: better not, for backward compatibility
Cristiano: do we really need an "and" security schema? We can
leverage the array
<kaz> [16]McCool's comment to Issue 901
[16] https://github.com/w3c/wot-thing-description/issues/901#issuecomment-661021134
McCool: you can, but if you go deeper you need a way to define inner
ANDs.
Cristiano: right
McCool: we are out of time. Please comment on the issue
with your considerations
TD Issue 923
<inserted> [17]wot-thing-description Issue 923 - How to
describe Philips Hue security scheme
[17] https://github.com/w3c/wot-thing-description/issues/923
McCool: lastly, let's go quickly over the last items of the agenda.
We are going to discuss them in the next call
... Ege provided an interesting example where the key is in the
URL. We need a way to express template values
... feel free to comment
... there are also related issues about OAuth 2.0
... also another issue on dynamic TDs
... let's close the meeting
<kaz> [adjourned]
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes manually created (not a transcript), formatted by
David Booth's [18]scribe.perl version ([19]CVS log)
$Date: 2020/07/21 08:41:33 $
[18] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[19] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 28 July 2020 06:41:10 UTC