[wot-security] minutes - 25 May 2020

available at:
  https://www.w3.org/2020/05/25-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Zoltan!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

25 May 2020

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Oliver_Pfaff, Zoltan_Kis,
          Cristiano_Aguzzi, Daniel_Peintner, Michael_Lagally,
          Tomoaki_Mizushima, David_Ezell

   Regrets
          Elena_Reshetova

   Chair
          McCool

   Scribe
          zkis

Contents

     * [2]Topics
         1. [3]past minutes
         2. [4]PRs
         3. [5]OAuth2 issue in Scripting
     * [6]Summary of Action Items
     * [7]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: zkis

past minutes

   May 18 minutes and May 4 minutes to be reviewed

   <kaz> [8]May-18

      [8] https://www.w3.org/2020/05/18-wot-sec-minutes.html

   McCool: any objections accepting these?

   accepted

   <kaz> [9]May-4

      [9] https://www.w3.org/2020/05/04-wot-sec-minutes.html

   <inserted> (typos within May-4 minutes are fixed; and approved)

PRs

   <McCool> [10]https://github.com/w3c/wot-security/pull/175

     [10] https://github.com/w3c/wot-security/pull/175

   [past minutes accepted]

   <McCool> [11]https://github.com/w3c/wot-security/pull/176

     [11] https://github.com/w3c/wot-security/pull/176

   Oliver: one of these is obsolete

   McCool: we can add direct references, but we should instead add
   references to ReSpec

   Zoltan: that is right

   McCool: we could accept this but later move references from
   localBiblio to ReSpec references

   [12]https://www.specref.org/

     [12] https://www.specref.org/

   McCool: we should have (linked) terms for User Data etc
   ... some issues about citing references
   ... maybe merge this and fix it in a separate PR?

   Oliver: OK

   Lagally: should respect the style guide for W3C docs
   ... about the specific term User Data - should we define that
   in the Architecture doc?

   McCool: create an issue for that

   Lagally: we also need a definition for that

   McCool: Elena maybe, or I could look into it
   ... merging into the Working branch for now

   <McCool> [13]Manual of Style

     [13] https://w3c.github.io/manual-of-style/

OAuth2 issue in Scripting

   [14]https://github.com/w3c/wot-scripting-api/issues/214

     [14] https://github.com/w3c/wot-scripting-api/issues/214

   McCool: to make sure all flows are implemented

   <McCool> [15]https://github.com/w3c/wot-security/issues/173

     [15] https://github.com/w3c/wot-security/issues/173

   McCool: we need to read into the OAuth spec
   ... Cristiano and Daniel are involved, please drive through

   Cristiano: presents
   [16]https://github.com/w3c/wot-scripting-api/issues/214
   ... user needs to do manual login
   ... how to put that flow in node-wot
   ... problem: only possible if the script runs in the browser
   ... this defines the context for this issue
   ... we need to decide how to handle the interaction between the
   user and runtime
   ... then, if it happens transparently or not
   ... and which way, e.g. with an init function?
   ... MM suggested solving the issue at protocol level

     [16] https://github.com/w3c/wot-scripting-api/issues/214

   <mlagally> [Here's the terminology issue for the architecture
   specification:
   [17]https://github.com/w3c/wot-architecture/issues/508]

     [17] https://github.com/w3c/wot-architecture/issues/508

   Cristiano: the user could be represented by a service, but I have
   never seen this flow code implemented by others

   McCool: we don't necessarily need to add the flow to browser,
   it could be a user agent, possibly a very simple one
   ... the question is if the device is a server, should we use a
   web dashboard or what?
   ... for each flow we need a use case; state reasons when we
   don't support them

   Cristiano: ok
   ... where are the use cases posted?

   McCool is adding a comment to
   [18]https://github.com/w3c/wot-scripting-api/issues/214

     [18] https://github.com/w3c/wot-scripting-api/issues/214

   <dape> code flow mentioned in TD, see
   [19]https://w3c.github.io/wot-thing-description/#oauth2securityscheme

     [19] https://w3c.github.io/wot-thing-description/#oauth2securityscheme

   Lagally: use cases are collected in the Architecture task force
   ... the OAuth scenario matches several domains and scenarios
   ... we should document these flows somewhere we can reference
   them from

   Oliver: we should not try to use OAuth flow for everything but
   check which use cases correlate to which flows
   ... there is server, resource server and caller (browser or
   app)
   ... if we replace the resource server with an IoT device, it's
   (?)
   ... if we replace the caller, then (?)
   ... if we look at the auth flow and matching people with
   devices won't work

   Cristiano: agree on that

   McCool: TD describes resources available on the device

   Zoltan: we really need the use cases defined, I am not
   convinced the human user should be involved in the flows

   McCool: right - assuming we need to support the human user flow

   Oliver: the OAuth spec is quite implicit, not explicit, about
   whether it is a human user

   Cristiano: yes, I also found it unclear
   ... every other owner interprets that it's the user

   Zoltan: we have 2 options: one is solving it with provisioning,
   the other is solving it with a UI, depending on who the provider is

   McCool: include this in the lifecycle and onboarding topic

   Cristiano: the problem is when the token provider says the tokens
   are expired; then we need to involve the resource owner

   Zoltan: there could be an error in that case, either at the end
   user, or at the provider's management system

   McCool: or do automatic refreshing of tokens
   ... which is anyway a good security practice

   McCool captured some comments in the github issue

   McCool: we have several possibilities ahead: 1. we need to
   capture the various use cases
   ... for instance as an md file
   ... create a use case in...

   Lagally: the Architecture repo, please

   McCool is creating a new use case in Architecture.

   (link to commit)

   McCool: next step is to create PRs based on this

   Cristiano: I could do that

   McCool: discussing the Invited Expert status of Cristiano

   Cristiano: there are issues/questions about that

   McCool: will work with Kaz for the procedure
   ... AOB?

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [20]scribe.perl version ([21]CVS log)
    $Date: 2020/05/28 13:35:26 $

     [20] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [21] http://dev.w3.org/cvsweb/2002/scribe/

Received on Monday, 8 June 2020 01:47:33 UTC