[wot-security] minutes - 19 April 2021

available at:
  https://www.w3.org/2021/04/19-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Philipp!

Kazuyuki

---
   [1]W3C

      [1] https://www.w3.org/

                              WoT Security

19 April 2021

   [2]IRC log.

      [2] https://www.w3.org/2021/04/19-wot-sec-irc

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Philipp_Blum,
          Tomoaki_Mizushima

   Regrets
          -

   Chair
          McCool

   Scribe
          citrullin, kaz

Contents

    1. [3]Joint call with scripting
    2. [4]Canonicalization and signing
    3. [5]Object security
    4. [6]OAuth2 flows

Meeting minutes

  Joint call with scripting

   McCool: We could have a joint call for two hours. But let's
   take a look into the topics first.

   [7]Security TaskForce related issues

      [7] https://github.com/w3c/wot-scripting-api/issues/315

   [8]Discovery TaskForce related issues

      [8] https://github.com/w3c/wot-scripting-api/issues/314

   McCool: I guess we should comment on the issue what we have to
   deal with.

   McCool adds a note to the security wiki. Logistics still
   under discussion.

  Canonicalization and signing

   McCool: The problem with canonicalization is default values.
   … the preprocessor may fill in the default values if they
   are not given.

   McCool adds a comment to the wiki regarding this issue.

   Philipp: There should be an issue for it, so that we can think
   about it more in detail.
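   The default-value problem raised above, as an added example (not from
   the minutes or from any WoT project code): a signer and a verifier
   hash the canonical JSON of a TD fragment, and if a preprocessor
   materialises omitted defaults on only one side the digests differ, so
   the example normalises by stripping members that equal their default
   before signing. The default table, the sample TD, the HMAC key and
   the RFC 8785-style canonicalisation via json.dumps are assumptions.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample TD: members equal to the spec default (false) are omitted.
SAMPLE_TD = {
    "title": "Lamp",
    "properties": {"status": {"type": "string",
                              "forms": [{"href": "http://lamp.local/s"}]}},
    "actions": {"toggle": {"forms": [{"href": "http://lamp.local/t"}]}},
}
# Assumed default table (a small subset, for illustration only).
DEFAULTS = {"properties": {"observable": False},
            "actions": {"safe": False, "idempotent": False}}
KEY = b"constructed-demo-key"  # stand-in for a real signing key

def canonicalize(td: dict) -> bytes:
    """Canonical JSON in the RFC 8785 style: sorted keys, no whitespace."""
    return json.dumps(td, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def fill_defaults(td: dict) -> dict:
    """What a TD preprocessor does: materialise every omitted default."""
    out = deepcopy(td)
    for section, defaults in DEFAULTS.items():
        for aff in out.get(section, {}).values():
            for k, v in defaults.items():
                aff.setdefault(k, v)
    return out

def strip_defaults(td: dict) -> dict:
    """Normalise before signing: drop members that only restate a default, so
    the signed bytes are identical whether or not the preprocessor ran."""
    out = deepcopy(td)
    for section, defaults in DEFAULTS.items():
        for aff in out.get(section, {}).values():
            for k, v in defaults.items():
                if k in aff and aff[k] == v:
                    del aff[k]
    return out

def naive_digest(td: dict) -> str:
    """Digest with no default handling: changes when defaults get filled in."""
    return hashlib.sha256(canonicalize(td)).hexdigest()

def sign(td: dict, key: bytes) -> str:
    """HMAC-SHA256 over the normalised canonical form (signature stand-in)."""
    return hmac.new(key, canonicalize(strip_defaults(td)), "sha256").hexdigest()

def verify(td: dict, key: bytes, mac: str) -> bool:
    return hmac.compare_digest(sign(td, key), mac)
```

   A signature made over the author's TD still verifies after a consumer's
   preprocessor has filled in the defaults, while the naive digest does not.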

  Object security

   [9]Consider how to support object security

      [9] https://github.com/w3c/wot-security/issues/185

   McCool: .local domains are problematic to secure.
   … there is still information which can get leaked, even if the
   body is encrypted. Query parameters, for example.

   Philipp: We may be able to use DIDs here and store the related
   keys etc. attached to the DID in a DLT.

   <McCool> [10]https://tools.ietf.org/html/rfc7165

     [10] https://tools.ietf.org/html/rfc7165

   McCool: We don't have experience with that and it probably
   takes too much time to get this experience.

   Kaz: I agree that we might want to use DID for that. But I
   agree that it would take too much time for the current v1.1
   specs.

   McCool: There is a way to distribute keys via DID. But this
   goes beyond IoT.

   Philipp: Newer versions of HTTP allow encryption of headers.
   Not sure about queries though.

   McCool: TLS relies on global domains. And that doesn't work in
   .local.
   … for now we have to allow http for discovery.

   Philipp: So we might have to say in the best practices, if you
   want to have object security you should put the queries into
   the body.

   McCool: Problem is that discovery supports queries in the URL
   and therefore they cannot get encrypted. SPARQL on the other
   hand allows the queries in the body.

   <McCool> [11]https://krellian.com/

     [11] https://krellian.com/

  OAuth2 flows

   Philipp: I think we can remove the submitter etc.

   McCool: Yes, there are some things which can get simplified and
   removed.
   … have you made a PR for the use-case document?

   Philipp: No, I haven't. We should talk with Michael Lagally
   first, I think.

   [12]OAuth2 flow issue

     [12] https://github.com/w3c/wot-security/issues/194

   [13]OAuth2 flow PR

     [13] https://github.com/w3c/wot-security-best-practices/pull/10

   <kaz> [14]wot-security-best-practices PR 10 - Move OAuth2 flow
   from usecases to security-best-practices

     [14] https://github.com/w3c/wot-security-best-practices/pull/10

   Kaz: please note the default branch for the
   wot-security-best-practices repo has also been renamed to "main"

   [adjourned]


    Minutes manually created (not a transcript), formatted by
    [15]scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).

     [15] https://w3c.github.io/scribe2/scribedoc.html

Received on Monday, 24 May 2021 09:24:03 UTC