- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 24 May 2021 18:23:54 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at: https://www.w3.org/2021/04/19-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Philipp!

Kazuyuki

---

[1]W3C

[1] https://www.w3.org/

WoT Security

19 April 2021

[2]IRC log.

[2] https://www.w3.org/2021/04/19-wot-sec-irc

Attendees

Present
Kaz_Ashimura, Michael_McCool, Philipp_Blum, Tomoaki_Mizushima

Regrets
-

Chair
McCool

Scribe
citrullin, kaz

Contents

1. [3]Joint call with scripting
2. [4]Canonicalization and signing
3. [5]Object security
4. [6]OAuth2 flows

Meeting minutes

Joint call with scripting

McCool: We could have a joint call for two hours. But let's take a look into the topics first.

[7]Security TaskForce related issues
[7] https://github.com/w3c/wot-scripting-api/issues/315

[8]Discovery TaskForce related issues
[8] https://github.com/w3c/wot-scripting-api/issues/314

McCool: I guess we should comment on the issue about what we have to deal with.

McCool adds a note into the security wiki.

Logistics still under discussion.

Canonicalization and signing

McCool: The problem with canonicalization is default values.
… the preprocessor may fill in the default values if they are not given.

McCool adds a comment to the wiki regarding this issue.

Philipp: There should be an issue for it, so that we can think about it in more detail.

Object security

[9]Consider how to support object security
[9] https://github.com/w3c/wot-security/issues/185

McCool: .local domains are problematic to secure.
… there is still information which can get leaked, even if the body is encrypted. Query parameters, for example.

Philipp: We may be able to use DIDs here and store the related keys etc. attached to the DID in a DLT.

<McCool> [10]https://tools.ietf.org/html/rfc7165
[10] https://tools.ietf.org/html/rfc7165

McCool: We don't have experience with that and it probably takes too much time to get this experience.

Kaz: I agree that we might want to use DID for that. But I agree that it would take too much time for the current v 1.1 specs.

McCool: There is a way to distribute keys via DID. But this goes beyond IoT.

Philipp: Newer versions of HTTP allow encryption of headers. Not sure about queries though.

McCool: TLS relies on global domains. And that doesn't work in .local.
… for now we have to allow http for discovery.

Philipp: So we might have to say in the best-practices, if you want to have object security you should put the queries into the body.

McCool: Problem is that discovery supports queries in the URL and therefore they cannot get encrypted. SPARQL on the other hand allows the queries in the body.

<McCool> [11]https://krellian.com/
[11] https://krellian.com/

OAuth2 flows

Philipp: I think we can remove the submitter etc.

McCool: Yes, there are some things which can get simplified and removed.
… have you made a PR for the use-case document?

Philipp: No, I haven't. We should talk with Michael Lagally first, I think.

[12]OAuth2 flow issue
[12] https://github.com/w3c/wot-security/issues/194

[13]OAuth2 flow PR
[13] https://github.com/w3c/wot-security-best-practices/pull/10

<kaz> [14]wot-security-best-practices PR 10 - Move OAuth2 flow from usecases to security-best-practices
[14] https://github.com/w3c/wot-security-best-practices/pull/10

Kaz: please note the default branch for the wot-security-best-practices repo has also been renamed to "main"

[adjourned]

Minutes manually created (not a transcript), formatted by [15]scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).
[15] https://w3c.github.io/scribe2/scribedoc.html
Received on Monday, 24 May 2021 09:24:03 UTC