- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 11 Aug 2020 16:36:57 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2020/08/03-wot-sec-minutes.html
also as text below.
Thanks a lot for taking the minutes, Clerley!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT Security
03 Aug 2020
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#3_August_2020
Attendees
Present
Kaz_Ashimura, Michael_McCool, Clerley_Silveira,
Elena_Reshetova, Farshid_Tavakolizadeh,
Tomoaki_Mizushima, David_Ezell
Regrets
Chair
McCool
Scribe
clerley
Contents
* [3]Topics
1. [4]Prev minutes
2. [5]OAuth2 update
3. [6]Document updates
4. [7]Issues
* [8]Summary of Action Items
* [9]Summary of Resolutions
__________________________________________________________
<kaz> scribenick: clerley
Prev minutes
<kaz> [10]July-27
[10] https://www.w3.org/2020/07/27-wot-sec-minutes.html
McCool: Meeting minutes for July 27 reviewed
Meeting minutes for July 27 approved. No objections.
OAuth2 update
<McCool>
[11]https://github.com/w3c/wot-thing-description/pull/927
[11] https://github.com/w3c/wot-thing-description/pull/927
<kaz> [12]PR 927 preview - 5.3.3.8 OAuth2SecurityScheme
[12] https://pr-preview.s3.amazonaws.com/mmccool/wot-thing-description/pull/927.html#oauth2securityscheme
McCool: Update the OAuth section, added flow. Added
clarification for the auth flow. Several available only one
should be used.
... Only one flow should be selected. Client should not fix
multiple flows. Add citation to best practice document.
<kaz> [For the client flow authorization MUST NOT be included.
]
Farshid: wondering about "For the client flow authorization
MUST NOT be include."
McCool: remark - Wot thing description HTML had all the line
feeds removed.
... Took out the reference to the best practices document.
<kaz> [13]TD draft - index.template.html
[13] https://github.com/w3c/wot-thing-description/blob/master/index.template.html
McCool: Updated the "device authorization" section and added a
reference to WOT security guidelines.
Farshid: No objections but wrote a remark. If they see "device
authorization" vs "authorization" a developer could be
confused.
McCool: Unless a developer is guided by an author, they may not
have read the design specification. They may see authorization
and just use it.
<kaz> [14]Farshid's comment on PR 927 for wot-thing-description
[14] https://github.com/w3c/wot-thing-description/pull/927#issuecomment-667929599
McCool: It could be a frequent error just because a developer
may not be aware of authorization vs "device authorization".
... If we don't have the two tags, the error cannot happen.
Farshid: For most of the flow, the device authorization is used
but, if the developer sees the authorization they may use that.
McCool: Make the "device authorization" a MUST NOT. That will
force the developer to use the Authorization flow.
... If we keep both "device authorization" vs authorization and
"device authorization" is tagged as MUST NOT, the validation
tool could catch that error
Farshid: One suggestion is to add the "device authorization"
and expand the description to clarify.
McCool: Should use device_authorization so that validation tool
can catch the error.
Kaz: maybe this is overkill for OAuth2SecurityScheme, but at
some point, we should consider the difference between the user
and the device authorizations.
McCool: Could call it the "client authorization"
... If there are other flows, they would have to add the tags
in the extension.
... Would like to keep simple and not add tags if it is not
needed.
... Add a citation to the device flow to the table to make it
normative.
Kaz: at the moment, it would be good to add an Editor's note to
record Farshid's point here
<FarshidT> openapi's oauth2 endpoint table:
[15]https://swagger.io/docs/specification/authentication/oauth2
/
[15] https://swagger.io/docs/specification/authentication/oauth2/
Farshid: Sending a link with information about OpenAPI, how
they define the endpoints. Maybe we can follow similar style.
McCool: Will discuss that possibility later. For now, updated
the authorization section.
... Adding the table Farshid had in the comments would be a
good idea.
... Updated the issue #927 comments.
<inserted> [16]McCool's comment
[16] https://github.com/w3c/wot-thing-description/pull/927#issuecomment-668001326
Farshid: Is it possible to add more columns to the table.
McCool: Originally it was created for the "ontology" file. The
script broke and has not been fixed yet. The script does not
"know" about new columns if we manually add them to
index.template.html.
... It would be easier to add a new table separately.
... Would like to go ahead and do the merge. The longer he goes
without merging the harder it will be and he will have to play
catch up.
... Is it acceptable to add an editor's note? The group agreed!
Document updates
<kaz> [17]wot-security PR 174
[17] https://github.com/w3c/wot-security/pull/174
McCool: Two branches "working" and "master". He would like to
merge "working" into "master" to consolidate the two branches.
<kaz> [18]diff
[18] https://pr-preview.s3.amazonaws.com/w3c/wot-security/174/4b8ced6...f29f8d8.html
McCool: Believes the "working" version is more up to date.
... Any objections to deleting the working branch? No
objections!
... PRs will be done against the master branch.
Issues
<kaz> [19]wot-security issues
[19] https://github.com/w3c/wot-security/issues
<kaz> [20]issue 173 - Consider OAuth2 "device" flow
[20] https://github.com/w3c/wot-security/issues/173
McCool: Attempted to link the issue but, it is not possible if
linking across repositories.
<kaz> [21]wot-thing-description PR 927
[21] https://github.com/w3c/wot-thing-description/pull/927
McCool: Added a note that PR is available.
<kaz> [22]issue 169 - Security review of Lifecycle model and
diagram
[22] https://github.com/w3c/wot-security/issues/169
McCool: Would like to close the Lifecycle model.
Elena: Thinks the group should speak to Oliver. She has not
been reviewing for a while.
McCool: Adding consideration that Lifecycle issue should be
closed.
<kaz> [23]issue 177 - Review oAuth2.0 use case
[23] https://github.com/w3c/wot-security/issues/177
<kaz> [24]OAuth2 Flows use case proposal
[24] https://github.com/w3c/wot-usecases/blob/master/USE-CASES/oauth.md
McCool: Look at the OAuth2 spec to find out if there is any
security consideration. Other than that, there is nothing else
the needs to be changed.
... The group will have one more week to review. Close the
issue in the next meeting. (Consider closing the issue).
<kaz> [25]issue 170 - Review Conexxus Security and Privacy
Threat Model and Implementation Recommendations
[25] https://github.com/w3c/wot-security/issues/170
Clerley: Send the Conexxus threat model to McCool.
<kaz> [26]issue 166 - Add integrity protection to TDs
[26] https://github.com/w3c/wot-security/issues/166
McCool: Will create a PR for integrity protection..
Adjourn.
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes manually created (not a transcript), formatted by
David Booth's [27]scribe.perl version ([28]CVS log)
$Date: 2020/08/04 05:17:06 $
[27] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[28] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 11 August 2020 07:37:02 UTC