[wot-security] minutes - 3 August 2020

available at:
  https://www.w3.org/2020/08/03-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Clerley!

Kazuyuki

---

                               - DRAFT -

                              WoT Security

03 Aug 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#3_August_2020

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Clerley_Silveira,
          Elena_Reshetova, Farshid_Tavakolizadeh,
          Tomoaki_Mizushima, David_Ezell

   Regrets

   Chair
          McCool

   Scribe
          clerley

Contents

     * [3]Topics
         1. [4]Prev minutes
         2. [5]OAuth2 update
         3. [6]Document updates
         4. [7]Issues
     * [8]Summary of Action Items
     * [9]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: clerley

Prev minutes

   <kaz> [10]July-27

     [10] https://www.w3.org/2020/07/27-wot-sec-minutes.html

   McCool: Meeting minutes for July 27 reviewed

   Meeting minutes for July 27 approved. No objections.

OAuth2 update

   <McCool>
   [11]https://github.com/w3c/wot-thing-description/pull/927

     [11] https://github.com/w3c/wot-thing-description/pull/927

   <kaz> [12]PR 927 preview - 5.3.3.8 OAuth2SecurityScheme

     [12] https://pr-preview.s3.amazonaws.com/mmccool/wot-thing-description/pull/927.html#oauth2securityscheme

   McCool: Updated the OAuth section, added flow. Added
   clarification for the auth flow. Several are available, but
   only one should be used.
   ... Only one flow should be selected. Client should not fix
   multiple flows. Add citation to best practice document.

   <kaz> [For the client flow authorization MUST NOT be included.
   ]

   Farshid: wondering about "For the client flow authorization
   MUST NOT be included."

   McCool: remark - WoT Thing Description HTML had all the line
   feeds removed.
   ... Took out the reference to the best practices document.

   <kaz> [13]TD draft - index.template.html

     [13] https://github.com/w3c/wot-thing-description/blob/master/index.template.html

   McCool: Updated the "device authorization" section and added a
   reference to the WoT security guidelines.

   Farshid: No objections but wrote a remark. If they see "device
   authorization" vs "authorization" a developer could be
   confused.

   McCool: Unless a developer is guided by an author, they may not
   have read the design specification. They may see authorization
   and just use it.

   <kaz> [14]Farshid's comment on PR 927 for wot-thing-description

     [14] https://github.com/w3c/wot-thing-description/pull/927#issuecomment-667929599

   McCool: It could be a frequent error just because a developer
   may not be aware of authorization vs "device authorization".
   ... If we don't have the two tags, the error cannot happen.

   Farshid: For most of the flow, the device authorization is used
   but, if the developer sees the authorization they may use that.

   McCool: Make the "device authorization" a MUST NOT. That will
   force the developer to use the Authorization flow.
   ... If we keep both "device authorization" and authorization, and
   "device authorization" is tagged as MUST NOT, the validation
   tool could catch that error.

   Farshid: One suggestion is to add the "device authorization"
   and expand the description to clarify.

   McCool: Should use device_authorization so that validation tool
   can catch the error.

   Kaz: maybe this is overkill for OAuth2SecurityScheme, but at
   some point, we should consider the difference between the user
   and the device authorizations.

   McCool: Could call it the "client authorization"
   ... If there are other flows, they would have to add the tags
   in the extension.
   ... Would like to keep simple and not add tags if it is not
   needed.
   ... Add a citation to the device flow to the table to make it
   normative.

   Kaz: at the moment, it would be good to add an Editor's note to
   record Farshid's point here

   <FarshidT> openapi's oauth2 endpoint table:
   [15]https://swagger.io/docs/specification/authentication/oauth2/

     [15] https://swagger.io/docs/specification/authentication/oauth2/

   Farshid: Sending a link with information about OpenAPI, how
   they define the endpoints. Maybe we can follow similar style.

   McCool: Will discuss that possibility later. For now, updated
   the authorization section.
   ... Adding the table Farshid had in the comments would be a
   good idea.
   ... Updated the issue #927 comments.

   <inserted> [16]McCool's comment

     [16] https://github.com/w3c/wot-thing-description/pull/927#issuecomment-668001326

   Farshid: Is it possible to add more columns to the table?

   McCool: Originally it was created for the "ontology" file. The
   script broke and has not been fixed yet. The script does not
   "know" about new columns if we manually add them to
   index.template.html.
   ... It would be easier to add a new table separately.
   ... Would like to go ahead and do the merge. The longer he goes
   without merging, the harder it will be, and he will have to play
   catch-up.
   ... Is it acceptable to add an editor's note? The group agreed!

Document updates

   <kaz> [17]wot-security PR 174

     [17] https://github.com/w3c/wot-security/pull/174

   McCool: Two branches "working" and "master". He would like to
   merge "working" into "master" to consolidate the two branches.

   <kaz> [18]diff

     [18] https://pr-preview.s3.amazonaws.com/w3c/wot-security/174/4b8ced6...f29f8d8.html

   McCool: Believes the "working" version is more up to date.
   ... Any objections to deleting the working branch? No
   objections!
   ... PRs will be done against the master branch.

Issues

   <kaz> [19]wot-security issues

     [19] https://github.com/w3c/wot-security/issues

   <kaz> [20]issue 173 - Consider OAuth2 "device" flow

     [20] https://github.com/w3c/wot-security/issues/173

   McCool: Attempted to link the issue, but it is not possible if
   linking across repositories.

   <kaz> [21]wot-thing-description PR 927

     [21] https://github.com/w3c/wot-thing-description/pull/927

   McCool: Added a note that PR is available.

   <kaz> [22]issue 169 - Security review of Lifecycle model and
   diagram

     [22] https://github.com/w3c/wot-security/issues/169

   McCool: Would like to close the Lifecycle model.

   Elena: Thinks the group should speak to Oliver. She has not
   been reviewing for a while.

   McCool: Adding consideration that Lifecycle issue should be
   closed.

   <kaz> [23]issue 177 - Review oAuth2.0 use case

     [23] https://github.com/w3c/wot-security/issues/177

   <kaz> [24]OAuth2 Flows use case proposal

     [24] https://github.com/w3c/wot-usecases/blob/master/USE-CASES/oauth.md

   McCool: Look at the OAuth2 spec to find out if there is any
   security consideration. Other than that, there is nothing else
   that needs to be changed.
   ... The group will have one more week to review. Close the
   issue in the next meeting. (Consider closing the issue).

   <kaz> [25]issue 170 - Review Conexxus Security and Privacy
   Threat Model and Implementation Recommendations

     [25] https://github.com/w3c/wot-security/issues/170

   Clerley: Send the Conexxus threat model to McCool.

   <kaz> [26]issue 166 - Add integrity protection to TDs

     [26] https://github.com/w3c/wot-security/issues/166

   McCool: Will create a PR for integrity protection.

   Adjourn.

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [27]scribe.perl version ([28]CVS log)
    $Date: 2020/08/04 05:17:06 $

     [27] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [28] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 11 August 2020 07:37:02 UTC