[wot-security] minutes - 10 August 2020 from Kazuyuki Ashimura on 2020-08-18 (public-wot-wg@w3.org from August 2020)

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Tue, 18 Aug 2020 20:35:56 +0900
To: public-wot-ig@w3.org, public-wot-wg@w3.org
Message-ID: <87lficchk3.wl-ashimura@w3.org>
available at:
  https://www.w3.org/2020/08/10-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Oliver!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

10 Aug 2020

Attendees

   Present
          Kaz_Ashimura, Farshid_Tavakolizadeh, Michael_McCool,
          Oliver_Pfaff, Clerley_Silveira, Cristiano_Aguzzi,
          Tomoaki_Mizushima, David_Ezell

   Regrets
          Elena_Reshetova

   Chair
          McCool

   Scribe
          Oliver

Contents

     * [2]Topics
         1. [3]Prev minutes
         2. [4]OAuth2 updates
         3. [5]Issue 166 - TD Issue 940
         4. [6]TD Issue 901
         5. [7]Issue 170
         6. [8]Issue 168
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: Oliver

   Minutes to be taken by Oliver

Prev minutes

   <kaz> [11]August-3

     [11] https://www.w3.org/2020/08/03-wot-sec-minutes.html

   <kaz> [12]Issue 169 - Security review of Lifecycle model and
   diagram

     [12] https://github.com/w3c/wot-security/issues/169

   Minutes of the meeting on 2020-08-03 reviewed with no
   objections; they are considered published

   Oliver to review issue #169 on the component lifecycle and
   provide feedback

OAuth2 updates

   <kaz> [13]wot-thing-description PR 927

     [13] https://github.com/w3c/wot-thing-description/pull/927

   <kaz> [14]Preview - 5.3.3.8 OAuth2SecurityScheme

     [14] https://pr-preview.s3.amazonaws.com/mmccool/wot-thing-description/pull/927.html#oauth2securityscheme

   Status of the issue #927 about the OAuth2SecurityScheme section
   (WoT Description) reviewed; notes therein added. Some minor
   cleanup is still needed then merging can happen

   <kaz> (McCool changed the state of PR927 to "Draft")

Issue 166 - TD Issue 940

   Issue #166 in WoT Security (Integrity protection for TDs) was
   cloned to #940 in WoT Description to create awareness in TD

   <inserted> [15]Issue 166

     [15] https://github.com/w3c/wot-security/issues/166

   <kaz> [16]wot-thing-description TD Issue 940

     [16] https://github.com/w3c/wot-thing-description/issues/940

   <kaz> [17]Linked Data Proofs 1.0 draft

     [17] https://w3c-ccg.github.io/ld-proofs/

   Note added to TD Issue #940 about Id-proof (planned section on
   "proofChains")

   <kaz> [18]McCool's comments to TD Issue 940

     [18] https://github.com/w3c/wot-thing-description/issues/940#issuecomment-671325684

   Team comments to be provided as notes to #940

TD Issue 901

   <kaz> [19]TD Issue 901

     [19] https://github.com/w3c/wot-thing-description/issues/901

   Issue #901 in WoT Thing Description repo about multiple
   security schemes reviewed (esp. with respect OR/AND)

   Options:
   1. Array of arrays: [["sc1","sc2"],"sc3"]. Problem: nesting
   depth changes AND to OR; special rule that array of one element
   can be treated as a string may not work
   2. Wrapper object: { "and": ["sc1", "sc2"], "or": "sc3"}.
   Breaks compatibility.
   3. Farshid's suggestion above: {"scheme1": { "scheme2": {}}}.
   This is like a LISP CADR list... breaks compatibility.
   4. Another option would be to define "or" (and maybe "and" for
   completeness) schemes in "securityDefinitions"

   Proposed next step: create PR for option 4, this PR should be
   incorporated in TD 1.1

   Additional consideration: can be array-of-flows be made
   compatible?

   Other additional consideration: more compact notion for AND/OR

   The alternative notations come with challenges with respect to
   backward compatibility and parsing complexity. Closer
   examinations are needed

   Michael to care about creating the above mentioned PR

   <kaz> [20]McCool's updated comments

     [20] https://github.com/w3c/wot-thing-description/issues/901#issuecomment-671334655

Issue 170

   Reviewed issue #170 (WoT Security) about the Conexxus
   Security&Privacy use case

   <kaz> [21]Issue 170

     [21] https://github.com/w3c/wot-security/issues/170

   <kaz> [22]Conexxus documents

     [22] https://www.conexxus.org/documentation-guidelines-templates

   Added a note providing a link to a (publicly available)
   developer document on conexxus.com

   <kaz> [23]McCool's comment including links to Conexxus Threat
   Model template documents

     [23] https://github.com/w3c/wot-security/issues/170#issuecomment-671336193

Issue 168

   <kaz> [24]Issue 168

     [24] https://github.com/w3c/wot-security/issues/168

   With respect to issue #168, the current understanding is to add
   the HTML file from now on

   McCool will create a PR for HTML to include "security and
   privacy considerations" sections (as blank sections at the
   moment)

   <inserted> [25]McCool's comment about that point

     [25] https://github.com/w3c/wot-security/issues/168#issuecomment-671338489

   Meeting closed

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [26]scribe.perl version ([27]CVS log)
    $Date: 2020/08/11 07:33:43 $

     [26] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [27] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 18 August 2020 11:36:01 UTC