- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 26 Aug 2020 21:01:05 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
  https://www.w3.org/2020/08/17-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Clerley!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

17 Aug 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#17_August_2020

Attendees

   Present
          Clerley_Silveira, Cristiano_Aguzzi, David_Ezell,
          Elena_Reshetova, Farshid_Tavakolizadeh, Kaz_Ashimura,
          Michael_McCool, Oliver_Pfaff, Tomoaki_Mizushima, Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          clerley

Contents

     * [3]Topics
         1. [4]Meeting agenda
         2. [5]Prior meeting minutes approval.
         3. [6]TD PR on OAuth2
         4. [7]Other TD PRs
         5. [8]TD PR 944
         6. [9]Directory security
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: clerley

Meeting agenda

   Farshid: Some concerns about OAuth2. Will add to the agenda.

Prior meeting minutes approval.

   <kaz> [12]Aug-10 minutes

     [12] https://www.w3.org/2020/08/10-wot-sec-minutes.html

   Reshetova: Had an issue accessing the Conexxus Threat Model
   template.

   Meeting minutes for August 10, 2020 approved.

   McCool: OAuth2 PR has been merged. Created a few issues.

TD PR on OAuth2

   <inserted> [13]TD PR 927

     [13] https://github.com/w3c/wot-thing-description/pull/927

   McCool: Would like to clean up the OAuth2 security scheme. Would
   like some feedback from the group.
   ... Create a new issue related to the device authorization element.

   Farshid: For consistency, "device authorization" should be camel
   case.

   McCool: Discuss the issue during the TD call

   <McCool> [14]https://github.com/w3c/wot-thing-description/issues/953

     [14] https://github.com/w3c/wot-thing-description/issues/953

   Cristiano: Would like to discuss validation of variant records.

   McCool: Created an issue and linked to an issue defined in
   "Scripting"

   <McCool> [15]https://github.com/w3c/wot-thing-description/issues/954

     [15] https://github.com/w3c/wot-thing-description/issues/954

Other TD PRs

   <kaz> [16]TD PRs

     [16] https://github.com/w3c/wot-thing-description/pulls

   McCool: Would like to assign some reviewers to PRs.
   ... Does not think they are ready yet.
   ... Looked through the proofChain. Listed some issues.

   <kaz> [17]TD PR 943 - WIP: Add proof and proofChain sections

     [17] https://github.com/w3c/wot-thing-description/pull/943

   McCool: Extension should specify the context file.
   ... Normalization of the TD spec. For some things, order of types
   does not matter. But for others, it does.
   ... For proofChain, order must be preserved.
   ... Need reviewers for PR 943.
   ... Worked with "Linked Data Signatures" to improve their spec.
   Does not think the spec is clear.

   Farshid: Thinks both can be defined as array. If order does not
   matter, an array can be used.
   ... During initialization, order matters.

   McCool: Explicitly called proof set. For sets, order does not
   matter.

   <kaz> [18]TD Preview from PR 943 - 5.3.1.1 Thing

     [18] https://pr-preview.s3.amazonaws.com/mmccool/wot-thing-description/pull/943.html#thing

   McCool: 5.3.1.1. needs to be reviewed. The text related to arrays
   is not correct.

   <kaz> [19]Diff

     [19] https://pr-preview.s3.amazonaws.com/w3c/wot-thing-description/943/32ba69e...mmccool:92f1510.html#thing

   <kaz> [20]Linked Data Proofs

     [20] https://w3c-ccg.github.io/ld-proofs/

   McCool: TD spec section 7.1 must be updated. Currently not clear.
   It does not provide enough information.
   ... Should discuss with Task Force.
   ... "LD Proof" PR needs more detail to handle all the options.

TD PR 944

   <kaz> [21]TD PR 944

     [21] https://github.com/w3c/wot-thing-description/pull/944

   McCool: Created a PR "and/or". Decided to use "anyOf" or "allOf" to
   follow the proper terminology.
   ... Farshid to create an issue.

   Farshid: If flagged, then it can be deprecated in 2.0

   Cristiano: Why define a scheme for anyOf and allOf?

   McCool: Would like to add an example.

   <FarshidT> example for security combination:
   [22]https://github.com/w3c/wot-discovery/blob/71612e81f987ba43f6943f9fd542d15492bcefdb/directory.td.json

     [22] https://github.com/w3c/wot-discovery/blob/71612e81f987ba43f6943f9fd542d15492bcefdb/directory.td.json

   Farshid: Shows example of device flow and code and a combination.

   Cristiano: Would like to link to example. That way the preview can
   be displayed directly from the PR.

   McCool: Agrees with the suggestion.
   ... Added example to PR with multiple security schemes. No need to
   make up a name for "things".

   Farshid: If you would like to make it compact, create an array with
   the flows and remove the existing data type.

   <kaz> [23]McCool's comment to TD PR 944 including an example TD

     [23] https://github.com/w3c/wot-thing-description/pull/944#issuecomment-674862824

   McCool: The spec will allow for a string, security scheme or an
   array. If we just allow array, then it becomes string or security
   scheme.
   ... That would have to be changed in version 2.0.

   <kaz> [24]Diff from TD PR 945

     [24] https://pr-preview.s3.amazonaws.com/w3c/wot-thing-description/945/32ba69e...mmccool:e924552.html#thing

   Farshid: Concern about how to mandate oneOf or allOf. Why not
   define in the JSON schema?

   McCool: Has not changed the JSON schema to account for the changes.
   JSON schemas are non-normative, there is no standard for JSON
   schemas.
   ... Similar issue with the variant record.

   <kaz> [25]TD Issue 955 - Better validate "oneOf" choices

     [25] https://github.com/w3c/wot-thing-description/issues/955

Directory security

   Farshid: Does not think the token needs to be mandatory. None of
   the endpoints is needed; the back-end software will swap the
   authorization token and get the access token.

   McCool: Please raise an issue about that.

   Adjourn

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________

    Minutes manually created (not a transcript), formatted by
    David Booth's [26]scribe.perl version ([27]CVS log)
    $Date: 2020/08/18 13:30:22 $

     [26] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [27] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 26 August 2020 12:01:09 UTC