- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 26 Aug 2020 21:01:05 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2020/08/17-wot-sec-minutes.html
also as text below.
Thanks a lot for taking the minutes, Clerley!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT Security
17 Aug 2020
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#17_August_2020
Attendees
Present
Clerley_Silveira, Cristiano_Aguzzi, David_Ezell,
Elena_Reshetova, Farshid_Tavakolizadeh, Kaz_Ashimura,
Michael_McCool, Oliver_Pfaff, Tomoaki_Mizushima,
Zoltan_Kis
Regrets
Chair
McCool
Scribe
clerley
Contents
* [3]Topics
1. [4]Meeting agenda
2. [5]Prior meeting minutes approval.
3. [6]TD PR on OAuth2
4. [7]Other TD PRs
5. [8]TD PR 944
6. [9]Directory security
* [10]Summary of Action Items
* [11]Summary of Resolutions
__________________________________________________________
<kaz> scribenick: clerley
Meeting agenda
Farshid: Some concerns about OAuth2. Will add to the agenda.
Prior meeting minutes approval.
<kaz> [12]Aug-10 minutes
[12] https://www.w3.org/2020/08/10-wot-sec-minutes.html
Reshetova: Had an issue accessing the Conexxus Threat Model
template.
Meeting minutes for August, 10 2020 approved.
McCool: OAuth2 PR has been merged. Created a few issues.
TD PR on OAuth2
<inserted> [13]TD PR 927
[13] https://github.com/w3c/wot-thing-description/pull/927
McCool: Would like to clean up the OAuth2 security scheme.
Would like some feedback from the group.
... Create a new issue related to the device authorization
element.
Farshid: For consistency, "device authorization" should be
camel case.
McCool: Discuss the issue during the TD call
<McCool>
[14]https://github.com/w3c/wot-thing-description/issues/953
[14] https://github.com/w3c/wot-thing-description/issues/953
Cristino: Would like to discuss validation of variant records.
McCool: Created a issue and linked to an issue defined in
"Scripting"
<McCool>
[15]https://github.com/w3c/wot-thing-description/issues/954
[15] https://github.com/w3c/wot-thing-description/issues/954
Other TD PRs
<kaz> [16]TD PRs
[16] https://github.com/w3c/wot-thing-description/pulls
McCool: Would like to assign some reviewers to PRs.
... Does not think they are ready yet.
... Looked through the proofChain. Listed some issues.
<kaz> [17]TD PR 943 - WIP: Add proof and proofChain sections
[17] https://github.com/w3c/wot-thing-description/pull/943
McCool: Extension should specify the context file.
... Normalization of the TD spec. For some things, order of
types do not matter. But for others, it does.
... For proofChain, order must be preserved.
... Need reviewers for PR 943.
... Worked with "Linked Data Signatures" to improve their spec.
Does not think the spec is clear.
Farshid: Thinks both can be defined as array. If order does not
matter, an array can be used.
... During initialization order matter.
McCool: Explicitly called proof set. For sets, order does not
matter.
<kaz> [18]TD Preview from PR 943 - 5.3.1.1 Thing
[18] https://pr-preview.s3.amazonaws.com/mmccool/wot-thing-description/pull/943.html#thing
McCool: 5.3.1.1. needs to be reviewed. The text related to
arrays is not correct.
<kaz> [19]Diff
[19] https://pr-preview.s3.amazonaws.com/w3c/wot-thing-description/943/32ba69e...mmccool:92f1510.html#thing
<kaz> [20]Linked Data Proofs
[20] https://w3c-ccg.github.io/ld-proofs/
McCool: TD spec section 7.1 must be updated. Currently not
clear. It does not provide enough information.
... Should discuss with Task Force.
... "LD Proof" PR needs more detail to handle all the options.
TD PR 944
<kaz> [21]TD PR 944
[21] https://github.com/w3c/wot-thing-description/pull/944
McCool: Created a PR "and/or". Decided to use "anyOf" or
"allOf" to follow the proper terminology.
... Farshid to create an issue.
Farshid: If flagged then it can be deprecated in 2.0
Cristino: Why define a scheme for anyOf and allOf.
McCool: Would like to add an example.
<FarshidT> example for security combination:
[22]https://github.com/w3c/wot-discovery/blob/71612e81f987ba43f
6943f9fd542d15492bcefdb/directory.td.json
[22] https://github.com/w3c/wot-discovery/blob/71612e81f987ba43f6943f9fd542d15492bcefdb/directory.td.json
Farshid: Shows example of device flow and code and a
combination.
Cristino: Would like to link to example. That way the preview
can be displayed directly from the PR.
McCool: Agrees with the suggestion.
... Added example to PR with multiple security schemes. No need
to make up name for "things"
Farshid: If you would like to make it compact, create an array
with the flows and remove the existing data type.
<kaz> [23]McCool's comment to TD PR 944 including an example TD
[23] https://github.com/w3c/wot-thing-description/pull/944#issuecomment-674862824
McCool: The spec will allow for an string, security scheme or
an array. if we just allow array then, it becomes string or
security scheme.
... That would have to be changed in version 2.0.
<kaz> [24]Diff from TD PR 945
[24] https://pr-preview.s3.amazonaws.com/w3c/wot-thing-description/945/32ba69e...mmccool:e924552.html#thing
Farshid: Concern about how to mandate oneOf or allOf. Why not
define in the JSON schema?
McCool: Has not changed the JSON schema to account for the
changes. JSON schemas are non-normative, there is no standard
for JSON schemas.
... Similar issue with the variant record.
<kaz> [25]TD Issue 955 - Better validate "oneOf" choices
[25] https://github.com/w3c/wot-thing-description/issues/955
Directory security
Farshid: Does not think the token needs to be mandatory. None
of the endpoint is needed, the back-end software will swap the
authorization token and get the access token
McCool: please raise an issue about that
Adjourn
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes manually created (not a transcript), formatted by
David Booth's [26]scribe.perl version ([27]CVS log)
$Date: 2020/08/18 13:30:22 $
[26] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[27] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 26 August 2020 12:01:09 UTC