Re: [wot-security] minutes - 6 July 2020

available at:
  https://www.w3.org/2020/07/06-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

06 Jul 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#6_July_2020

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Cristiano_Aguzzi, Tomoaki_Mizushima, David_Ezell

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [3]Topics
         1. [4]Prev minutes
         2. [5]f2f minutes
         3. [6]Requirements
         4. [7]AOB?
     * [8]Summary of Action Items
     * [9]Summary of Resolutions
     __________________________________________________________

   <scribe> scribenick: kaz

Prev minutes

   [10]June-1 minutes

     [10] https://www.w3.org/2020/06/01-wot-sec-minutes.html

   McCool: talked about OAuth2
   ... any objections to accept the minutes?

   (none)

   McCool: approved

f2f minutes

   [11]vf2f minutes

     [11] https://www.w3.org/2020/06/22-26-wot-vf2f-minutes.html

   McCool: typo of [[e'll]] for [[we'll]]

   <McCool>
   [12]https://github.com/w3c/wot/blob/master/PRESENTATIONS/2020-0
   6-online-f2f/2020-06-22-Security-McCool.pdf

     [12] https://github.com/w3c/wot/blob/master/PRESENTATIONS/2020-06-online-f2f/2020-06-22-Security-McCool.pdf

   McCool: presentation link to be placed at the top of the
   session

   Kaz: ok

   McCool: talked about 4 issues
   ... signing TDs
   ... need to follow up with a concrete PR
   ... for the future agenda
   ... another typo for [[referencable]]

   Kaz: will check the whole minutes using the spell checker again

   <scribe> ACTION: kaz to check the vf2f minutes using the spell
   checker

   McCool: DIDs, OAuth2, ...
   ... Lagally had input from the viewpoint of profiles
   ... then End-to-End security
   ... another typo for [[havea]]
   ... any objections to accept the minutes?

   (none)

   McCool: accepted

Requirements

   McCool: OAuth2 flow?

   Cristiano: added a PR on OAuth2 flow to the wot-usecases repo

   [13]OAuth2 Flows use case

     [13] https://github.com/w3c/wot-usecases/blob/master/USE-CASES/oauth.md

   McCool: (adds some clarification to the "Expected Data"
   section)
   ... one thing not mentioned here is scope
   ... one is various URLs, 2nd is bare tokens, and then scopes
   ... BTW, the spelling for OAuth should be "OAuth" (capital "O"
   and capital "A")
   ... (adds another note to the bottom of the "Motivation"
   section as well)
   ... reasonable summary for the scope here?

   Cristiano: seems OK

   McCool: to support OAuth 2.0, all the devices must support TLS
   connection
   ... also verify an access token
   ... both producer and consumer
   ... and here "token" means a bearer token
   ... (updates the "Motivation" section with some more
   clarifications)
   ... (clarifications on the "Actors")

   Kaz: btw, there is "Thing Descriptor" but did you actually
   meant "Thing Description"?

   Cristiano: yes

   McCool: (fixed the typo)
   ... (discussion on the sequence flow diagram)
   ... steps A and B defines what is known as authorization grant
   type of flow.
   ... what is important to realize here is that ot all of these
   interactions are meant to take place over a network protocol.

   Cristiano: there are the owner of the data and the owner of the
   service

   McCool: a bit confused here
   ... want to specify which is which
   ... (adds clarification)
   ... in some cases, interaction with a human through a user
   interface may be intended
   ... (and modifies the four basic features for OAuth 2.0)
   ... code, implicit, password (of resource owner), client
   (credentials of the client)
   ... (and adds some more notes)
   ... btw, do we expect HTTP is the protocol to be used here?

   Cristiano: basically yes

   McCool: (modifies the description for the "Description" section
   as well)

   Kaz: maybe we should think about delegates who handle the
   authentication for the resource owners too?

   McCool: yeah
   ... should add another term for that
   ... (creating a pullrequet based on the discussion today)

   [14]PR 26 for wot-usecases

     [14] https://github.com/w3c/wot-usecases/pull/26

   McCool: and merged it
   ... we'll need testing requirements too
   ... would like to get requirements for OAuth2 flows as well
   ... thank you very much for your initial input, Cristiano
   ... let's have further discussion next time
   ... are there any other PRs?
   ... this OAuth2 flows use case should be finalized
   ... if you have any ideas, you can create an issue and/or a
   pullrequest
   ... to be discussed next time
   ... if you could create sequence diagrams as well, that would
   be great

   Cristiano: can try

   McCool: also let's talk about the deprecated flows next time
   ... Cristiano will generate flow diagrams
   ... and people should review the proposal

AOB?

   Cristiano: discovery call today?

   McCool: yes

   [adjourned]

Summary of Action Items

   [NEW] ACTION: kaz to check the vf2f minutes using the spell
   checker

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [15]scribe.perl version ([16]CVS log)
    $Date: 2020/07/07 11:22:12 $

     [15] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [16] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 14 July 2020 09:03:02 UTC