- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 14 Jul 2020 18:04:15 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at: https://www.w3.org/2020/07/06-wot-sec-minutes.html also as text below. Thanks, Kazuyuki --- [1]W3C [1] http://www.w3.org/ - DRAFT - WoT Security 06 Jul 2020 [2]Agenda [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#6_July_2020 Attendees Present Kaz_Ashimura, Michael_McCool, Elena_Reshetova, Cristiano_Aguzzi, Tomoaki_Mizushima, David_Ezell Regrets Chair McCool Scribe kaz Contents * [3]Topics 1. [4]Prev minutes 2. [5]f2f minutes 3. [6]Requirements 4. [7]AOB? * [8]Summary of Action Items * [9]Summary of Resolutions __________________________________________________________ <scribe> scribenick: kaz Prev minutes [10]June-1 minutes [10] https://www.w3.org/2020/06/01-wot-sec-minutes.html McCool: talked about OAuth2 ... any objections to accept the minutes? (none) McCool: approved f2f minutes [11]vf2f minutes [11] https://www.w3.org/2020/06/22-26-wot-vf2f-minutes.html McCool: typo of [[e'll]] for [[we'll]] <McCool> [12]https://github.com/w3c/wot/blob/master/PRESENTATIONS/2020-0 6-online-f2f/2020-06-22-Security-McCool.pdf [12] https://github.com/w3c/wot/blob/master/PRESENTATIONS/2020-06-online-f2f/2020-06-22-Security-McCool.pdf McCool: presentation link to be placed at the top of the session Kaz: ok McCool: talked about 4 issues ... signing TDs ... need to follow up with a concrete PR ... for the future agenda ... another typo for [[referencable]] Kaz: will check the whole minutes using the spell checker again <scribe> ACTION: kaz to check the vf2f minutes using the spell checker McCool: DIDs, OAuth2, ... ... Lagally had input from the viewpoint of profiles ... then End-to-End security ... another typo for [[havea]] ... any objections to accept the minutes? (none) McCool: accepted Requirements McCool: OAuth2 flow? Cristiano: added a PR on OAuth2 flow to the wot-usecases repo [13]OAuth2 Flows use case [13] https://github.com/w3c/wot-usecases/blob/master/USE-CASES/oauth.md McCool: (adds some clarification to the "Expected Data" section) ... one thing not mentioned here is scope ... one is various URLs, 2nd is bare tokens, and then scopes ... BTW, the spelling for OAuth should be "OAuth" (capital "O" and capital "A") ... (adds another note to the bottom of the "Motivation" section as well) ... reasonable summary for the scope here? Cristiano: seems OK McCool: to support OAuth 2.0, all the devices must support TLS connection ... also verify an access token ... both producer and consumer ... and here "token" means a bearer token ... (updates the "Motivation" section with some more clarifications) ... (clarifications on the "Actors") Kaz: btw, there is "Thing Descriptor" but did you actually meant "Thing Description"? Cristiano: yes McCool: (fixed the typo) ... (discussion on the sequence flow diagram) ... steps A and B defines what is known as authorization grant type of flow. ... what is important to realize here is that ot all of these interactions are meant to take place over a network protocol. Cristiano: there are the owner of the data and the owner of the service McCool: a bit confused here ... want to specify which is which ... (adds clarification) ... in some cases, interaction with a human through a user interface may be intended ... (and modifies the four basic features for OAuth 2.0) ... code, implicit, password (of resource owner), client (credentials of the client) ... (and adds some more notes) ... btw, do we expect HTTP is the protocol to be used here? Cristiano: basically yes McCool: (modifies the description for the "Description" section as well) Kaz: maybe we should think about delegates who handle the authentication for the resource owners too? McCool: yeah ... should add another term for that ... (creating a pullrequet based on the discussion today) [14]PR 26 for wot-usecases [14] https://github.com/w3c/wot-usecases/pull/26 McCool: and merged it ... we'll need testing requirements too ... would like to get requirements for OAuth2 flows as well ... thank you very much for your initial input, Cristiano ... let's have further discussion next time ... are there any other PRs? ... this OAuth2 flows use case should be finalized ... if you have any ideas, you can create an issue and/or a pullrequest ... to be discussed next time ... if you could create sequence diagrams as well, that would be great Cristiano: can try McCool: also let's talk about the deprecated flows next time ... Cristiano will generate flow diagrams ... and people should review the proposal AOB? Cristiano: discovery call today? McCool: yes [adjourned] Summary of Action Items [NEW] ACTION: kaz to check the vf2f minutes using the spell checker Summary of Resolutions [End of minutes] __________________________________________________________ Minutes manually created (not a transcript), formatted by David Booth's [15]scribe.perl version ([16]CVS log) $Date: 2020/07/07 11:22:12 $ [15] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [16] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 14 July 2020 09:03:02 UTC