- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 08 Jun 2020 10:48:09 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at: https://www.w3.org/2020/05/25-wot-sec-minutes.html also as text below. Thanks a lot for taking the minutes, Zoltan! Kazuyuki --- [1]W3C [1] http://www.w3.org/ - DRAFT - WoT Security 25 May 2020 Attendees Present Kaz_Ashimura, Michael_McCool, Oliver_Pfaff, Zoltan_Kis, Cristiano_Aguzzi, Daniel_Peintner, Michael_Lagally, Tomoaki_Mizushima, David_Ezell Regrets Elena_Reshetova Chair McCool Scribe zkis Contents * [2]Topics 1. [3]past minutes 2. [4]PRs 3. [5]OAuth2 issue in Scripting * [6]Summary of Action Items * [7]Summary of Resolutions __________________________________________________________ <kaz> scribenick: zkis past minutes May 18 minutes and May 4 minutes to be reviewed <kaz> [8]May-18 [8] https://www.w3.org/2020/05/18-wot-sec-minutes.html McCool: any objections accepting these? accepted <kaz> [9]May-4 [9] https://www.w3.org/2020/05/04-wot-sec-minutes.html <inserted> (typos within May-4 minutes are fixed; and approved) PRs <McCool> [10]https://github.com/w3c/wot-security/pull/175 [10] https://github.com/w3c/wot-security/pull/175 [past minutes accepted] <McCool> [11]https://github.com/w3c/wot-security/pull/176 [11] https://github.com/w3c/wot-security/pull/176 Oliver: one of these is obsolete McCool: we can add direct references, but we should instead add references to ReSpec Zoltan: that is right McCool: we could accept this but later move references from localBiblio to ReSpec references [12]https://www.specref.org/ [12] https://www.specref.org/ McCool: we should have (linked) terms for User Data etc ... some issues about citing references ... maybe merge this and fix it in a separate PR? Oliver: OK Lagally: should respect the style guide for W3C docs ... about the specific term User Data - should we define that in the Architecture doc? McCool: create an issue for that Lagally: we also need a definition for that McCool: Elena maybe, or I could look into it ... merging into the Working branch for now <McCool> [13]Manual of Style [13] https://w3c.github.io/manual-of-style/ OAuth2 issue in Scripting [14]https://github.com/w3c/wot-scripting-api/issues/214 [14] https://github.com/w3c/wot-scripting-api/issues/214 McCool: to make sure all flows are implemented <McCool> [15]https://github.com/w3c/wot-security/issues/173 [15] https://github.com/w3c/wot-security/issues/173 McCool: we need to read into the OAuth spec ... Cristiano and Daniel are involved, please drive through Cristiano: presents [16]https://github.com/w3c/wot-scripting-api/issues/214 ... user needs to do manual login ... how to put that flow in node-wot ... problem: only possible if the script runs in the browser ... this defines the context for this issue ... we need to decide how to handle the interaction between the user and runtime ... then, if it happens transparently or not ... and which way, e.g. with an init function? ... MM suggested solving the issue at protocol level [16] https://github.com/w3c/wot-scripting-api/issues/214 <mlagally> [Here's the terminology issue for the architecture specification: [17]https://github.com/w3c/wot-architecture/issues/508] [17] https://github.com/w3c/wot-architecture/issues/508] Cristiano: the user could be represented by service, but never seen this flow code implemented by others McCool: we don't necessarily need to add the flow to browser, it could be a user agent, possibly a very simple one ... the question is if the device is a server, should we use a web dashboard or what? ... for each flow we need a use case; state reasons when we don't support them Cristiano: ok ... where the use cases are posted? McCool adding comment to [18]https://github.com/w3c/wot-scripting-api/issues/214 [18] https://github.com/w3c/wot-scripting-api/issues/214 <dape> code flow mentioned in TD, see [19]https://w3c.github.io/wot-thing-description/#oauth2security scheme [19] https://w3c.github.io/wot-thing-description/#oauth2securityscheme Lagally: use cases are collected in the Architecture task force ... the OAuth scenario matches several domains and scenarios ... we should document these flows somewhere we can reference them from Oliver: we should not try to use OAuth flow for everything but check which use cases correlate to which flows ... there is server, resource server and caller (browser or app) ... if we replace the resource server with an IoT device, it's (?) ... if we replace the caller, then (?) ... if we look at the auth flow and matching people with devices won't work Cristiano: agree on that McCool: TD describes resources available on the device Zoltan: we really need the use cases defined, I am not convinced the human user should be involved in the flows McCool: right - assuming we need to support the human user flow Oliver: the oauth spec is quite implicit, not explicit, whether is it a human user Cristiano: yes, I also found it unclear ... every other owner interprets it's the user Zoltan: we have 2 options, solving it with provisioning, the other is solving with a UI, depending who is the provider McCool: include this in the lifecycle and onboarding topic Cristiano: the problem is when the token provider says they are expired, then we need to involve the resource owner Zoltan: there could be an error in that case, either at the end user, or at the provider's management system McCool: or do automatic refreshing of tokens ... which is anyway a good security practice McCool captured some comments in the github issue McCool: we have several possibilities ahead: 1. we need to capture the various use cases ... for instance as an md file ... create a use case in... Lagally: the Architecture repo, please McCool is creating a new use case in Architecture. (link to commit) McCool: next step is to create PRs based on this Cristiano: I could do that McCool: discussing the Invited Expert status of Cristiano Cristiano: there are issues/questions about that McCool: will work with Kaz for the procedure ... AOB? [adjourned] Summary of Action Items Summary of Resolutions [End of minutes] __________________________________________________________ Minutes manually created (not a transcript), formatted by David Booth's [20]scribe.perl version ([21]CVS log) $Date: 2020/05/28 13:35:26 $ [20] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [21] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 8 June 2020 01:47:31 UTC