- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 24 May 2021 18:23:54 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2021/04/19-wot-sec-minutes.html
also as text below.
Thanks a lot for taking the minutes, Philipp!
Kazuyuki
---
[1]W3C
[1] https://www.w3.org/
WoT Security
19 April 2021
[2]IRC log.
[2] https://www.w3.org/2021/04/19-wot-sec-irc
Attendees
Present
Kaz_Ashimura, Michael_McCool, Philipp_Blum,
Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
citrullin, kaz
Contents
1. [3]Joint call with scripting
2. [4]Canonicalization and signing
3. [5]Object security
4. [6]OAuth2 flows
Meeting minutes
Joint call with scripting
McCool: We could have a joint call for two hours. But let's
take a look at the topics first.
[7]Security TaskForce related issues
[7] https://github.com/w3c/wot-scripting-api/issues/315
[8]Discovery TaskForce related issues
[8] https://github.com/w3c/wot-scripting-api/issues/314
McCool: I guess we should comment on the issue about what we
have to deal with.
McCool adds a note into the security wiki. Logistics still
under discussion.
Canonicalization and signing
McCool: The problem with canonicalization is default values.
… the preprocessor may fill in the default values if they are
not given.
McCool adds a comment to the wiki regarding this issue.
Philipp: There should be an issue for it, so that we can think
about it more in detail.
Object security
[9]Consider how to support object security
[9] https://github.com/w3c/wot-security/issues/185
McCool: .local domains are problematic to secure.
… there is still information which can get leaked, even if the
body is encrypted. Query parameters, for example.
Philipp: We may be able to use DIDs here and store the related
keys etc. attached to the DID in a DLT.
<McCool> [10]https://tools.ietf.org/html/rfc7165
[10] https://tools.ietf.org/html/rfc7165
McCool: We don't have experience with that and it probably
takes too much time to get this experience.
Kaz: I agree that we might want to use DIDs for that. But I
agree that it would take too much time for the current v1.1
specs.
McCool: There is a way to distribute keys via DID. But this
goes beyond IoT.
Philipp: Newer versions of HTTP allow encryption of headers.
Not sure about queries though.
McCool: TLS relies on global domains. And that doesn't work in
.local.
… for now we have to allow http for discovery.
Philipp: So we might have to say in the best practices that if
you want to have object security you should put the queries
into the body.
McCool: The problem is that discovery supports queries in the
URL and therefore they cannot get encrypted. SPARQL on the
other hand allows the queries in the body.
<McCool> [11]https://krellian.com/
[11] https://krellian.com/
OAuth2 flows
Philipp: I think we can remove the submitter etc.
McCool: Yes, there are some things which can get simplified and
removed.
… have you made a PR for the use-case document?
Philipp: No, I haven't. We should talk with Michael Lagally
first, I think.
[12]OAuth2 flow issue
[12] https://github.com/w3c/wot-security/issues/194
[13]OAuth2 flow PR
[13] https://github.com/w3c/wot-security-best-practices/pull/10
<kaz> [14]wot-security-best-practices PR 10 - Move OAuth2 flow
from usecases to security-best-practices
[14] https://github.com/w3c/wot-security-best-practices/pull/10
Kaz: please note the default branch for the
wot-security-best-practices repo has also been renamed to "main"
[adjourned]
Minutes manually created (not a transcript), formatted by
[15]scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).
[15] https://w3c.github.io/scribe2/scribedoc.html
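The canonicalization problem McCool raises above (a signature computed over a document as authored no longer verifies once a preprocessor has filled in default values), as an added example that is not part of the original minutes or of any WoT deliverable. It assumes a JCS-like canonical form approximated with json.dumps (sorted keys, no whitespace, UTF-8), an illustrative list of defaults that is not the TD specification's list, and a constructed Thing-Description-like document; the function names are hypothetical.

```python
"""Why default values break canonicalize-and-sign, and two policies that
fix it: either strip defaults or always fill them before hashing.

Added example; the TD sample, the DEFAULTS list and the helper names are
constructed for illustration and are not from the WoT specifications.
"""
import hashlib
import json
from copy import deepcopy

# Constructed sample: a minimal TD-like document as a producer would sign it.
TD_AS_AUTHORED = {
    "title": "Lamp",
    "properties": {
        "status": {
            "type": "string",
            "forms": [{"href": "http://lamp.local/status"}],
        }
    },
}

# Assumed defaults a preprocessor might inject into every property
# (illustrative only, not the specification's actual default set).
DEFAULTS = {"observable": False, "readOnly": False, "writeOnly": False}


def fill_defaults(td):
    """Model the consumer-side preprocessor: add any missing default."""
    out = deepcopy(td)
    for prop in out.get("properties", {}).values():
        for key, value in DEFAULTS.items():
            prop.setdefault(key, value)
    return out


def strip_defaults(td):
    """Opposite policy: remove any member whose value equals its default,
    so authored and preprocessed documents collapse to the same form."""
    out = deepcopy(td)
    for prop in out.get("properties", {}).values():
        for key, value in DEFAULTS.items():
            if prop.get(key) == value:
                del prop[key]
    return out


def canonicalize(td):
    """JCS-like canonical form: sorted keys, no whitespace, raw UTF-8.
    (RFC 8785 also fixes number formatting; not needed for this sample.)"""
    text = json.dumps(td, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return text.encode("utf-8")


def digest(td):
    """What a signer would actually sign: SHA-256 over the canonical bytes."""
    return hashlib.sha256(canonicalize(td)).hexdigest()


def signature_survives_preprocessing(td, normalize):
    """True if the digest the producer computed over normalize(td) equals the
    digest a consumer computes after its preprocessor filled in defaults and
    then applied the same normalization."""
    producer_digest = digest(normalize(td))
    consumer_digest = digest(normalize(fill_defaults(td)))
    return producer_digest == consumer_digest


if __name__ == "__main__":
    identity = lambda td: td
    print("no normalization :", signature_survives_preprocessing(TD_AS_AUTHORED, identity))
    print("strip defaults   :", signature_survives_preprocessing(TD_AS_AUTHORED, strip_defaults))
    print("fill defaults    :", signature_survives_preprocessing(TD_AS_AUTHORED, fill_defaults))
```

With no normalization the two digests differ, so a signature over the authored bytes fails at a consumer that preprocesses first; either policy makes them agree, but the signing profile has to mandate one of them and both sides have to apply it before hashing.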
Received on Monday, 24 May 2021 09:24:00 UTC