WoT Security

27 Jul 2020



Clerley_Silveira, Cristiano_Aguzzi, David_Ezell, Farshid_Tavakolizadeh, Kaz_Ashimura, Michael_McCool, Oliver_Pfaff, Tomoaki_Mizushima


<kaz> scribenick: FarshidT


<kaz> Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#27_July_2020

minutes of last week

<McCool_> https://www.w3.org/2020/07/20-wot-sec-minutes.html


no objections on publishing the minutes

OAuth2 TD update

PR 927: https://github.com/w3c/wot-thing-description/pull/927

McCool: still draft. Did not update the ontology.
... Cristiano was going to look into token/authorization token issue

Cristiano: already created a table summarizing the endpoint requirements for each flow
... Farshid noted that using the authorization endpoint also for device may add confusion

Farshid: clients may set the authorization endpoint of the auth server in place of the device authorization one.

McCool: the device_authorization name is not very nice
... can simply reuse the authorization endpoint for device, as the flow field clarifies that this is a different endpoint

Farshid: the "authorization" endpoint is the name of an endpoint provided by the server, this has nothing to do with device authorization

McCool: https://github.com/w3c/wot-thing-description/pull/927#issuecomment-664363727
... updating the PR.

Farshid: what about when having multiple flows inside a schema (https://github.com/w3c/wot-thing-description/issues/929)?

Cristiano: yes, it will add complications, even for AND/OR combinations.

McCool: can go back and look at this. For now, want to have a self-contained specification.
... have to check if any application will require an AND scheme combining device and another flow.
... the vocabulary is inconsistent with the body. Have to discuss with the TD/ontology team to fix the issue regarding flow names.

<kaz> TD Issue 929 - Multiple OAuth 2.0 flows

McCool: comment regarding device_authorization and vocab for flows: https://github.com/w3c/wot-thing-description/pull/927#issuecomment-664374807

Best practices document

McCool: since some flows are no longer recommended in TD, we should also update the security best practices (https://github.com/w3c/wot-security-best-practices)

<McCool_> Issue 5 - Recommended OAuth2 flows

<kaz> Issue 6 - Reference for MQTT

<kaz> Issue 7 - Update with discovery and directory recommendations

McCool: we also need security best practices for directory and discovery in general
... need to update the security practices document by July 2021, after the discovery specs are in place


McCool: will discuss multiple flows and OR/AND scheme issues next time.
... will not merge the PR in the meantime.

<kaz> [adjourned]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version (CVS log)
$Date: 2020/07/28 06:35:56 $