<kaz> scribenick: FarshidT
<kaz> Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#27_July_2020
<McCool_> https://www.w3.org/2020/07/20-wot-sec-minutes.html
no objections on publishing the minutes
PR 927: https://github.com/w3c/wot-thing-description/pull/927
McCool: still draft. Did not update the ontology.
... Cristiano was going to look into token/authorization token issue
Cristiano: already created a table summarizing the endpoint requirement for each flow
... Farshid noted that using authorization endpoint also for device may add confusion
Farshid: clients may set authorization endpoint of auth server in place of device authorization one.
McCool: the device_authorization name is not very nice
... can simply reuse the authorization endpoint for device, as flow field clarified that this is a different endpoint
Farshid: the "authorization" endpoint is the name of an endpoint provided by the server, this has nothing to do with device authorization
McCool: https://github.com/w3c/wot-thing-description/pull/927#issuecomment-664363727
... updating the PR.
Farshid: what about when having multiple flows inside a schema (https://github.com/w3c/wot-thing-description/issues/929)?
Cristiano: yes, it will add complications, even for AND/OR combinations.
McCool: can go back and look at this. For now, want to have self-contained specification.
... have to check if any application will require an AND scheme combining device and another flow.
... the vocabulary is inconsistent with the body. Have to discuss with TD/ontology team to fix the issue regarding flow names.
<kaz> TD Issue 929 - Multiple OAuth 2.0 flows
McCool: comment regarding device_authorization and vocab for flows: https://github.com/w3c/wot-thing-description/pull/927#issuecomment-664374807
McCool: since some flows are no longer recommended in TD, we should also update the security best practices (https://github.com/w3c/wot-security-best-practices)
<McCool_> Issue 5 - Recommended OAuth2 flows
<kaz> Issue 6 - Reference for MQTT
<kaz> Issue 7 - Update with discovery and directory recommendations/
McCool: we also need security best practices for directory and discovery in general
... need to update security practices document by July 2021, after discovery specs are in place
McCool: will discuss multiple flows and OR/AND scheme issues next time.
... will not merge the PR in the meantime.
<kaz> [adjourned]