W3C

- DRAFT -

WoT Security

03 Aug 2020

Agenda

Attendees

Present
Kaz_Ashimura, Michael_McCool, Clerley_Silveira, Elena_Reshetova, Farshid_Tavakolizadeh, Tomoaki_Mizushima, David_Ezell
Regrets
Chair
McCool
Scribe
clerley


<kaz> scribenick: clerley

Prev minutes

<kaz> July-27

McCool: Meeting minutes for July 27 reviewed

Meeting minutes for July 27 approved. No objections.

OAuth2 update

<McCool> https://github.com/w3c/wot-thing-description/pull/927

<kaz> PR 927 preview - 5.3.3.8 OAuth2SecurityScheme

McCool: Updated the OAuth section, added flow. Added clarification for the auth flow. Several are available; only one should be used.
... Only one flow should be selected. The client should not fix multiple flows. Add a citation to the best practice document.

<kaz> [For the client flow authorization MUST NOT be included. ]

Farshid: wondering about "For the client flow authorization MUST NOT be included."

McCool: remark - the WoT Thing Description HTML had all the line feeds removed.
... Took out the reference to the best practices document.

<kaz> TD draft - index.template.html

McCool: Updated the "device authorization" section and added a reference to the WoT Security Guidelines.

Farshid: No objections, but wrote a remark. If they see "device authorization" vs "authorization", a developer could be confused.

McCool: Unless a developer is guided by an author, they may not have read the design specification. They may see authorization and just use it.

<kaz> Farshid's comment on PR 927 for wot-thing-description

McCool: It could be a frequent error just because a developer may not be aware of authorization vs "device authorization".
... If we don't have the two tags, the error cannot happen.

Farshid: For most of the flow, the device authorization is used, but if the developer sees the authorization, they may use that.

McCool: Make the "device authorization" a MUST NOT. That will force the developer to use the Authorization flow.
... If we keep both "device authorization" vs authorization and "device authorization" is tagged as MUST NOT, the validation tool could catch that error.

Farshid: One suggestion is to add the "device authorization" and expand the description to clarify.

McCool: Should use device_authorization so that validation tool can catch the error.

Kaz: maybe this is overkill for OAuth2SecurityScheme, but at some point, we should consider the difference between the user and the device authorizations.

McCool: Could call it the "client authorization"
... If there are other flows, they would have to add the tags in the extension.
... Would like to keep simple and not add tags if it is not needed.
... Add a citation to the device flow to the table to make it normative.

Kaz: at the moment, it would be good to add an Editor's note to record Farshid's point here.

<FarshidT> openapi's oauth2 endpoint table: https://swagger.io/docs/specification/authentication/oauth2/

Farshid: Sending a link with information about OpenAPI, how they define the endpoints. Maybe we can follow a similar style.

McCool: Will discuss that possibility later. For now, updated the authorization section.
... Adding the table Farshid had in the comments would be a good idea.
... Updated the issue #927 comments.

<inserted> McCool's comment

Farshid: Is it possible to add more columns to the table?

McCool: Originally it was created for the "ontology" file. The script broke and has not been fixed yet. The script does not "know" about new columns if we manually add them to index.template.html.
... It would be easier to add a new table separately.
... Would like to go ahead and do the merge. The longer he goes without merging the harder it will be and he will have to play catch up.
... Is it acceptable to add an editor's note? The group agreed!

Document updates

<kaz> wot-security PR 174

McCool: Two branches "working" and "master". He would like to merge "working" into "master" to consolidate the two branches.

<kaz> diff

McCool: Believes the "working" version is more up to date.
... Any objections to deleting the working branch? No objections!
... PRs will be done against the master branch.

Issues

<kaz> wot-security issues

<kaz> issue 173 - Consider OAuth2 "device" flow

McCool: Attempted to link the issue, but it is not possible when linking across repositories.

<kaz> wot-thing-description PR 927

McCool: Added a note that PR is available.

<kaz> issue 169 - Security review of Lifecycle model and diagram

McCool: Would like to close the Lifecycle model.

Elena: Thinks the group should speak to Oliver. She has not been reviewing for a while.

McCool: Adding consideration that Lifecycle issue should be closed.

<kaz> issue 177 - Review oAuth2.0 use case

<kaz> OAuth2 Flows use case proposal

McCool: Look at the OAuth2 spec to find out if there is any security consideration. Other than that, there is nothing else that needs to be changed.
... The group will have one more week to review. Close the issue in the next meeting. (Consider closing the issue).

<kaz> issue 170 - Review Conexxus Security and Privacy Threat Model and Implementation Recommendations

Clerley: Send the Conexxus threat model to McCool.

<kaz> issue 166 - Add integrity protection to TDs

McCool: Will create a PR for integrity protection.

Adjourn.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version (CVS log)
$Date: 2020/08/04 05:17:06 $