<kaz> scribenick: clerley
<kaz> July-27
McCool: Meeting minutes for July 27 reviewed
Meeting minutes for July 27 approved. No objections.
<McCool> https://github.com/w3c/wot-thing-description/pull/927
<kaz> PR 927 preview - 5.3.3.8 OAuth2SecurityScheme
McCool: Updated the OAuth section, added flow. Added clarification for the auth flow. Several are available; only one should be used.
... Only one flow should be selected. Client should not fix multiple flows. Add citation to best practice document.
<kaz> [For the client flow authorization MUST NOT be included. ]
Farshid: wondering about "For the client flow authorization MUST NOT be include."
McCool: remark - WoT Thing Description HTML had all the line feeds removed.
... Took out the reference to the best practices document.
<kaz> TD draft - index.template.html
McCool: Updated the "device authorization" section and added a reference to WOT security guidelines.
Farshid: No objections but wrote a remark. If they see "device authorization" vs "authorization" a developer could be confused.
McCool: Unless a developer is guided by an author, they may not have read the design specification. They may see authorization and just use it.
<kaz> Farshid's comment on PR 927 for wot-thing-description
McCool: It could be a frequent error just because a developer may not be aware of authorization vs "device authorization".
... If we don't have the two tags, the error cannot happen.
Farshid: For most of the flow, the device authorization is used but, if the developer sees the authorization they may use that.
McCool: Make the "device authorization" a MUST NOT. That will force the developer to use the Authorization flow.
... If we keep both "device authorization" vs authorization and "device authorization" is tagged as MUST NOT, the validation tool could catch that error.
Farshid: One suggestion is to add the "device authorization" and expand the description to clarify.
McCool: Should use device_authorization so that validation tool can catch the error.
Kaz: maybe this is overkill for OAuth2SecurityScheme, but at some point, we should consider the difference between the user and the device authorizations.
McCool: Could call it the "client authorization".
... If there are other flows, they would have to add the tags in the extension.
... Would like to keep it simple and not add tags if it is not needed.
... Add a citation to the device flow to the table to make it normative.
Kaz: at the moment, it would be good to add an Editor's note to record Farshid's point here
<FarshidT> openapi's oauth2 endpoint table: https://swagger.io/docs/specification/authentication/oauth2/
Farshid: Sending a link with information about OpenAPI, how they define the endpoints. Maybe we can follow similar style.
McCool: Will discuss that possibility later. For now, updated the authorization section.
... Adding the table Farshid had in the comments would be a good idea.
... Updated the issue #927 comments.
<inserted> McCool's comment
Farshid: Is it possible to add more columns to the table?
McCool: Originally it was created for the "ontology" file. The script broke and has not been fixed yet. The script does not "know" about new columns if we manually add them to index.template.html.
... It would be easier to add a new table separately.
... Would like to go ahead and do the merge. The longer he goes without merging the harder it will be and he will have to play catch up.
... Is it acceptable to add an editor's note? The group agreed!
<kaz> wot-security PR 174
McCool: Two branches "working" and "master". He would like to merge "working" into "master" to consolidate the two branches.
<kaz> diff
McCool: Believes the "working" version is more up to date.
... Any objections to deleting the working branch? No objections!
... PRs will be done against the master branch.
<kaz> wot-security issues
<kaz> issue 173 - Consider OAuth2 "device" flow
McCool: Attempted to link the issue, but it is not possible when linking across repositories.
<kaz> wot-thing-description PR 927
McCool: Added a note that PR is available.
<kaz> issue 169 - Security review of Lifecycle model and diagram
McCool: Would like to close the Lifecycle model.
Elena: Thinks the group should speak to Oliver. She has not been reviewing for a while.
McCool: Adding consideration that Lifecycle issue should be closed.
<kaz> issue 177 - Review oAuth2.0 use case
<kaz> OAuth2 Flows use case proposal
McCool: Look at the OAuth2 spec to find out if there is any security consideration. Other than that, there is nothing else that needs to be changed.
... The group will have one more week to review. Close the issue in the next meeting. (Consider closing the issue.)
<kaz> issue 170 - Review Conexxus Security and Privacy Threat Model and Implementation Recommendations
Clerley: Send the Conexxus threat model to McCool.
<kaz> issue 166 - Add integrity protection to TDs
McCool: Will create a PR for integrity protection.
Adjourn.