W3C

- DRAFT -

WoT Security

10 Aug 2020

Attendees

Present
Kaz_Ashimura, Farshid_Tavakolizadeh, Michael_McCool, Oliver_Pfaff, Clerley_Silveira, Cristiano_Aguzzi, Tomoaki_Mizushima, David_Ezell
Regrets
Elena_Reshetova
Chair
McCool
Scribe
Oliver

<kaz> scribenick: Oliver

Minutes to be taken by Oliver

Prev minutes

<kaz> August-3

<kaz> Issue 169 - Security review of Lifecycle model and diagram

Minutes of the meeting on 2020-08-03 reviewed with no objections; they are considered published

Oliver to review issue #169 on the component lifecycle and provide feedback

OAuth2 updates

<kaz> wot-thing-description PR 927

<kaz> Preview - 5.3.3.8 OAuth2SecurityScheme

Status of PR #927 about the OAuth2SecurityScheme section (WoT Thing Description) reviewed; notes added therein. Some minor cleanup is still needed, then the PR can be merged

<kaz> (McCool changed the state of PR927 to "Draft")

Issue 166 - TD Issue 940

Issue #166 in WoT Security (integrity protection for TDs) was cloned to #940 in the WoT Thing Description repo to create awareness in the TD group

<inserted> Issue 166

<kaz> wot-thing-description TD Issue 940

<kaz> Linked Data Proofs 1.0 draft

Note added to TD Issue #940 about Linked Data Proofs (planned section on "proofChains")

<kaz> McCool's comments to TD Issue 940

Team comments to be provided as notes to #940

TD Issue 901

<kaz> TD Issue 901

Issue #901 in the WoT Thing Description repo about multiple security schemes reviewed (especially with respect to OR/AND combinations)

Options:
1. Array of arrays: [["sc1","sc2"],"sc3"]. Problem: nesting depth changes AND to OR; the special rule that an array of one element can be treated as a string may not work
2. Wrapper object: { "and": ["sc1", "sc2"], "or": "sc3" }. Breaks compatibility
3. Farshid's suggestion in the issue: {"scheme1": { "scheme2": {}}}. This is like a LISP CADR list; breaks compatibility
4. Another option would be to define "or" (and maybe "and" for completeness) schemes in "securityDefinitions"

Proposed next step: create PR for option 4, this PR should be incorporated in TD 1.1

Additional consideration: can an array of flows be made compatible?

Other additional consideration: a more compact notation for AND/OR

The alternative notations come with challenges with respect to backward compatibility and parsing complexity. Closer examinations are needed
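As an added illustration (not part of these minutes and not a decision of the group): a small Python evaluator for the array-of-arrays notation discussed as option 1, showing the nesting-depth problem and why the "one-element array is a string" rule conflicts with it. It assumes TD 1.0 semantics for a flat array (every listed scheme must be satisfied, i.e. AND) and, purely for illustration, that a nested array means "any one of these" (OR); the scheme names sc1..sc3, the presented-scheme sets and the function names are mine.

```python
"""Added example, not from the minutes: evaluate a TD `security` member
written in the array-of-arrays notation (option 1 in TD issue 901).

Assumptions (mine, for illustration):
- TD 1.0 compatible: a string names one scheme; a flat array means
  all listed schemes are required (AND).
- Option 1: a nested array means any one of its entries suffices (OR),
  so the meaning flips between AND and OR with each nesting level.
"""
from typing import List, Set, Union

Sec = Union[str, List["Sec"]]


def satisfied(security: Sec, presented: Set[str], depth: int = 0) -> bool:
    """True if the client's `presented` scheme names satisfy `security`.

    Even depth = AND (TD 1.0 semantics), odd depth = OR.
    """
    if isinstance(security, str):
        return security in presented
    if not isinstance(security, list) or not security:
        raise ValueError("security must be a scheme name or a non-empty array")
    results = [satisfied(s, presented, depth + 1) for s in security]
    return all(results) if depth % 2 == 0 else any(results)


def collapse_singletons(security: Sec) -> Sec:
    """The 'array of one element may be treated as a string' rule,
    applied recursively. Under the depth rule this is NOT meaning
    preserving: it removes a nesting level and so flips AND/OR."""
    if isinstance(security, str):
        return security
    items = [collapse_singletons(s) for s in security]
    return items[0] if len(items) == 1 else items


def demo() -> dict:
    """Constructed cases showing the two problems noted in the minutes."""
    mixed = [["sc1", "sc2"], "sc3"]        # reads as (sc1 OR sc2) AND sc3
    wrapped = [["sc1", "sc2"]]             # one-element outer array
    return {
        # nesting depth decides AND vs OR: sc2 alone is not enough
        "mixed_sc2_sc3": satisfied(mixed, {"sc2", "sc3"}),
        "mixed_sc2_only": satisfied(mixed, {"sc2"}),
        # the same document evaluates differently once the singleton
        # rule is applied: OR of sc1/sc2 becomes AND of sc1 and sc2
        "wrapped_raw": satisfied(wrapped, {"sc1"}),
        "wrapped_collapsed": satisfied(collapse_singletons(wrapped), {"sc1"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two results are the point: the singleton rule turns `[["sc1","sc2"]]` into `["sc1","sc2"]`, which under the depth rule is a different requirement, so a consumer that normalizes and one that does not would disagree on whether a client holding only sc1 is authorized.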

Michael (McCool) to take care of creating the PR mentioned above

<kaz> McCool's updated comments

Issue 170

Reviewed issue #170 (WoT Security) about the Conexxus Security & Privacy use case

<kaz> Issue 170

<kaz> Conexxus documents

Added a note providing a link to a (publicly available) developer document on conexxus.com

<kaz> McCool's comment including links to Conexxus Threat Model template documents

Issue 168

<kaz> Issue 168

With respect to issue #168, the current understanding is to add the HTML file from now on

McCool will create a PR for HTML to include "security and privacy considerations" sections (as blank sections at the moment)

<inserted> McCool's comment about that point

Meeting closed

[adjourned]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version (CVS log)
$Date: 2020/08/11 07:33:43 $