<kaz> scribenick: Oliver
Minutes to be taken by Oliver
<kaz> August-3
<kaz> Issue 169 - Security review of Lifecycle model and diagram
Minutes of the meeting on 2020-08-03 reviewed with no objections; they are considered published
Oliver to review issue #169 on the component lifecycle and provide feedback
<kaz> wot-thing-description PR 927
<kaz> Preview - 5.3.3.8 OAuth2SecurityScheme
Status of the issue #927 about the OAuth2SecurityScheme section (WoT Description) reviewed; notes therein added. Some minor cleanup is still needed; then merging can happen
<kaz> (McCool changed the state of PR927 to "Draft")
Issue #166 in WoT Security (Integrity protection for TDs) was cloned to #940 in WoT Description to create awareness in TD
<inserted> Issue 166
<kaz> wot-thing-description TD Issue 940
<kaz> Linked Data Proofs 1.0 draft
Note added to TD Issue #940 about Id-proof (planned section on "proofChains")
<kaz> McCool's comments to TD Issue 940
Team comments to be provided as notes to #940
<kaz> TD Issue 901
Issue #901 in WoT Thing Description repo about multiple security schemes reviewed (esp. with respect to OR/AND)
Options:
1. Array of arrays: [["sc1","sc2"],"sc3"]. Problem: nesting depth changes AND to OR; special rule that array of one element can be treated as a string may not work
2. Wrapper object: { "and": ["sc1", "sc2"], "or": "sc3"}. Breaks compatibility.
3. Farshid's suggestion above: {"scheme1": { "scheme2": {}}}. This is like a LISP CADR list... breaks compatibility.
4. Another option would be to define "or" (and maybe "and" for completeness) schemes in "securityDefinitions"
Proposed next step: create PR for option 4, this PR should be incorporated in TD 1.1
Additional consideration: can array-of-flows be made compatible?
Other additional consideration: more compact notation for AND/OR
The alternative notations come with challenges with respect to backward compatibility and parsing complexity. Closer examinations are needed
Michael to take care of creating the above-mentioned PR
<kaz> McCool's updated comments
Reviewed issue #170 (WoT Security) about the Conexxus Security&Privacy use case
<kaz> Issue 170
<kaz> Conexxus documents
Added a note providing a link to a (publicly available) developer document on conexxus.com
<kaz> McCool's comment including links to Conexxus Threat Model template documents
<kaz> Issue 168
With respect to issue #168, the current understanding is to add the HTML file from now on
McCool will create a PR for HTML to include "security and privacy considerations" sections (as blank sections at the moment)
<inserted> McCool's comment about that point
Meeting closed
[adjourned]