W3C

WoT Security

01 February 2021

Attendees

Present
Cristiano_Aguzzi, Kaz_Ashimura, Michael_McCool, Oliver_Pfaff, Tomoaki_Mizushima
Regrets
Elena_Reshetova
Chair
McCool
Scribe
kaz

Meeting minutes

Prev minutes

Jan-25

McCool: would be better to add titles for issues/PRs...

McCool: (goes through the sections on apikeys from the editor's draft of the Thing Description spec)

WIP: add URI template location for security scheme parameters #1032

PR 1032

McCool: (explains the points)

McCool's comments

[[

"securityDefinitions": {

   "template": {

     "scheme": "uri",

     "uriVariables": {

       "ID" : { "type": "string", "@type": "SecurityID" },

       "KEY" : { "type": "string", "@type": "SecurityKey" }

     }

   }

}

]]

(example above)

McCool: (adds some more comments in response to the comments from Cristiano and Ege)
… (put a "uri_key" entry, a "uri_id" entry and a combo entry to a new example)

McCool: (shoes the ED of the TD spec again)

Thing Description Editor's Draft - 5.3.3.6 APIKeySecurityScheme

McCool's updated comments including the new example of the combo security

McCool: go with the "name" option

Consider security issues in Discovery #196

Issue 196

related PR - Update SPARQL DDoS ed note #107

<kaz> s/relate PR/relate PR for wot-discovery/

Section 7. Security and Privacy Considerations

McCool: (shows the related PR 107 for WoT Discovery and its preview)
… (and then goes back to the Issue 196 itself)
… (adds comments)
… location may be implicit
… if a TD simply *appears* in a directory, then we know the Thing is in range (e.g. of WiFi) so it can register with the TDD
… (adds some more comments)
… in general, "disabling" geolocation for personal devices may be necessary, although it still is useful for institutional use cases
… another option would be to use a "code generator" to generate IDs (perhaps in combination with encrypted TDs) that is synchronized between the device and another application available to the user
… so, for example, a user could use an app on their laptop to generate the current ID and then do a discovery search to find the location of their car, which had registered an encrypted TD with tat (rotating) ID with a discovery service.

Kaz: yeah, this discussion is very important for security purposes
… note that we should be get ready for the privacy review at some point (within 6 months)

McCool: yeah
… we need to work on this
… probably we need to allow "nosec" although it's probably a very bad idea except for development use cases.
… we could perhaps add an assertion that [[if a TDD service is available to anyone other than the developer and supports registration of third-party TDs then it MUST NOT use the "nosec" scheme]]

AOB

McCool: aob?

(none)

[adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).