Meeting minutes
Prev minutes
McCool: would be better to add titles for issues/PRs...
McCool: (goes through the sections on apikeys from the editor's draft of the Thing Description spec)
WIP: add URI template location for security scheme parameters #1032
McCool: (explains the points)
[[
"securityDefinitions": {
"template": {
  "scheme": "uri",
  "uriVariables": {
  "ID" : { "type": "string", "@type": "SecurityID" },
  "KEY" : { "type": "string", "@type": "SecurityKey" }
  }
}
}
]]
(example above)
McCool: (adds some more comments in response to the comments from Cristiano and Ege)
… (put a "uri_key" entry, a "uri_id" entry and a combo entry to a new example)
McCool: (shoes the ED of the TD spec again)
Thing Description Editor's Draft - 5.3.3.6 APIKeySecurityScheme
McCool's updated comments including the new example of the combo security
McCool: go with the "name" option
Consider security issues in Discovery #196
related PR - Update SPARQL DDoS ed note #107
<kaz> s/relate PR/relate PR for wot-discovery/
Section 7. Security and Privacy Considerations
McCool: (shows the related PR 107 for WoT Discovery and its preview)
… (and then goes back to the Issue 196 itself)
… (adds comments)
… location may be implicit
… if a TD simply *appears* in a directory, then we know the Thing is in range (e.g. of WiFi) so it can register with the TDD
… (adds some more comments)
… in general, "disabling" geolocation for personal devices may be necessary, although it still is useful for institutional use cases
… another option would be to use a "code generator" to generate IDs (perhaps in combination with encrypted TDs) that is synchronized between the device and another application available to the user
… so, for example, a user could use an app on their laptop to generate the current ID and then do a discovery search to find the location of their car, which had registered an encrypted TD with tat (rotating) ID with a discovery service.
Kaz: yeah, this discussion is very important for security purposes
… note that we should be get ready for the privacy review at some point (within 6 months)
McCool: yeah
… we need to work on this
… probably we need to allow "nosec" although it's probably a very bad idea except for development use cases.
… we could perhaps add an assertion that [[if a TDD service is available to anyone other than the developer and supports registration of third-party TDs then it MUST NOT use the "nosec" scheme]]
AOB
McCool: aob?
(none)
[adjourned]