W3C

WoT Security

08 March 2021

Attendees

Present
Cristiano_Aguzzi, Elena_Reshetova, Oliver_Pfaff, Kaz_Ashimura, Michael_McCool, Philipp_Blum, Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
elena

Meeting minutes

meeting minutes from the last call

<kaz> Feb-22

McCool: meeting minutes approved

cancellations

McCool: next week we have a F2F, so maybe we should skip the security calls on Mon March 15 and March 22

McCool: next security call is on March 29, but a short one to capture F2F outcomes

agenda for F2F

<kaz> March vF2F agenda

McCool: currently the F2F agenda looks very full and does not have a security session. Does anyone think that we should have a security discussion, or is it ok not to have it this time?

General consensus is that there have not been enough security changes to require a separate security session

McCool: instead people should join existing sessions that might touch upon security issues

S&P consideration note update

McCool: changes that should be done in the note update: aligning the terminology with arch doc, updating docs, lifecycle??

AR to Elena to check the current status of lifecycle in the arch spec and raise any issues before the F2F if needed

McCool: the default branch for wot-security has been renamed from master to main. Please update your forks appropriately

issues

issue 197

https://github.com/w3c/wot-security/issues/197 Issue 197 - Promoting an approach where every thing is a server is a security nightmare

McCool enters a comment to point out the existing PR against the arch spec

issue 166

Issue 166 - Add integrity protection (proof section) to TDs

McCool reviewed the latest comment on that issue

issue 196

Issue 196 - Consider security issues in Discovery

McCool suggests reviewing the JSON Path draft and puts a comment about it in the issue

issue 194

Issue 194 - Provide guidance on use of OAuth 2 flows

McCool: have we ever addressed this?

Cristiano will try to find a good place to have these recommendations added

McCool: it indeed fits the Best Practices document better, but is the Best Practices document even published?

McCool adds a note that we should formally publish the Best Practices document

McCool creates a new issue under Best Practices to add OAuth 2 recommendations

https://github.com/w3c/wot-security-best-practices/issues/5

McCool: we should aim to publish the best practices as a note

Adding a note to issue https://github.com/w3c/wot-security-best-practices/issues/7

other ongoing activities

<kaz> wot-thing-description PR 1058 - WIP: Add JSON pointer assertion to definition of body sec location

McCool puts some comments on this PR

McCool: we will likely discuss this further in the TD call

<kaz> McCool's comment 1 to PR 1058

<kaz> McCool's comment 2 to PR 1058

<kaz> [adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).