W3C

WoT Security

19 April 2021

Attendees

Present
Kaz_Ashimura, Michael_McCool, Philipp_Blum, Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
citrullin, kaz

Meeting minutes

Joint call with scripting

McCool: We could have a joint call for two hours. But let's take a look into the topics first.

Security TaskForce related issues

Discovery TaskForce related issues

McCool: I guess we should comment on the issue what we have to deal with.

McCool adds a note into the security wiki. Logistics still under discussion.

Canonicalization and signing

McCool: The problem with canonicalization is default values.
… the preprocessor may fill in the default values if they are not given.

McCool adds a comment to the wiki regarding this issue.

Philipp: There should be an issue for it, so that we can think about it in more detail.

Object security

Consider how to support object security

McCool: .local domains are problematic to secure.
… there is still information which can get leaked, even if the body is encrypted. Query parameters, for example.

Philipp: We may be able to use DIDs here and store the related keys etc. attached to the DID in a DLT.

<McCool> https://tools.ietf.org/html/rfc7165

McCool: We don't have experience with that and it probably takes too much time to get this experience.

Kaz: I agree that we might want to use DID for that. But I agree that it would take too much time for the current v 1.1 specs.

McCool: There is a way to distribute keys via DID. But this goes beyond IoT.

Philipp: Newer versions of HTTP allow encryption of headers. Not sure about queries though.

McCool: TLS relies on global domains. And that doesn't work in .local.
… for now we have to allow http for discovery.

Philipp: So we might have to say in the best-practices: if you want to have object security, you should put the queries into the body.

McCool: Problem is that discovery supports queries in the URL and therefore they cannot get encrypted. SPARQL on the other hand allows the queries in the body.

<McCool> https://krellian.com/

OAuth2 flows

Philipp: I think we can remove the submitter etc.

McCool: Yes, there are some things which can get simplified and removed.
… have you made a PR for the use-case document?

Philipp: No, I haven't. We should talk with Michael Lagally first, I think.

OAuth2 flow issue

OAuth2 flow PR

<kaz> wot-security-best-practices PR 10 - Move OAuth2 flow from usecases to security-best-practices

Kaz: Please note the default branch for the wot-security-best-practices repo has also been renamed to "main".

[adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).