Meeting minutes
Joint call with scripting
McCool: We could have a joint call for two hours. But let's take a look into the topics first.
Security TaskForce related issues
Discovery TaskForce related issues
McCool: I guess we should comment on the issue regarding what we have to deal with.
McCool adds a note into the security wiki. Logistics still under discussion.
Canonicalization and signing
McCool: The problem with canonicalization is default values.
… the preprocessor may fill in the default values if they are not given.
McCool adds a comment to the wiki regarding this issue.
Philipp: There should be an issue for it, so that we can think about it more in detail.
Object security
Consider how to support object security
McCool: .local domains are problematic to secure.
… there is still information which can get leaked, even if the body is encrypted. Query parameters, for example.
Philipp: We may be able to use DIDs here and store the related keys, etc., attached to the DID in a DLT.
<McCool> https://
McCool: We don't have experience with that and it probably takes too much time to get this experience.
Kaz: I agree that we might want to use DID for that. But I agree that it would take too much time for the current v 1.1 specs.
McCool: There is a way to distribute keys via DID. But this goes beyond IoT.
Philipp: Newer versions of HTTP allow encryption of headers. Not sure about queries though.
McCool: TLS relies on global domains. And that doesn't work in .local.
… for now we have to allow http for discovery.
Philipp: So we might have to say in the best practices that if you want to have object security, you should put the queries into the body.
McCool: The problem is that discovery supports queries in the URL, and therefore they cannot get encrypted. SPARQL, on the other hand, allows the queries in the body.
<McCool> https://
OAuth2 flows
Philipp: I think we can remove the submitter etc.
McCool: Yes, there are some things which can get simplified and removed.
… have you made a PR for the use-case document?
Philipp: No, I haven't. We should talk with Michael Lagally first, I think.
<kaz> wot-security-best-practices PR 10 - Move OAuth2 flow from usecases to security-best-practices
Kaz: please note the default branch for the wot-security-best-practices repo has also been renamed to "main"
[adjourned]