IRC log of wot-script on 2021-04-26
Timestamps are in UTC.
- 11:02:23 [RRSAgent]
- RRSAgent has joined #wot-script
- 11:02:23 [RRSAgent]
- logging to https://www.w3.org/2021/04/26-wot-script-irc
- 11:02:30 [kaz]
- meeting: WoT Scripting API
- 11:02:53 [kaz]
- present+ Kaz_Ashimura, Daniel_Peintner, Cristiano_Aguzzi, Michael_McCool, Zoltan_Kis
- 11:03:18 [cris]
- cris has joined #wot-script
- 11:04:02 [zkis]
- scribe: zkis
- 11:06:09 [kaz]
- present+ Eena_Reshetova, Oliver_Pfaff
- 11:07:08 [McCool]
- McCool has joined #wot-script
- 11:07:49 [zkis]
- Topic: security discussions
- 11:08:29 [dape]
- https://github.com/w3c/wot-scripting-api/issues/315
- 11:08:52 [Mizushima]
- Mizushima has joined #wot-script
- 11:08:59 [Oliver]
- Oliver has joined #wot-script
- 11:09:06 [zkis]
- DP: this is tracking the meeting and we discuss individual issues
- 11:09:17 [zkis]
- Topic: issue#299
- 11:09:24 [dape]
- -> https://github.com/w3c/wot-scripting-api/issues/299
- 11:09:43 [zkis]
- CA: could the script know what security schemes are known to the runtime
- 11:09:50 [kaz]
- Agenda: https://www.w3.org/WoT/IG/wiki/WG_WoT_Scripting_API_WebConf#19_April_2021
- 11:10:59 [zkis]
- ZK: ExposedThing implementation is not well understood yet and not standardized
- 11:11:16 [kaz]
- s|issues/299|issues/299 Issue 299 - Chose a particular security schema for an ExposedThing|
- 11:11:23 [kaz]
- present+ Tomoaki_Mizushima
- 11:11:27 [zkis]
- CA: we can choose the security scheme but we could not know which ones are supported
- 11:11:59 [kaz]
- s/Topic: issue#299/subtopic: Issue 299/
- 11:12:01 [zkis]
- DP: for context, we have separated ConsumedThing and ExposedThing
- 11:12:18 [zkis]
- ... from ConsumedThing the client can choose
- 11:12:25 [zkis]
- ... for ExposedThing it is more complex
- 11:12:35 [McCool]
- q+
- 11:12:41 [zkis]
- ... but later on we need to define the security schemes
- 11:12:55 [zkis]
- ... question is how to choose, how to figure out which ones are supported
- 11:13:06 [zkis]
- ack McC
- 11:13:21 [zkis]
- ER: we had this discussion earlier
- 11:13:39 [zkis]
- ... we probably need a minimal requirement to fulfill
- 11:13:47 [zkis]
- ... like with SDP protocol
- 11:14:08 [zkis]
- ... the script internal logic should decide whether what is returned can be used
- 11:14:21 [zkis]
- ... the weak schemas will exist no matter which approach we take
- 11:14:34 [zkis]
- ... (except no security)
- 11:14:49 [zkis]
- ... we could provide the minimal set
- 11:14:51 [cris]
- q+
- 11:14:55 [zkis]
- ... otherwise fail
- 11:15:09 [zkis]
- MMC: say there are 3 levels of config:
- 11:15:17 [zkis]
- ... one is picking a predefined security def
- 11:15:26 [zkis]
- ... 2nd level is the content of a security object
- 11:15:49 [zkis]
- ... below that there is the level where we configure certificates etc
- 11:15:58 [zkis]
- ... we need to think about the use cases
- 11:16:08 [zkis]
- ... for instance not in the browser, but in Node.js
- 11:16:21 [zkis]
- MMC: about negotiation
- 11:16:32 [zkis]
- ... what we really want to know is what security objects are there
- 11:16:41 [zkis]
- ... based on which we can define security definitions
- 11:16:52 [zkis]
- ... then the script could pick one(s)
- 11:17:04 [zkis]
- ... so the script needs to access the security object's content
- 11:17:11 [zkis]
- ... that information is not sensitive
- 11:17:30 [zkis]
- ... for instance OAuth scheme etc
- 11:17:37 [zkis]
- ... another factor is the protocol;
- 11:17:42 [dape]
- q+
- 11:17:55 [zkis]
- ... we should not use basic HTTP, so the script needs to know what the protocols are
- 11:18:08 [zkis]
- ack cris
- 11:18:19 [zkis]
- CA: good formulation of the problem
- 11:18:29 [zkis]
- ... so we need a method to list the available security schemes
- 11:18:46 [McCool]
- s/security schemes/SecurityScheme object/
- 11:19:00 [kaz]
- -> https://w3c.github.io/wot-scripting-api/#exposedthing-examples Editor's draft - 8.32 ExposedThing Examples
- 11:19:17 [kaz]
- q?
- 11:19:17 [zkis]
- q+
- 11:19:34 [McCool]
- q+
- 11:19:36 [zkis]
- CA: how do we define minimal sets?
- 11:19:50 [zkis]
- ER: was not a proposal, just an example for an approach
- 11:20:25 [zkis]
- q?
- 11:20:43 [zkis]
- ER: there is a negotiation between the script and the runtime
- 11:20:59 [zkis]
- CA: that justifies even more that API
- 11:21:10 [zkis]
- ... we need a programmatic approach
- 11:22:12 [zkis]
- q?
- 11:22:31 [zkis]
- DP: right now node-wot is no-security
- 11:22:56 [zkis]
- OP: where is the a list of possible security schema definitions defined?
- 11:23:12 [kaz]
- q?
- 11:23:18 [kaz]
- ack d
- 11:23:23 [zkis]
- OP: look at OPC profile document
- 11:23:33 [dape]
- ack dape
- 11:23:41 [zkis]
- ... the vendor can declare capabilities
- 11:23:51 [zkis]
- ER: don't we have this in WoT?
- 11:24:04 [zkis]
- MMC: we are getting confused by the "Scheme"
- 11:24:08 [zkis]
- ... and the object
- 11:24:18 [zkis]
- ... or security definition
- 11:24:34 [zkis]
- ... so there should be a management API that configures the runtime
- 11:25:06 [zkis]
- ... security definitions could be applied on whole TD or only some Forms
- 11:25:22 [dape]
- q?
- 11:25:24 [zkis]
- ... we won't want developers use no-security
- 11:26:00 [zkis]
- MMC: the cleanest way to do it is to have a catalog of the security definitions
- 11:27:18 [zkis]
- ZK: currently we don't have any API for this, so we are discussing a new system API as a helper
- 11:27:48 [zkis]
- DP: currently doesn't help if the TD template contains definitions
- 11:28:01 [zkis]
- ... can the consumer pass down security credentials? NO
- 11:28:11 [zkis]
- ... so there should be prior configuration
- 11:28:38 [zkis]
- MMC: the secrets are associated to the security definitions; scripts can only select ones
- 11:28:42 [cris]
- q+
- 11:28:47 [zkis]
- ack zk
- 11:28:51 [zkis]
- ack McC
- 11:29:17 [zkis]
- MMC: we don't have a way to say that a security definition only applies to a certain protocol
- 11:29:29 [zkis]
- ... some schemes might not work for some protocols
- 11:29:40 [zkis]
- ... first we need to pick the scheme and protocol
- 11:29:55 [kaz]
- q?
- 11:29:58 [kaz]
- ack cr
- 11:29:58 [zkis]
- ... so we need an external management API that can be used to configure these in advance
- 11:30:19 [zkis]
- CA: the implementation of the security schemes is inside the bindings library
- 11:30:30 [zkis]
- ... so node-wot knows about them
- 11:30:38 [zkis]
- ... but the TD doesn't know about it
- 11:30:51 [dape]
- q+
- 11:31:03 [zkis]
- MMC: even if we say in the TD which protocol it applies to, the implementation could override
- 11:31:29 [zkis]
- DP: is there some suggestion to put a label on security objects that could be used for filtering?
- 11:31:37 [zkis]
- MMC: they are meant to be orthogonal
- 11:31:47 [zkis]
- ... some protocols have password schemes
- 11:31:58 [zkis]
- ... the impl can say it supports only certain protocols
- 11:32:31 [zkis]
- ... don't think we should put than in the TD spec
- 11:32:45 [zkis]
- ... but implementations can be more specific
- 11:33:12 [zkis]
- DP: trying to rephrase; we could query the available security schemes in the runtime
- 11:33:56 [zkis]
- q?
- 11:34:00 [zkis]
- ack dape
- 11:34:08 [zkis]
- q+
- 11:34:12 [zkis]
- MMC: right
- 11:34:23 [zkis]
- ... query, apply, management
- 11:34:26 [zkis]
- CA: +1
- 11:34:58 [zkis]
- ... wondering if we could include the query in the core API, as it's related to ExposedThing
- 11:35:17 [zkis]
- CA: can I profile/fingerprint a user based on this?
- 11:35:35 [zkis]
- MMC: this is an issue in the browser, but here we talk about servers
- 11:35:58 [zkis]
- ... it is possible to fingerprint the environment based on listing capabilities
- 11:36:18 [zkis]
- ... but to have access to the API, I have to be already provisioned
- 11:36:25 [zkis]
- ... so the risk is not substantial
- 11:36:30 [zkis]
- q?
- 11:36:45 [zkis]
- MMC: whether it matter it depends on the use case
- 11:36:57 [zkis]
- DP: what if this API is not there?
- 11:37:38 [zkis]
- MMC: let's suppose we just need to pick the security scheme name, even then we need the list, and even a standardized name list
- 11:37:52 [zkis]
- ... we could use a context that give access to at least the scheme names
- 11:38:07 [zkis]
- ER: I'd support this
- 11:38:31 [zkis]
- ... in scheme negotiation if we want to make a choice, we need just the descriptive names
- 11:38:40 [zkis]
- ... and that minimizes fingerprinting as well
- 11:40:19 [dape]
- q?
- 11:40:22 [zkis]
- q?
- 11:41:49 [cris]
- q+
- 11:42:12 [zkis]
- ZK: right now we need to put security definitions to an init dictionary
- 11:42:23 [zkis]
- ... CA would prefer programmatic API instead
- 11:42:36 [zkis]
- ... so we need a new API for that querying, and then also the management API
- 11:43:17 [zkis]
- MMC: listing and choosing the sec defs should be added to the API
- 11:43:29 [zkis]
- ... and a management API should set it up
- 11:43:31 [zkis]
- q+
- 11:43:36 [kaz]
- q+
- 11:43:37 [zkis]
- ack cris
- 11:44:16 [McCool]
- q+
- 11:44:17 [zkis]
- CA: I didn't like the declarative security definitions
- 11:44:42 [zkis]
- ... when we call the expose() method, we'll get back an error
- 11:45:02 [zkis]
- ... then we need to start again by creating a new template: it's a trial and error method
- 11:45:30 [zkis]
- q?
- 11:45:44 [zkis]
- MMC: the problem is with the secrets
- 11:45:48 [kaz]
- q- later
- 11:46:03 [zkis]
- ... MMC: each definition needs to be provisioned externally
- 11:48:35 [zkis]
- CA: node-wot starts to implement sandboxing, and we will need these APIs
- 11:48:56 [zkis]
- MMC: maybe out of scope for the current API, but we need to start working on the management API
- 11:49:29 [zkis]
- CA: this would also allow portability of the server applications
- 11:49:39 [kaz]
- i|this would|-> https://github.com/w3c/wot-scripting-api/issues/298 Issue 298 - Requirements for Managment APIs|
- 11:49:50 [dape]
- q?
- 11:49:59 [McCool]
- ack m
- 11:50:02 [zkis]
- q-
- 11:50:54 [zkis]
- KA: we need more details about the implementation, service ports etc
- 11:51:06 [zkis]
- MMC: we could include those in the management API
- 11:51:31 [zkis]
- q+
- 11:52:04 [zkis]
- KA: we don't have impl for DiD for Scripting, but wanted to raise the possibility to use it
- 11:52:17 [zkis]
- MMC: we will discuss it more deeply
- 11:52:24 [zkis]
- ... a bit too early at the moment
- 11:52:40 [kaz]
- s/we don't/also we don't/
- 11:52:54 [kaz]
- s/use it/use it as well (for v2 specs)
- 11:53:17 [kaz]
- ack kaz
- 11:53:18 [zkis]
- OP: we should differentiate between instance specific information and generic information that could apply to multiple instances
- 11:53:34 [zkis]
- q-
- 11:54:01 [zkis]
- OP: we need a well understood catalog of security scheme names
- 11:54:10 [zkis]
- ... without any instance specific information
- 11:54:26 [zkis]
- ... based on these 2 assumptions we could solve it
- 11:54:46 [zkis]
- CA: we have a sort of catalog
- 11:55:20 [zkis]
- ... in the Thing Model definition
- 11:55:51 [zkis]
- ... so we are not too far
- 11:56:25 [zkis]
- (link)
- 11:56:51 [zkis]
- OP: what is the difference between security scheme vocabulary and name?
- 11:57:11 [kaz]
- s|(link)|-> https://w3c.github.io/wot-thing-description/#sec-security-vocabulary-definition Thing Description Editor's draft - 5.3.3 Security Vocabulary Definitions|
- 11:57:28 [zkis]
- MMC: the set of labels are clear
- 11:58:34 [zkis]
- ZK: the TD spec is missing on how to generate a TD, we'd need that as well
- 11:58:38 [kaz]
- s/Thing Model/Thing Description's information model/
- 11:58:49 [zkis]
- MMC: we could have multiple levels of scripting
- 11:59:10 [zkis]
- ... setup would be done by different roles
- 11:59:22 [zkis]
- ... programming by another role
- 12:00:37 [zkis]
- MMC: when generating a TD from a script we have 2 stages, one is configuration and the other is selecting
- 12:02:48 [zkis]
- ZK: we need full code examples to figure out what/how to standardize
- 12:02:52 [zkis]
- CA: I can provide that
- 12:02:55 [dape]
- -> https://github.com/w3c/wot-scripting-api/issues/299
- 12:03:01 [zkis]
- MMC: we could comment in the issue
- 12:03:29 [zkis]
- q?
- 12:04:17 [zkis]
- MMC: we need to list/update the management API requirements
- 12:06:09 [zkis]
- MMC: let's figure out a minimal API fulfilling those
- 12:06:19 [zkis]
- CA: yes, we need subsets
- 12:06:29 [kaz]
- zakim, who is on the call?
- 12:06:29 [Zakim]
- Present: Kaz_Ashimura, Daniel_Peintner, Cristiano_Aguzzi, Michael_McCool, Zoltan_Kis, Eena_Reshetova, Oliver_Pfaff, Tomoaki_Mizushima
- 12:06:45 [kaz]
- present- Eena_Reshetova
- 12:06:50 [kaz]
- present+ Elena_Reshetova
- 12:07:07 [citrullin]
- citrullin has joined #wot-script
- 12:07:15 [kaz]
- present+ Philipp_Blum
- 12:07:25 [kaz]
- rrsagent, make log public
- 12:07:30 [kaz]
- rrsagent, draft minutes
- 12:07:30 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/04/26-wot-script-minutes.html kaz
- 12:07:45 [zkis]
- adjourned
- 12:08:02 [kaz]
- Chair: Daniel
- 12:08:05 [kaz]
- rrsagent, draft minutes
- 12:08:05 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/04/26-wot-script-minutes.html kaz
- 12:08:53 [Mizushima]
- Mizushima has left #wot-script
- 12:11:26 [zkis2]
- zkis2 has joined #wot-script
- 14:10:04 [Zakim]
- Zakim has left #wot-script
- 14:57:35 [zkis]
- zkis has joined #wot-script
- 17:08:40 [zkis]
- zkis has joined #wot-script
- 20:57:33 [zkis]
- zkis has joined #wot-script