11:02:23 <RRSAgent> RRSAgent has joined #wot-script
11:02:23 <RRSAgent> logging to https://www.w3.org/2021/04/26-wot-script-irc
11:02:30 <kaz> meeting: WoT Scripting API
11:02:53 <kaz> present+ Kaz_Ashimura, Daniel_Peintner, Cristiano_Aguzzi, Michael_McCool, Zoltan_Kis
11:03:18 <cris> cris has joined #wot-script
11:04:02 <zkis> scribe: zkis
11:06:09 <kaz> present+ Eena_Reshetova, Oliver_Pfaff
11:07:08 <McCool> McCool has joined #wot-script
11:07:49 <zkis> Topic: security discussions
11:08:29 <dape> https://github.com/w3c/wot-scripting-api/issues/315
11:08:52 <Mizushima> Mizushima has joined #wot-script
11:08:59 <Oliver> Oliver has joined #wot-script
11:09:06 <zkis> DP: this is tracking the meeting and we discuss individual issues
11:09:17 <zkis> Topic: issue#299
11:09:24 <dape> -> https://github.com/w3c/wot-scripting-api/issues/299
11:09:43 <zkis> CA: could the script know what security schemes are known to the runtime
11:09:50 <kaz> Agenda: https://www.w3.org/WoT/IG/wiki/WG_WoT_Scripting_API_WebConf#19_April_2021
11:10:59 <zkis> ZK: ExposedThing implementation is not well understood yet and not standardized
11:11:16 <kaz> s|issues/299|issues/299 Issue 299 - Chose a particular security schema for an ExposedThing|
11:11:23 <kaz> present+ Tomoaki_Mizushima
11:11:27 <zkis> CA: we can choose the security scheme but we could not know which ones are supported
11:11:59 <kaz> s/Topic: issue#299/subtopic: Issue 299/
11:12:01 <zkis> DP: for context, we have separated ConsumedThing and ExposedThing
11:12:18 <zkis> ... from ConsumedThing the client can choose
11:12:25 <zkis> ... for ExposedThing it is more complex
11:12:35 <McCool> q+
11:12:41 <zkis> ... but later on we need to define the security schemes
11:12:55 <zkis> ... question is how to choose, how to figure out which ones are supported
11:13:06 <zkis> ack McC
11:13:21 <zkis> ER: we had this discussion earlier
11:13:39 <zkis> ... we probably need a minimal requirement to fulfill
11:13:47 <zkis> ... like with SDP protocol
11:14:08 <zkis> ... the script internal logic should decide whether what is returned can be used
11:14:21 <zkis> ... the weak schemas will exist no matter which approach we take
11:14:34 <zkis> ... (except no security)
11:14:49 <zkis> ... we could provide the minimal set
11:14:51 <cris> q+
11:14:55 <zkis> ... otherwise fail
11:15:09 <zkis> MMC: say there are 3 levels of config:
11:15:17 <zkis> ... one is picking a predefined security def
11:15:26 <zkis> ... 2nd level is the content of a security object
11:15:49 <zkis> ... below that there is the level where we configure certificates etc
11:15:58 <zkis> ... we need to think about the use cases
11:16:08 <zkis> ... for instance not in the browser, but in Node.js
11:16:21 <zkis> MMC: about negotiation
11:16:32 <zkis> ... what we really want to know is what security objects are there
11:16:41 <zkis> ... based on which we can define security definitions
11:16:52 <zkis> ... then the script could pick one(s)
11:17:04 <zkis> ... so the script needs to access the security object's content
11:17:11 <zkis> ... that information is not sensitive
11:17:30 <zkis> ... for instance OAuth scheme etc
11:17:37 <zkis> ... another factor is the protocol;
11:17:42 <dape> q+
11:17:55 <zkis> ... we should not use basic HTTP, so the script needs to know what the protocols are
11:18:08 <zkis> ack cris
11:18:19 <zkis> CA: good formulation of the problem
11:18:29 <zkis> ... so we need a method to list the available security schemes
11:18:46 <McCool> s/security schemes/SecurityScheme object/
11:19:00 <kaz> -> https://w3c.github.io/wot-scripting-api/#exposedthing-examples Editor's draft - 8.32 ExposedThing Examples
11:19:17 <kaz> q?
11:19:17 <zkis> q+
11:19:34 <McCool> q+
11:19:36 <zkis> CA: how do we define minimal sets?
11:19:50 <zkis> ER: was not a proposal, just an example for an approach
11:20:25 <zkis> q?
11:20:43 <zkis> ER: there is a negotiation between the script and the runtime
11:20:59 <zkis> CA: that justifies even more that API
11:21:10 <zkis> ... we need a programmatic approach
11:22:12 <zkis> q?
11:22:31 <zkis> DP: right now node-wot is no-security
11:22:56 <zkis> OP: where is the a list of possible security schema definitions defined?
11:23:12 <kaz> q?
11:23:18 <kaz> ack d
11:23:23 <zkis> OP: look at OPC profile document
11:23:33 <dape> ack dape
11:23:41 <zkis> ... the vendor can declare capabilities
11:23:51 <zkis> ER: don't we have this in WoT?
11:24:04 <zkis> MMC: we are getting confused by the "Scheme"
11:24:08 <zkis> ... and the object
11:24:18 <zkis> ... or security definition
11:24:34 <zkis> ... so there should be a management API that configures the runtime
11:25:06 <zkis> ... security definitions could be applied on whole TD or only some Forms
11:25:22 <dape> q?
11:25:24 <zkis> ... we won't want developers use no-security
11:26:00 <zkis> MMC: the cleanest way to do it is to have a catalog of the security definitions
11:27:18 <zkis> ZK: currently we don't have any API for this, so we are discussing a new system API as a helper
11:27:48 <zkis> DP: currently doesn't help if the TD template contains definitions
11:28:01 <zkis> ... can the consumer pass down security credentials? NO
11:28:11 <zkis> ... so there should be prior configuration
11:28:38 <zkis> MMC: the secrets are associated to the security definitions; scripts can only select ones
11:28:42 <cris> q+
11:28:47 <zkis> ack zk
11:28:51 <zkis> ack McC
11:29:17 <zkis> MMC: we don't have a way to say that a security definition only applies to a certain protocol
11:29:29 <zkis> ... some schemes might not work for some protocols
11:29:40 <zkis> ... first we need to pick the scheme and protocol
11:29:55 <kaz> q?
11:29:58 <kaz> ack cr
11:29:58 <zkis> ... so we need an external management API that can be used to configure these in advance
11:30:19 <zkis> CA: the implementation of the security schemes is inside the bindings library
11:30:30 <zkis> ... so node-wot knows about them
11:30:38 <zkis> ... but the TD doesn't know about it
11:30:51 <dape> q+
11:31:03 <zkis> MMC: even if we say in the TD which protocol it applies to, the implementation could override
11:31:29 <zkis> DP: is there some suggestion to put a label on security objects that could be used for filtering?
11:31:37 <zkis> MMC: they are meant to be orthogonal
11:31:47 <zkis> ... some protocols have password schemes
11:31:58 <zkis> ... the impl can say it supports only certain protocols
11:32:31 <zkis> ... don't think we should put than in the TD spec
11:32:45 <zkis> ... but implementations can be more specific
11:33:12 <zkis> DP: trying to rephrase; we could query the available security schemes in the runtime
11:33:56 <zkis> q?
11:34:00 <zkis> ack dape
11:34:08 <zkis> q+
11:34:12 <zkis> MMC: right
11:34:23 <zkis> ... query, apply, management
11:34:26 <zkis> CA: +1
11:34:58 <zkis> ... wondering if we could include the query in the core API, as it's related to ExposedThing
11:35:17 <zkis> CA: can I profile/fingerprint a user based on this?
11:35:35 <zkis> MMC: this is an issue in the browser, but here we talk about servers
11:35:58 <zkis> ... it is possible to fingerprint the environment based on listing capabilities
11:36:18 <zkis> ... but to have access to the API, I have to be already provisioned
11:36:25 <zkis> ... so the risk is not substantial
11:36:30 <zkis> q?
11:36:45 <zkis> MMC: whether it matter it depends on the use case
11:36:57 <zkis> DP: what if this API is not there?
11:37:38 <zkis> MMC: let's suppose we just need to pick the security scheme name, even then we need the list, and even a standardized name list
11:37:52 <zkis> ... we could use a context that give access to at least the scheme names
11:38:07 <zkis> ER: I'd support this
11:38:31 <zkis> ... in scheme negotiation if we want to make a choice, we need just the descriptive names
11:38:40 <zkis> ... and that minimizes fingerprinting as well
11:40:19 <dape> q?
11:40:22 <zkis> q?
11:41:49 <cris> q+
11:42:12 <zkis> ZK: right now we need to put security definitions to an init dictionary
11:42:23 <zkis> ... CA would prefer programmatic API instead
11:42:36 <zkis> ... so we need a new API for that querying, and then also the management API
11:43:17 <zkis> MMC: listing and choosing the sec defs should be added to the API
11:43:29 <zkis> ... and a management API should set it up
11:43:31 <zkis> q+
11:43:36 <kaz> q+
11:43:37 <zkis> ack cris
11:44:16 <McCool> q+
11:44:17 <zkis> CA: I didn't like the declarative security definitions
11:44:42 <zkis> ... when we call the expose() method, we'll get back an error
11:45:02 <zkis> ... then we need to start again by creating a new template: it's a trial and error method
11:45:30 <zkis> q?
11:45:44 <zkis> MMC: the problem is with the secrets
11:45:48 <kaz> q- later
11:46:03 <zkis> ... MMC: each definition needs to be provisioned externally
11:48:35 <zkis> CA: node-wot starts to implement sandboxing, and we will need these APIs
11:48:56 <zkis> MMC: maybe out of scope for the current API, but we need to start working on the management API
11:49:29 <zkis> CA: this would also allow portability of the server applications
11:49:39 <kaz> i|this would|-> https://github.com/w3c/wot-scripting-api/issues/298 Issue 298 - Requirements for Managment APIs|
11:49:50 <dape> q?
11:49:59 <McCool> ack m
11:50:02 <zkis> q-
11:50:54 <zkis> KA: we need more details about the implementation, service ports etc
11:51:06 <zkis> MMC: we could include those in the management API
11:51:31 <zkis> q+
11:52:04 <zkis> KA: we don't have impl for DiD for Scripting, but wanted to raise the possibility to use it
11:52:17 <zkis> MMC: we will discuss it more deeply
11:52:24 <zkis> ... a bit too early at the moment
11:52:40 <kaz> s/we don't/also we don't/
11:52:54 <kaz> s/use it/use it as well (for v2 specs)
11:53:17 <kaz> ack kaz
11:53:18 <zkis> OP: we should differentiate between instance specific information and generic information that could apply to multiple instances
11:53:34 <zkis> q-
11:54:01 <zkis> OP: we need a well understood catalog of security scheme names
11:54:10 <zkis> ... without any instance specific information
11:54:26 <zkis> ... based on these 2 assumptions we could solve it
11:54:46 <zkis> CA: we have a sort of catalog
11:55:20 <zkis> ... in the Thing Model definition
11:55:51 <zkis> ... so we are not too far
11:56:25 <zkis> (link)
11:56:51 <zkis> OP: what is the difference between security scheme vocabulary and name?
11:57:11 <kaz> s|(link)|-> https://w3c.github.io/wot-thing-description/#sec-security-vocabulary-definition Thing Description Editor's draft - 5.3.3 Security Vocabulary Definitions|
11:57:28 <zkis> MMC: the set of labels are clear
11:58:34 <zkis> ZK: the TD spec is missing on how to generate a TD, we'd need that as well
11:58:38 <kaz> s/Thing Model/Thing Description's information model/
11:58:49 <zkis> MMC: we could have multiple levels of scripting
11:59:10 <zkis> ... setup would be done by different roles
11:59:22 <zkis> ... programming by another role
12:00:37 <zkis> MMC: when generating a TD from a script we have 2 stages, one is configuration and the other is selecting
12:02:48 <zkis> ZK: we need full code examples to figure out what/how to standardize
12:02:52 <zkis> CA: I can provide that
12:02:55 <dape> -> https://github.com/w3c/wot-scripting-api/issues/299
12:03:01 <zkis> MMC: we could comment in the issue
12:03:29 <zkis> q?
12:04:17 <zkis> MMC: we need to list/update the management API requirements
12:06:09 <zkis> MMC: let's figure out a minimal API fulfilling those
12:06:19 <zkis> CA: yes, we need subsets
12:06:29 <kaz> zakim, who is on the call?
12:06:29 <Zakim> Present: Kaz_Ashimura, Daniel_Peintner, Cristiano_Aguzzi, Michael_McCool, Zoltan_Kis, Eena_Reshetova, Oliver_Pfaff, Tomoaki_Mizushima
12:06:45 <kaz> present- Eena_Reshetova
12:06:50 <kaz> present+ Elena_Reshetova
12:07:07 <citrullin> citrullin has joined #wot-script
12:07:15 <kaz> present+ Philipp_Blum
12:07:25 <kaz> rrsagent, make log public
12:07:30 <kaz> rrsagent, draft minutes
12:07:30 <RRSAgent> I have made the request to generate https://www.w3.org/2021/04/26-wot-script-minutes.html kaz
12:07:45 <zkis> adjourned
12:08:02 <kaz> Chair: Daniel
12:08:05 <kaz> rrsagent, draft minutes
12:08:05 <RRSAgent> I have made the request to generate https://www.w3.org/2021/04/26-wot-script-minutes.html kaz
12:08:53 <Mizushima> Mizushima has left #wot-script
12:11:26 <zkis2> zkis2 has joined #wot-script
14:10:04 <Zakim> Zakim has left #wot-script
14:57:35 <zkis> zkis has joined #wot-script
17:08:40 <zkis> zkis has joined #wot-script
20:57:33 <zkis> zkis has joined #wot-script