WoT Security

17 May 2021


Kaz_Ashimura, Michael_McCool, Oliver_Pfaff, Philipp_Blum, Tomoaki_Mizushima

Meeting minutes


McCool: wording change needed for TD Issue 940

<McCool> for example, LDS might choose to use full URLs for JSON-LD canonical form, which would be problematic for us

McCool: wording change needed in Signature section (attribute comment about Lagally action to OAuth)

<McCool> change "Michael Lagally will look into those points" to "Regarding moving the detailed OAuth2 description and recommendations to the security best practices document, I will follow up with Michael Lagally"

McCool: change for Signature section was reconsidered: remove the line about the above mentioned action

McCool: one more wording change needed for TD Issue 940

McCool: minutes approved with the mentioned changes

TD Issue 940

https://github.com/w3c/wot-thing-description/issues/940 wot-thing-description issue 940 - Add optional proof section to TDs

<kaz> McCool's comment to the strategy issue 262

<kaz> McCool's issue on lds-wg-charter - W3C Web of Things (WoT) WG supports the W3C LDS WG

https://github.com/w3c/wot-thing-description/issues/940: W3C LDS WG adoption was considered and likely to happen

https://github.com/w3c/wot-thing-description/issues/940: timeline is an issue. W3C LDS WG probably needs 2 years; TD signatures can probably not wait 2 years

https://github.com/w3c/wot-security/issues/166: discussion about ciphers. Current proposal: SHA256 and ECDSA

https://github.com/w3c/wot-security/issues/166: "ECDSA" was meant in sense of the NIST curves (secp)

https://github.com/w3c/wot-security/issues/166: NIST curves enjoy broad support (SW/FW/HW) but are subject to some concerns. Not all communities are equally happy with the NIST curves

An alternative is Curve25519 aka x25519. See https://ianix.com/pub/curve25519-deployment.html for "Things that use Curve25519"

https://github.com/w3c/wot-security/issues/166: likely starting points for elliptic curves for digital signatures: NIST P-256 and x25519

https://github.com/w3c/wot-security/issues/168: Use case questionnaire status review

https://github.com/w3c/wot-security/issues/166: review and comments by all participants are invited

<McCool> https://github.com/w3c/wot-security-best-practices/pulls

WoT security best practices: discussed a PR "Move OAuth2 flows from Use Cases to Best Practices"

A merger shall be made to cover this PR

<McCool> https://github.com/w3c/wot-security-best-practices/issues/11

Meeting closed

