24 May 2021


Kaz Ashimura, Michael McCool, Philipp Blum, Tomoaki Mizushima

WoT Security Best Practices

wot-security-best-practices Issue 9 - Publish as a Note

Kaz: we've never published the document as an official group Note

McCool: for consistency with the GitHub repo's name, we should use "wot-security-best-practices" as the shortname

Philipp: makes sense

Kaz: right

McCool adds comments on Issue 9

McCool: (adds "Call for Resolution to publish update" for Security and Privacy within the June vF2F agenda)

Proposed Topics section of the vF2F wiki

another comment on the planning, on Issue 9

McCool: we need to do some general clean up for the draft

wot-security-best-practices ED

McCool: (creates a new issue on secure transport)

wot-security-best-practices Issue 13 - Update Security Transport

McCool: need to talk with Ben about what best practice makes sense here
… we basically recommend OAuth2 flow
… (adds some more comments to Issue 5 as well)

wot-security-best-practices Issue 5 - Recommended OAuth2 flows

McCool: Section 2.1 of the Best Practices document describes the OAuth2 Flows

2.1 OAuth2 Flows

McCool: (creates another Issue on TD Signatures)

wot-security-best-practices Issue 14 - TD Signatures

McCool: in general, the "object security" section is troublesome since we have no direct experience implementing a system with it
… so maybe we should just remove this section for now...

4. Object Security

Kaz: we can leave it as is and add an Editor's Note for the publication of the group Note

McCool: yeah

Philipp: (also like that idea)

McCool: regarding the section "7. Summary"
… currently it's empty

wot-security-best-practices Issue 15 - Add or Remove Summary Section

McCool: and we should expand the Acknowledgements section

wot-security-best-practices Issue 16 - Expand Acknowledgements

McCool: we're not ready to publish the document yet
… it needs more improvement
… (adds some more comments to Issue 5 again)

McCool's new comments for Issue 5

McCool: Move the current OAuth2 review into an appendix
… Pull out the pseudo-RFC2119 recommendations into the main body and reword as necessary...
… (and then make the "call for resolution" for security during vF2F to "initial call for resolution")

Security and Privacy topics within the Proposed Topics section on the vF2F wiki

McCool: would like to see what the acceptable practices for secure transport are
