13:02:52 <RRSAgent> RRSAgent has joined #wot-sec
13:02:52 <RRSAgent> logging to https://www.w3.org/2021/11/29-wot-sec-irc
13:02:59 <citrullin> citrullin has joined #wot-sec
13:03:10 <kaz> meeting: WoT Security
13:03:16 <Mizushima> Mizushima has joined #wot-sec
13:03:31 <kaz> present+ Kaz_Ashimura, Cristiano_Aguzzi, Jiye_Park, Michael_McCool, Philipp_Blum
13:05:31 <kaz> Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#29_November_2021
13:06:02 <zkis> zkis has joined #wot-sec
13:07:06 <kaz> present+ Tomoaki_Mizushima
13:08:21 <McCool> McCool has joined #wot-sec
13:09:03 <cris_> cris_ has joined #wot-sec
13:09:18 <kaz> scribenick: cris_
13:09:37 <cris_> topic: minutes
13:10:07 <cris_> mc: we discuss local transport and onboarding
13:10:22 <cris_> ... we are heading to a conclusion
13:10:48 <cris_> ... we are working with on-going specs like TLS and DTL 1.3
13:10:53 <kaz> i|we discuss|-> https://www.w3.org/2021/11/22-wot-sec-minutes.html Nov-22|
13:11:16 <cris_> .. I was thinking that sec guidelines should be just meant for green field devices
13:11:54 <cris_> ... but it might be relevant also for brownfield devices that has security configuration parameters
13:12:26 <cris_> ... minutes looks good?
13:12:33 <cris_> ... ok approved
13:12:51 <cris_> topic: upcoming issues
13:13:08 <kaz> rrsagent, make log public
13:13:12 <kaz> rrsagent, draft minutes
13:13:12 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/29-wot-sec-minutes.html kaz
13:13:13 <cris_> mc: we should scan WoT repo for security issues
13:13:58 <cris_> ... I did this myself but I found that some of them were miss labeled ( they were assigned to me but they weren't labelled as security)
13:14:33 <cris_> ... in the current list of issues there's a set of issues related to canonicalization
13:14:48 <cris_> ... my advice is to move them to WoT 2.0
13:15:02 <cris_> ... it adds an extra burden to producers
13:15:37 <cris_> ... they are usually small devices, it might more sense to move the processing to more capable devices (i.e. consumers)
13:15:37 <kaz> i| we should scan|-> https://github.com/w3c/wot-thing-description/issues?q=is%3Aissue+is%3Aopen+label%3AV1.1+assignee%3Ammccool wot-thing-description issues marked as "V1.1" and assigned to McCool|
13:15:51 <kaz> s/WoT repo/WoT Thing Description repo/
13:16:05 <kaz> s/( they/(they/
13:16:10 <kaz> rrsagnet, draft minutes
13:16:16 <cris_> ... I created a PR for removing canonicalization in the TD
13:16:39 <cris_> ... we have to wait for a consensus before talking about it
13:16:46 <kaz> chair: McCool
13:17:12 <cris_> subtopic : issue 998
13:17:22 <cris_> mc: it should be already solved
13:18:09 <cris_> ... I found a PR that addressed the points
13:18:28 <kaz> i/in the/subtopic: Canonicalization/
13:18:31 <kaz> rrsagnet, draft minutes
13:18:47 <cris_> ... please take a look if the new text satisfy the issue
13:19:08 <cris_> subtopic: issue 953
13:19:41 <kaz> i|it should be|-> https://github.com/w3c/wot-thing-description/issues/998 wot-thing-description issue 998 - [security] API key and PSK security schemes are not referenced or explained|
13:20:00 <cris_> mc: we discussed a lot about the term to use for the authorization endpoint for oAuth 2.0 device flow
13:20:17 <cris_> ... I think we settle the discussion about adding a ediotor's note
13:20:31 <kaz> i|we discussed|-> https://github.com/w3c/wot-thing-description/issues/953 wot-thing-description issue 953 - For OAuth2 device flow, should we define a "device authorization" element?|
13:20:34 <kaz> rrsagnet, draft minutes
13:21:01 <kaz> s/rrsagnet, draft minutes//
13:21:07 <kaz> s/rrsagent, draft minutes//
13:21:15 <kaz> rrsagent, draft minutes
13:21:15 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/29-wot-sec-minutes.html kaz
13:21:41 <kaz> s/rrsagnet, draft minutes//
13:21:43 <kaz> rrsagent, draft minutes
13:21:43 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/29-wot-sec-minutes.html kaz
13:21:51 <cris_> ... adding device_athorization might make the text more complex
13:21:59 <kaz> s/rrsagnet, draft minutes//
13:22:01 <kaz> rrsagent, draft minutes
13:22:01 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/29-wot-sec-minutes.html kaz
13:22:47 <cris_> mc: I would remove the editor's note
13:22:58 <cris_> cris: I agree the text it is pretty clear
13:23:13 <kaz> s/subtopic: Canonicalization//
13:23:31 <kaz> i/in the current list of issues/subtopic: Canonicalization/
13:23:33 <kaz> rrsagent, draft minutes
13:23:33 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/29-wot-sec-minutes.html kaz
13:24:50 <cris_> cris: it might worth to refactor the OAuth2SecurityScheme in subclasses
13:25:43 <cris_> mc: true, but at the current state of the specification process we are just doing fix ups no major changes. I'd stick with the decision above
13:25:47 <cris_> +1
13:27:10 <cris_> subtopic: issue 949
13:27:54 <kaz> -> https://github.com/w3c/wot-thing-description/issues/949 wot-thing-description issue 949 - We need extension ontology to include implicit and password flows in OAuth2
13:27:57 <cris_> mc: we took out implicit and password flow because they are now deprecated. To use them now you have to use an extension vocabulary
13:28:53 <cris_> ... however, in 1.0 we *defined* those terms and removing them causes backwards incompatibility.
13:30:48 <cris_> cris: we are moving definitions out side our vocabulary, is this actually causing backwards compatibility problems?
13:31:37 <cris_> mc: consumers can understand both 1.0 and td 1.1 using the context URL. Therefore they will not have a problem
13:32:24 <cris_> ... for the spec I propose using a fixed URL extension
13:37:40 <cris_> mc: do you think that we need an ontology file for those not standard flows?
13:37:46 <cris_> cris: not strong opinion
13:38:55 <cris_> ... not sure if the implicit flow is used in IoT context
13:39:14 <cris_> philipp: true, maybe none of the flows is really supported nowadays
13:39:48 <cris_> mc: ok, my understanding is that an extension onotology is a nice-to-have but not essential.
13:41:05 <cris_> ... if we provide the ontology we need two implementations
13:41:26 <cris_> ... not sure if it is well spent time
13:41:43 <cris_> subtopic: issue 948
13:42:06 <cris_> mc: we have one example already
13:43:27 <kaz> i|we have|-> https://github.com/w3c/wot-thing-description/issues/948 wot-thing-description issue 948 - We need an OAuth2 example for TD 1.1|
13:43:57 <cris_> cris: I added examples for other flows, but not sure if we were asking to have more examples about code flow
13:44:09 <cris_> mc: I think that we just need examples for client flow
13:44:17 <cris_> ... code flow is not really useful
13:45:36 <cris_> ... my proposal is to change code to client
13:48:17 <cris_> ... and remove authorization endpoint
13:49:07 <cris_> ... we may add other flows but as optional (e.g. always together client flow)
13:53:24 <cris_> topic: security guidelines issue 5
13:54:02 <cris_> mc: reading cristiano's comment I agree, a solution might be to recommend to use two schemes.
13:56:15 <cris_> ... it is complicated therefore it might be good to put a good example
14:00:06 <kaz> i|reading cri|-> https://github.com/w3c/wot-security-best-practices/issues/5 wot-security-best-practices issue 5- Recommended OAuth2 flows|
14:00:40 <kaz> s/topic: se/subtopic: se/
14:00:49 <cris_> mc: aob?
14:01:04 <cris_> ... ok meet closed
14:01:08 <kaz> [adjourned]
14:01:15 <kaz> rrsagent, draft minutes
14:01:15 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/29-wot-sec-minutes.html kaz
15:30:12 <Zakim> Zakim has left #wot-sec