13:06:08 RRSAgent has joined #wot-sec
13:06:08 logging to https://www.w3.org/2021/12/06-wot-sec-irc
13:06:14 meeting: WoT Security
13:06:33 present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
13:06:50 present+ Tomoaki_Mizushima
13:07:36 jiye has joined #wot-sec
13:08:06 mm: a test comment
13:08:20 ... and it goes on
13:08:43 topic: this is a test topic
13:09:35 scribenick: kaz
13:10:23 Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#6_December_2021
13:11:04 topic: Logistics
13:11:16 mm: meeting cancellations
13:12:06 ... from the week of Dec 20 except the main call on Dec 22
13:12:25 ... regarding the Security call
13:13:09 ... Dec 20 and 27 will be cancelled due to the winter holidays
13:13:19 ... Jan 3 will also be cancelled
13:13:48 ... would like to go through issues today
13:13:58 ... let's look at the minutes first
13:14:02 topic: Minutes
13:14:08 -> https://www.w3.org/2021/11/29-wot-sec-minutes.html Nov-29
13:14:40 mm: (goes through the minutes)
13:16:28 ... "DTL" should be "DTLS"
13:15:56 ... "upcoming issues" should actually be "TD issues"
13:15:58 kaz: fixed
13:16:36 rrsagent, make log public
13:16:41 rrsagent, draft minutes
13:16:41 I have made the request to generate https://www.w3.org/2021/12/06-wot-sec-minutes.html kaz
13:18:02 zakim, who is on the call?
13:18:02 Present: Kaz_Ashimura, Michael_McCool, Jiye_Park, Tomoaki_Mizushima
13:18:10 present+ Philipp_Blum
13:19:09 citrullin has joined #wot-sec
13:20:39 (quick discussion on OAuth2 implementation)
13:22:05 topic: TD issues
13:22:43 subtopic: Issue 949
13:28:57 -> https://github.com/w3c/wot-thing-description/issues/949 TD Issue 949 - We need extension ontology to include implicit and password flows in OAuth2
13:22:54 mm: would see the TD 1.0 spec
13:24:24 -> https://www.w3.org/TR/wot-thing-description/#oauth2securityscheme TD 1.0 REC - 5.3.3.8 OAuth2SecurityScheme
13:24:38 pb: should keep backward compatibility
13:25:19 -> https://datatracker.ietf.org/doc/html/rfc8252 RFC8252 - OAuth 2.0 for Native Apps
13:25:54 mm: this (RFC8252) is a Best Current Practice by IETF
13:26:54 ... it says "the use of the Implicit Flow with native apps is NOT RECOMMENDED."
13:28:18 ... (adds comments to issue 949)
13:29:24 ... TD 1.0 document only explicitly mentions "code"
13:29:43 ... and uses "string" for the flow and gives "code" as an example
13:30:41 ... also cites RFC8252 which says "implicit is NOT RECOMMENDED"
13:31:23 ... so for TD 1.1, we can take the stance we're clarifying what is allowed and what is not
13:32:10 ... the bottom line is that the current TD 1.1 draft doesn't remove the code, so no conflict with the TD 1.0 spec
13:33:23 ... so think we're ok
13:35:37 ... don't think we want or need a normative ontology for implicit and password (if we did do it, we would have to test it, too).
13:33:37 ... what do you think?
13:33:59 kaz: we might want to ask the TAG and the Security group for advice during our wide reviews
13:36:50 jp: what is the expectation for the password?
13:37:16 mm: even if we just define a URL it opens a can of worms
13:37:46 ... since it would only be useful for brownfield devices that can't be updated
13:38:24 ... (adds some more comments)
13:39:01 ... TD 1.0 unfortunately doesn't have "client" but we agreed we can *add* flows and maintain compatibility
13:39:23 kaz: we can ask implementers for feedback
13:40:00 ... in any case, we need to ask the TAG and the security group for review during the Wide Review
13:40:26 mm: leave the current text alone, and don't define an ontology for implicit and password. Nothing to do here (except maybe delete an ed note if there is one) and this issue can be closed.
13:40:47 -> https://github.com/w3c/wot-thing-description/issues/949#issuecomment-986786771 McCool's comments
13:44:19 mm: (goes through the TD 1.1 draft)
13:44:32 -> https://w3c.github.io/wot-thing-description/#oauth2securityscheme TD 1.1 draft - 5.3.3.9 OAuth2SecurityScheme
13:45:09 mm: both the token and the endpoint should not have scope
13:45:19 ... not sure it's clear enough here
13:46:34 ... any comments?
13:47:27 jp: question about security vocabulary within TD spec in general
13:47:34 ... a bit confused here
13:47:44 ... combo security is a bit confusing
13:48:10 mm: "combo" itself is a security scheme
13:48:32 ... one example is proxy
13:48:39 ... and also endpoint mechanism
13:48:57 jp: what about "basic"?
13:49:19 mm: one of the orthogonal schemes
13:49:44 ... btw, currently security scheme is an array
13:50:15 ... we followed the notation of OpenAPI
13:50:53 ... at some point we may deprecate the notation and use only one value
13:51:01 ... and use combo to express combination
13:52:10 q+
13:52:26 ... we're asking for feedback on recursive use
13:52:44 jp: how to deal with encryption?
13:52:58 mm: the basic requirement is using HTTPS
13:53:32 ... we should say "SHOULD" for security mechanism for BasicSecurityScheme too
13:55:19 ... DigestSecurityScheme uses Digest Access Authentication
13:56:02 jp: which scheme uses TLS or not?
13:56:12 mm: can create an issue to clarify that
13:57:14 -> https://github.com/w3c/wot-thing-description/issues/1313 TD issue 1313 - add SHOULD assertion to security schemes that need TLS to be secure
13:58:10 q?
14:04:04 topic: AOB
14:03:21 mm: would like to go through the TD 1.1 document and see consistency
14:03:46 ... please give comments to me or create GitHub issues about your comments
14:04:08 [adjourned]
14:04:18 rrsagent, make log public
14:04:22 rrsagent, draft minutes
14:04:22 I have made the request to generate https://www.w3.org/2021/12/06-wot-sec-minutes.html kaz
15:58:28 Zakim has left #wot-sec
17:26:24 sebastian has joined #wot-sec
19:26:47 sebastian has joined #wot-sec