Meeting minutes
Minutes
<kaz> Feb-20
Logistics
McCool: I am going to archive all links; any objections?
(no objection)
Profile issues
<kaz> Profile issues related to security
Issue 224
wot-profile issue 224 - subscribeallevents security requirements
(Summary of the issue)
McCool: it makes sense to use a different identity for different authorization
McCool: let's focus on subscribeallevents first
Jiye: I agree with the comment. It would be better to use OAuth2 or bearer tokens than multiple accounts
McCool: having multiple accounts, like admin and user accounts, can give different levels of authorization
Jiye: yes, but it's not good to have that for IoT devices; the IoT devices have to maintain a way to do authorization
Jiye: the first two things (in bold) are clear, but for the last one, where a user account is created, where is the information stored, like whether the user is an admin or a user?
McCool: a password-based approach should be used for only a limited number of users.
Issue 222
<kaz> Issue 222 - Security Requirements for WebHook Consumer
(talking about Webhook)
McCool: It's difficult to simply adopt OpenID SSF as it has certain format requirements
… Cloud Events even talks about payload, and there are different specs; it has a good summary of webhooks. What we could do is just adopt this spec, but the problem is we need a particular signature algorithm
… in addition, it has authorization using OAuth2 bearer tokens
Jiye: Regarding the comments about Cloud Events, we can discuss it once more
WoT Security PRs
Jan: there are PRs I made; if you have time to review them, it would be good to get reviews
<kaz> [adjourned]