<inserted> scribenick: kaz
mccool: any update on lifecycle?
... updates the agenda
<scribe> scribenick: mjkoster
mccool: update action items:
decided to create a security metadata strawman
... objections to accepting minutes?
(none)
PR #63: initial text for lifecycle
https://github.com/w3c/wot-security/pull/63
discuss moving to Architecture document
<inserted> (pr 63 merged)
PR #74: metadata PR
https://github.com/w3c/wot-security/pull/74
mccool: several things above the example TD
... adding security to the base TD
... what if different interactions need different security?
... array of named configurations in the base document
... can refer to a named configuration in a form or describe a configuration in the form
... the example uses different security for reads vs. writes
... writes need an additional API key
+ { + "href": "coaps://mylamp.example.com:5683/status", + "mediaType": "application/json", + "method": "coap:post", + "security": ["ocf-config","apikey-config"] + }, +
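Review bot: the form's `"security": ["ocf-config","apikey-config"]` references two named configurations by identifier, but neither is defined in this hunk; the PR text should state that these names must resolve to entries in the base TD's `security` array (as discussed above) and what a consumer should do with a name that does not resolve, otherwise the write form silently loses its additional API-key requirement.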
mccool: no security is also allowed
elena: are there examples of what some of the security bindings would look like?
mccool: for example, OCF is a collection of mechanisms
... the OCF tag would be a tag for all of the metadata
elena: how would you identify the specific set of credentials needed
mccool: it's not represented now
... there is just one scheme with OCF
... it is a sub-scheme of a general type of authorization
... not quite figured out the structure of what is under what, e.g. bearer token
... all of the relations are not well identified yet
... there is currently identifier and scheme
... scheme and schema are unfortunately similar names and could introduce confusion
elena: still having trouble seeing the end to end flow, where do the credentials come from and do we need to describe that?
mccool: not sure how it works in OCF, like is there an AS?
zoltan: it is solution-specific in OCF
elena: probably need to provide a URL
mccool: is it an interoperability problem?
zoltan: still working on it in OCF
mccool: maybe discuss at the OCF meeting
... Kerberos style seems to be common
... describes high-level Kerberos protocol with AS, token, refresh...
... also need to incorporate OAuth flow
<kaz> [[ "security": ["basic-config","apikey-config"] ]]
[[
"security": [{
"@id": "token-config",
"type": "token",
"scheme": "bearer",
"alg": "ES256",
"as": "https://plugfest.thingweb.io:8443/"
}],
]]
[[
"security": [{
"@id": "proxy-config",
"type": "http-proxy",
"scheme": "basic",
"href": "http://plugfest.thingweb.io:8087"
}],
]]
mccool: updated examples
... proxy has a secondary auth scheme
... use both schemes together
<kaz> Matthias' comment within issue 73
mccool: OCF has ACLs that provide access control for read vs. write
... 2 design choices for OCF
<kaz> (currently [[ "writable": false, ]] in the TD Example)
mccool: can query the device for its metadata
... or configure the security state machine using a protocol binding form construct
zoltan: 1st stage use device specific driver, 2nd stage look at a metadata approach
mccool: agree
... looking at OAuth2 flows
... OpenID Connect is user oriented
... not sure user ID stuff belongs in TD
... there are some experimental features to add to TD, we may need a way to identify experimental features
... what should we do on this PR?
<kaz> security metadata strawman pr
<McCool> https://github.com/mmccool/wot-security/blob/mechanisms/wot-security-metadata.md
mccool: make a set of github issues for discussion and try to organize a session at the F2F
elena: have TD present for the discussion
mccool: hoping for a single track discussion
... plugfest wiki page
<kaz> f2f input
mccool: add another topic for the F2F to discuss security metadata vocabulary
... what about priorities for the discussion at the F2F?
... #1 is life cycle
... metadata is important
... validation, use cases
... (marking up the Wiki page with priority numbers)
... prioritize the metadata work
... over the publication schedule for the next update of the security WG note
... the metadata has implementation dependencies
mccool: TD, scripting, protocol binding
... we need to discuss in the context of life cycle
elena: what is node-wot?
zoltan: nodejs implementation of web of things
mccool: open source implementation
https://github.com/thingweb/node-wot
mccool: examples are there in the repo
... other information is needed for usage and setup
... out of time
... next week, review scripting API
... 2 more meetings before the F2F
... can anyone do analysis of TD and protocol bindings for security?
elena: plan for scripting API discussion in 2 weeks
mccool: next week, review metadata and TD security
... make early draft of the F2F schedule by next week
... AOB?
... adjourned