W3C

- DRAFT -

WoT Security

05 Mar 2018

Attendees

Present
Kaz_Ashimura, Elena_Reshetova, Michael_Koster, Michael_McCool, Tomoaki_Mizushima, Barry_Leiba, Zoltan_Kis
Regrets
Chair
McCool
Scribe
kaz, mjkoster

<inserted> scribenick: kaz

agenda

mccool: any update on lifecycle?
... updates the agenda

<scribe> scribenick: mjkoster

review minutes

prev minutes

mccool: update action items: decided to create a security metadata strawman
... objections to accepting minutes?

(none)

review PRs

PR #63: initial text for lifecycle

https://github.com/w3c/wot-security/pull/63

discuss moving to Architecture document

<inserted> (pr 63 merged)

PR #74: metadata PR

https://github.com/w3c/wot-security/pull/74

mccool: Several things above the example TD
... adding security to the base TD
... what if different interactions need different security?
... array of named configurations in the base document
... can refer to a named configuration in a form or describe a configuration in the form
... the example uses different security for reads vs. writes
... writes need an additional API key

+ { + "href": "coaps://mylamp.example.com:5683/status", + "mediaType": "application/json", + "method": "coap:post", + "security": ["ocf-config","apikey-config"] + }, +
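Review bot: the form's "security": ["ocf-config","apikey-config"] refers to both configurations by name only, and the hunk does not show where either is defined; the PR text should state that every name listed in a form's security array must resolve to an entry in the Thing-level security array, and say what a consumer does when one does not (treat the form as unusable rather than falling back to the remaining configuration or to no security).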

mccool: no security is also allowed

elena: are there examples of what some of the security bindings would look like?

mccool: for example, OCF is a collection of mechanisms
... the OCF tag would be a tag for all of the metadata

elena: how would you identify the specific set of credentials needed

mccool: it's not represented now
... there is just one scheme with OCF
... it is a sub-scheme of a general type of authorization
... not quite figured out the structure of what is under what, e.g. bearer token
... all of the relations are not well identified yet
... there is currently identifier and scheme
... scheme and schema are unfortunately similar names and could introduce confusion

elena: still having trouble seeing the end to end flow, where do the credentials come from and do we need to describe that?

mccool: not sure how it works in OCF, like is there an AS?

zoltan: it is solution-specific in OCF

elena: probably need to provide a URL

mccool: is it an interoperability problem?

zoltan: still working on it in OCF

mccool: maybe discuss at the OCF meeting
... kerberos style seems to be common
... describes high level kerberos protocol with AS, token, refresh...
... also need to incorporate oauth flow

<kaz> [[ "security": ["basic-config","apikey-config"] ]]

[[
  "security": [{
    "@id": "token-config",
    "type": "token",
    "scheme": "bearer",
    "alg": "ES256",
    "as": "https://plugfest.thingweb.io:8443/"
  }],
]]

[[
  "security": [{
    "@id": "proxy-config",
    "type": "http-proxy",
    "scheme": "basic",
    "href": "http://plugfest.thingweb.io:8087"
  }],
]]

mccool: updated examples
... proxy has a secondary auth scheme
... use both schemes together

<kaz> Matthias' comment within issue 73

mccool: OCF has ACLs that provide access control for read vs. write
... 2 design choices for OCF

<kaz> (currently [[ "writable": false, ]] in the TD Example)

mccool: can query the device for its metadata
... or configure the security state machine using a protocol binding form construct

zoltan: 1st stage use device specific driver, 2nd stage look at a metadata approach

mccool: agree
... looking at oauth2 flows
... OpenID Connect is user oriented
... not sure user ID stuff belongs in TD
... there are some experimental features to add to TD, we may need a way to identify experimental features
... what should we do on this PR?

<kaz> security metadata strawman pr

<McCool> https://github.com/mmccool/wot-security/blob/mechanisms/wot-security-metadata.md

mccool: make a set of github issues for discussion and try to organize a session at the F2F

elena: have TD present for the discussion

mccool: hoping for a single track discussion
... plugfest wiki page

f2f wiki

<kaz> f2f input

mccool: add another topic for the F2F to discuss security metadata vocabulary
... what about priorities for the discussion at the F2F?
... #1 is life cycle
... metadata is important
... validation, use cases
... (marking up the Wiki page with priority numbers)
... prioritize the metadata work
... over the publication schedule to next update of the security WG note
... the metadata has implementation dependencies

security review of working group documents

mccool: TD, scripting, protocol binding
... we need to discuss in the context of life cycle

elena: what is node-wot?

zoltan: nodejs implementation of web of things

mccool: open source implementation

https://github.com/thingweb/node-wot

mccool: examples are there in the repo
... other information is needed for usage and setup
... out of time
... next week, review scripting API
... 2 more meetings before the F2F
... can anyone do analysis of TD and protocol bindings for security?

elena: plan for scripting API discussion in 2 weeks

mccool: next week, review metadata and TD security
... make early draft of the F2F schedule by next week
... AOB?
... adjourned

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/03/19 12:05:47 $