W3C

- DRAFT -

WoT Security

25 May 2020

Attendees

Present
Kaz_Ashimura, Michael_McCool, Oliver_Pfaff, Zoltan_Kis, Cristiano_Aguzzi, Daniel_Peintner, Michael_Lagally, Tomoaki_Mizushima, David_Ezell
Regrets
Elena_Reshetova
Chair
McCool
Scribe
zkis


<kaz> scribenick: zkis

past minutes

May 18 minutes and May 4 minutes to be reviewed

<kaz> May-18

McCool: any objections accepting these?

accepted

<kaz> May-4

<inserted> (typos within May-4 minutes are fixed; and approved)

PRs

<McCool> https://github.com/w3c/wot-security/pull/175

[past minutes accepted]

<McCool> https://github.com/w3c/wot-security/pull/176

Oliver: one of these is obsolete

McCool: we can add direct references, but we should instead add references to ReSpec

Zoltan: that is right

McCool: we could accept this but later move references from localBiblio to ReSpec references

https://www.specref.org/

McCool: we should have (linked) terms for User Data etc
... some issues about citing references
... maybe merge this and fix it in a separate PR?

Oliver: OK

Lagally: should respect the style guide for W3C docs
... about the specific term User Data - should we define that in the Architecture doc?

McCool: create an issue for that

Lagally: we also need a definition for that

McCool: Elena maybe, or I could look into it
... merging into the Working branch for now

<McCool> Manual of Style

OAuth2 issue in Scripting

https://github.com/w3c/wot-scripting-api/issues/214

McCool: to make sure all flows are implemented

<McCool> https://github.com/w3c/wot-security/issues/173

McCool: we need to read into the OAuth spec
... Cristiano and Daniel are involved, please drive through

Cristiano: presents https://github.com/w3c/wot-scripting-api/issues/214
... user needs to do manual login
... how to put that flow in node-wot
... problem: only possible if the script runs in the browser
... this defines the context for this issue
... we need to decide how to handle the interaction between the user and runtime
... then, if it happens transparently or not
... and which way, e.g. with an init function?
... MM suggested solving the issue at protocol level

<mlagally> [Here's the terminology issue for the architecture specification: https://github.com/w3c/wot-architecture/issues/508]

Cristiano: the user could be represented by service, but never seen this flow code implemented by others

McCool: we don't necessarily need to add the flow to browser, it could be a user agent, possibly a very simple one
... the question is if the device is a server, should we use a web dashboard or what?
... for each flow we need a use case; state reasons when we don't support them

Cristiano: ok
... where are the use cases posted?

McCool is adding a comment to https://github.com/w3c/wot-scripting-api/issues/214

<dape> code flow mentioned in TD, see https://w3c.github.io/wot-thing-description/#oauth2securityscheme

Lagally: use cases are collected in the Architecture task force
... the OAuth scenario matches several domains and scenarios
... we should document these flows somewhere we can reference them from

Oliver: we should not try to use OAuth flow for everything but check which use cases correlate to which flows
... there is server, resource server and caller (browser or app)
... if we replace the resource server with an IoT device, it's (?)
... if we replace the caller, then (?)
... if we look at the auth flow and matching people with devices won't work

Cristiano: agree on that

McCool: TD describes resources available on the device

Zoltan: we really need the use cases defined, I am not convinced the human user should be involved in the flows

McCool: right - assuming we need to support the human user flow

Oliver: the OAuth spec is quite implicit, not explicit, about whether it is a human user

Cristiano: yes, I also found it unclear
... every other owner interprets that it's the user

Zoltan: we have 2 options: solving it with provisioning, or solving it with a UI, depending on who the provider is

McCool: include this in the lifecycle and onboarding topic

Cristiano: the problem is when the token provider says they are expired, then we need to involve the resource owner

Zoltan: there could be an error in that case, either at the end user, or at the provider's management system

McCool: or do automatic refreshing of tokens
... which is anyway a good security practice

McCool captured some comments in the github issue

McCool: we have several possibilities ahead: 1. we need to capture the various use cases
... for instance as an md file
... create a use case in...

Lagally: the Architecture repo, please

McCool is creating a new use case in Architecture.

(link to commit)

McCool: next step is to create PRs based on this

Cristiano: I could do that

McCool: discussing the Invited Expert status of Cristiano

Cristiano: there are issues/questions about that

McCool: will work with Kaz for the procedure
... AOB?

[adjourned]

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl
$Date: 2020/05/28 13:35:26 $