IRC log of wot-sec on 2021-04-19
Timestamps are in UTC.
- 12:02:21 [RRSAgent]
- RRSAgent has joined #wot-sec
- 12:02:21 [RRSAgent]
- logging to https://www.w3.org/2021/04/19-wot-sec-irc
- 12:02:28 [kaz]
- meeting: WoT Security
- 12:02:51 [kaz]
- present+ Kaz_Ashimura, Michael_McCool, Philipp_Blum, Zoltan_Kis
- 12:03:31 [zkis]
- https://github.com/w3c/wot-scripting-api/issues/315
- 12:03:49 [zkis]
- https://github.com/w3c/wot-scripting-api/issues/314
- 12:08:49 [citrullin]
- present+ Tomoaki_Mizushima
- 12:09:22 [citrullin]
- Zakim, who is here?
- 12:09:22 [Zakim]
- Present: Kaz_Ashimura, Michael_McCool, Philipp_Blum, Zoltan_Kis, Tomoaki_Mizushima
- 12:09:25 [Zakim]
- On IRC I see RRSAgent, Zakim, Mizushima, citrullin, McCool, zkis, kaz
- 12:10:07 [kaz]
- present- Zoltan_Kis
- 12:12:43 [kaz]
- scribenick: citrullin
- 12:13:14 [citrullin]
- topic: Joint call with scripting
- 12:13:47 [citrullin]
- mm: We could have a joint call for two hours. But let's take a look into the topics first.
- 12:14:03 [citrullin]
- Security TaskForce related issues -> https://github.com/w3c/wot-scripting-api/issues/315
- 12:14:18 [citrullin]
- Discovery TaskForce related issues -> https://github.com/w3c/wot-scripting-api/issues/314
- 12:15:55 [citrullin]
- mm: I guess we should comment on the issue about what we have to deal with.
- 12:16:53 [citrullin]
- mm adds a note into the security wiki. Logistics still under discussion.
- 12:18:19 [citrullin]
- topic: Canonicalization and signing
- 12:18:54 [citrullin]
- mm: The problem with canonicalization is default values.
- 12:19:33 [citrullin]
- ... the preprocessor may fill in the default values if they are not given.
- 12:21:58 [citrullin]
- ... The solution: Limiting proof.
- 12:25:38 [citrullin]
- mm adds a comment to the wiki regarding this issue.
- 12:27:20 [citrullin]
- pb: There should be an issue for it, so that we can think about it more in detail.
- 12:29:08 [citrullin]
- topic: Object security
- 12:29:33 [citrullin]
- Consider how to support object security -> https://github.com/w3c/wot-security/issues/185
- 12:30:10 [citrullin]
- mm: .local domains are problematic to secure.
- 12:31:11 [citrullin]
- ... there is still information that can get leaked, even if the body is encrypted. Query parameters, for example.
- 12:33:28 [citrullin]
- pb: We may be able to use DIDs here and store the related keys etc., attached to the DID, in a DLT.
- 12:33:51 [McCool]
- https://tools.ietf.org/html/rfc7165
- 12:33:53 [citrullin]
- mm: We don't have experience with that and it probably takes too much time to get this experience.
- 12:33:55 [kaz]
- q+
- 12:35:26 [citrullin]
- Kaz: I agree that we might want to use DID for that. But I agree that it takes too much.
- 12:37:04 [citrullin]
- mm: There is a way to distribute keys via DID. But this goes beyond IoT.
- 12:39:15 [citrullin]
- pb: Newer versions of HTTP allow encryption of headers. Not sure about queries though.
- 12:40:05 [citrullin]
- mm: TLS relies on global domains. And that doesn't work in .local.
- 12:40:53 [citrullin]
- ... for now we have to allow HTTP for discovery.
- 12:43:37 [citrullin]
- pb: So we might have to say in the best practices: if you want to have object security, you should put the queries into the body.
- 12:45:43 [citrullin]
- mm: Problem is that discovery supports queries in the URL and therefore they cannot get encrypted. SPARQL on the other hand allows the queries in the body.
- 12:46:35 [McCool]
- https://krellian.com/
- 12:47:48 [citrullin]
- topic: OAuth2 flows
- 12:49:22 [citrullin]
- pb: I think we can remove the submitter etc.
- 12:49:34 [citrullin]
- mm: Yes, there are some things which can get simplified and removed.
- 12:50:27 [citrullin]
- ... have you made a PR for the use-case document?
- 12:51:01 [citrullin]
- pb: No, I haven't. We should talk with Michael Lagally first, I think.
- 12:55:25 [citrullin]
- OAuth2 flow issue -> https://github.com/w3c/wot-security/issues/194
- 12:55:43 [citrullin]
- OAuth2 flow PR -> https://github.com/w3c/wot-security-best-practices/pull/10
- 12:56:03 [kaz]
- -> https://github.com/w3c/wot-security-best-practices/pull/10 wot-security-best-practices PR 10 - Move oAuth2 flow from usecases to security-best-practices
- 12:56:19 [kaz]
- q+
- 12:58:07 [kaz]
- ack k
- 12:58:54 [kaz]
- kaz: please note the default branch for the wot-security-best-practices repo has also been renamed to "main"
- 12:59:13 [kaz]
- s/oAuth 2/OAuth2/
- 12:59:44 [kaz]
- i/please/scribenick: kaz/
- 12:59:56 [kaz]
- [adjourned]
- 13:00:10 [kaz]
- rrsagent, draft minutes
- 13:00:10 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/04/19-wot-sec-minutes.html kaz
- 13:00:36 [kaz]
- rrsagent, make log public
- 13:00:37 [kaz]
- rrsagent, draft minutes
- 13:00:37 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/04/19-wot-sec-minutes.html kaz
- 13:00:55 [kaz]
- Chair: McCool
- 13:00:56 [kaz]
- rrsagent, draft minutes
- 13:00:56 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/04/19-wot-sec-minutes.html kaz