- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Thu, 10 Mar 2016 22:01:59 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>
- Message-ID: <CAJ8iq9Vh3yNS=H7dEBGfohtfppq9vU1q=zn0CAZO5mc1DCuNOg@mail.gmail.com>
available at:
https://www.w3.org/2016/03/10-wot-sp-minutes.html
also as text below.
The next TF-SP call will be held on April 7th.
Thanks,
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
Security task force
10 Mar 2016
[2]Agenda
[2]
https://lists.w3.org/Archives/Public/public-wot-ig/2016Mar/0013.html
See also: [3]IRC log
[3] http://www.w3.org/2016/03/10-wot-sp-irc
Attendees
Present
Kaz, Dave, Oliver, Sebastian, Yingying,
Sebastian_Kaebisch
Regrets
Chair
Oliver
Scribe
kaz
Contents
* [4]Topics
1. [5]how to re-energize the security/privacy work
2. [6]Landscape document
3. [7]Current practice document
4. [8]F2F, Plugfest in Montreal
5. [9]Charter items
* [10]Summary of Action Items
* [11]Summary of Resolutions
__________________________________________________________
how to re-energize the security/privacy work
(brain storming)
kaz: TV Control API CG has started their phase 2 work
... and interested in security/privacy
... so far they're thinking about collaboration with the
Automotive group
... but collaboration with this WoT-SP would also make sense
oliver: ok. let me know about their opinions, etc.
... we should be able to respond to them
... there is already public information
... so we can show it to them
Landscape document
-> [12]http://w3c.github.io/wot/landscape.html Landscape
document on GitHub
[12] http://w3c.github.io/wot/landscape.html
oliver: sharing the document on the webex
... not updating for a while
Current practice document
-> [13]http://w3c.github.io/wot/current-practices/wot-practices.html#security-considerations-1 Security consideration for AP from the Current Practice document
[13]
http://w3c.github.io/wot/current-practices/wot-practices.html#security-considerations-1
oliver: question to Sebastian
sebastian: updating the TD section
... what kind of security portion should be considered?
... to get access for resources
... what kind of security token for server?
... discussion using email
... first idea
... will talk during the TD call next week as well
... one part is how would the security information be provided?
... how to interact with services?
... how we can protect TD itself?
... interesting issues to consider
oliver: the second one is more important
... it's design work
... protect TD
... my recommendation is accessing things should be the
priority
... wrapper for things
... would suggest prioritize that
... and could think about other topics later
... skimming the document
... explaining the problems
... not yet have information from the email exchanges
... showing "Protecting TD Objects" section
... the second part is more important
... "Describing prerequisites for accessing things"
... would be the fundamental work
sebastian: ok. will do.
oliver: 3.2.3 Security Considerations
... not giving the answer yet
... need more coverage
... maybe need to talk with Johannes
sebastian: will do that too.
F2F, Plugfest in Montreal
oliver: we've been taking care of security as well for our
plugfest
... e.g., in Nice
... would have same features in Montreal as well
... plan to offer an extension
... probably could provide something in June
sebastian: in Nice we already had security scenario
... but security description was not used within the Thing
Description
... we need security description within TD
... the point is small change in TD
... additional features
... how about that?
oliver: could be done
... 2 issues
... we have server-side component
... don't require to change that part
... how to document?
... timing issue
... the other thing is
... error response from the server
... natural approach would be rewrite the description
... client should understand the security token
... the second step is putting that into TD
... but not enough time to do really fundamental things
... but would be welcome if you try
... for Montreal, could display security
... not as abstract but concrete Thing Description
sebastian: not involved in the security plugfest so far
... panasonic made much effort
... security and communication
... maybe I should check that beforehand
oliver: light-weight way for prototype in non-normative way
... prototype object as a part
... next discussion would be how to create automatic sessions
... would make a display object
... logic by a state management engine
... can be done by the Montreal meeting
... BTW, I can't make my travel for the Montreal meeting...
... I could prepare for those topics including the state engine
... and could offer information to TD and AP
sebastian: sounds like a good idea
oliver: we should try to define
... that's all from my side for the Montreal meeting
Charter items
-> [14]https://github.com/w3c/wot/blob/master/WG/wot-wg-items.md Charter items
[14] https://github.com/w3c/wot/blob/master/WG/wot-wg-items.md
<dsr> draft charter (viewable in browser)
[15]https://w3c.github.io/charter-drafts/wot-wg-2016.html
[15] https://w3c.github.io/charter-drafts/wot-wg-2016.html
kaz: Dave has created an HTML version above
oliver: two sections for security
... 1.1 Thing Descriptions
... the second bullet is on security
... and 1.2 Scripting APIs
... the second bullet again is on security
... where to add security portion?
dsr: we have to define deliverables
... and put more details
... mentioned during the AP call yesterday as well
... need information on prototype implementations
... also proof-of-concepts
... to justify the need for this work
... and convince corporate managers
... we have architecture document and current practice document
oliver: it would make more sense to extend the best practice
document?
... what should be the starting point?
... also would be difficult to work for the following weeks due
to vacation...
dsr: explains the importance of additional information
oliver: was in contact with vendors
... solid foundation than having paper only
... would go into the best practice document
... there are technologies there
... would suggest we update the best practice document
... elaborate the text
dsr: we have focus on some specific technology
... not sure in terms of text for the charter
... we have references
... on the GitHub site
... could add links to the architecture/current practice
documents
oliver: alright
dsr: there is a bullet point mentioning privacy policies, access
control, etc.
... linked data vocabulary might be too ambitious for
short-term
... we need to clarify
... we have to explain that
oliver: alright
... don't think "trust assertions" are too far away
... but we need to have components for security
... we have had some of them during plugfest demos
... would suggest we continue discussion using emails
dsr: ok
oliver: action item on trust assertions
... that's all for today from my viewpoint
... anything else to talk today?
(none)
oliver: a couple of follow-ups to do
... next call will be April 7th
... meaning no call on March 24th
[ adjourned ]
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [16]scribe.perl version
1.144 ([17]CVS log)
$Date: 2016/03/10 12:58:30 $
[16] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[17] http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 10 March 2016 13:03:11 UTC