
[wot-security] minutes - 9 October 2017

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Tue, 17 Oct 2017 01:18:16 +0900
Message-ID: <CAJ8iq9Wqpn1JfPo3cBokFiWwzAKC92xQxOoa4SnoCFXHUdKMOQ@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2017/10/09-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                           WoT IG - Security

09 Oct 2017

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

   See also: [3]IRC log

      [3] http://www.w3.org/2017/10/09-wot-sec-irc

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Dave_Raggett,
          Elena_Reshetova, Zoltan_Kis, Soumya_Kanti_Datta,
          Tomoaki_Mizushima

   Regrets
   Chair
          McCool

   Scribe
          kaz

Contents

     * [4]Topics
         1. [5]Release Timeline (as a W3C Note)
         2. [6]Pull request
         3. [7]Issues
         4. [8]issue 34
         5. [9]Issue on privacy
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

Release Timeline (as a W3C Note)

   mccool: publication schedule
   ... this is a Note
   ... distinction on the state of the doc
   ... working version and release version

   kaz: add some clarification
   ... Sebastian clarified TD schedule at:
   [12]https://www.w3.org/WoT/IG/wiki/WG_WoT_Thing_Description_WebConf#Agenda
   ... but "Security&Privacy Considerations" is expected as a
   group Note
   ... so we should think about "1. First Public Note" and "2.
   updated Note(s)"

     [12] https://www.w3.org/WoT/IG/wiki/WG_WoT_Thing_Description_WebConf#Agenda

   mccool: would like to publish a first one before TPAC

   elena: when is TPAC?

   kaz: the week of Nov. 6

   mccool: would like to prepare the release candidate within 2
   weeks
   ... first draft for the FP Note in 2 weeks from now
   ... Oct. 24
   ... working -> master
   ... and W3C Note: Oct 31 roughly - ready for TPAC Nov 6
   ... (mm checks Elena's availability)
   ... 2nd draft: end of Dec
   ... Dec 19 (Tue)
   ... tentatively

   kaz: note on the automatic publication system

   mccool: after that: roughly every 2 months
   ... FYI, NDSS deadline Nov 14
   ... and the NDSS workshop Feb 18
   ... IEEE proposal was rejected
   ... I'll be making presentation and need your input for NDSS
   workshop
   ... (going back to the publication schedule)
   ... 3rd draft: early Feb

   elena: might be problematic to me

   mccool: 3rd draft: early Feb (e.g., Feb 15 for NDSS; Elena may
   not be available)
   ... (records the above in the wiki)

   <McCool> Release Timeline (W3C Note)
   First Draft - 2wks from now, Oct 24 (working -> master)
   W3C Note: FP Note (Oct 31 roughly) - ready for TPAC Nov 6
   Second draft: Dec 19 (Tues)
   Third draft: early Feb (eg Feb 15 for NDSS; Elena may not be
   available)
   After that: roughly every two months update

Pull request

   [13]https://github.com/w3c/wot-security/pull/30

     [13] https://github.com/w3c/wot-security/pull/30

Issues

   [14]https://github.com/w3c/wot-security/issues

     [14] https://github.com/w3c/wot-security/issues

   elena: submitted proposal for section 5
   ... agreement?
   ... seems there is some difference
   ... need to change the basic assumption?

   [15]Section 5

     [15] https://rawgit.com/w3c/wot-security/working/index.html#examples-of-wot-security-configurations

   elena: ok with this approach?

   mccool: as long as you're clear with the example, should be ok

   elena: referring to a couple of RFCs
   ... don't want to repeat the descriptions already done by
   others
   ... e.g., OCF

   mccool: architecture documents include similar things
   ... bunch of use cases
   ... maybe you could add links referring to the architecture
   document

   elena: might be a bit different set

   mccool: another point you mentioned is OCF
   ... WoT client can talk with an OCF device
   ... is there a case in which the device doesn't handle WoT TD?
   ... one possibility is a Thing itself provides TD
   ... or another Thing could provide the TD for the Thing

   elena: can add some description

   mccool: OK with this Editor's Note (Fill in the protocols)

   elena: any different configuration is important and to be
   described from a security viewpoint
   ... would like people to submit ideas

   mccool: we should proceed with some obvious scenarios
   ... not too much stuff
   ... in this scenario (Fig 3)
   ... what if we have a gateway
   ... there might be some additional security issue with, e.g.,
   caching
   ... need to expand the example to include other possible
   scenarios

   elena: btw, the cloud is cut off in Fig 5
   ... will work with section 5 tomorrow

   mccool: we should fix the figure references
   ... once you add links to the threats, take a look at the
   definition

   kaz: will we add links to the architecture doc from section 5?

   mccool: we should do so
   ... 1-to-1 link

   kaz: do you want to add an Editor's note on that?

   mccool: as appropriate
   ... (looks at the draft)
   ... starting with the section "1. Introduction"
   ... will add a link to the WoT Architecture document
   ... terminology section also should refer to the Architecture
   document
   ... still missing content for several sections

   elena: e.g., 4.2

   mccool: ok with those sections at the moment
   ... should add several abstract sentences, though
   ... OK for the first public Note
   ... might be going to fix up the formatting for the table
   ... to make it consistent
   ... let's go back to the issues

   [16]Issues

     [16] https://github.com/w3c/wot-security/issues

   mccool: Elena has done some edits

   [17]https://github.com/w3c/wot-security/issues/29

     [17] https://github.com/w3c/wot-security/issues/29

   mccool: we have bunch of things with the scenarios
   ... we've done the abstract

   [18]https://github.com/w3c/wot-security/issues/17

     [18] https://github.com/w3c/wot-security/issues/17

   [19]abstract

     [19] https://rawgit.com/w3c/wot-security/working/index.html#abstract

   mccool: the abstract is clean enough

   kaz: you'll add a link to the Architecture document, right?

   mccool: yes
   ... closes issue 17
   ... and create another issue "Align with Architecture document"

   [20]https://github.com/w3c/wot-security/issues/35

     [20] https://github.com/w3c/wot-security/issues/35

   mccool: would like to clean up the document for the first
   publication within 2 weeks

issue 34

   [21]issue 34

     [21] https://github.com/w3c/wot-security/issues/34

   dsr: using WebSocket for Eventing

   mccool: do you agree with Elena?

   Elena's question: Should we have a case for this explained in
   the "Examples of WoT security configurations" section of the
   security doc? Seems like a good logical place to describe this
   case and also talk about the measures

   dsr: yes

   elena: need to clarify concrete mechanism
   ... please add description and pictures if possible
   ... actual security mitigation, etc.

   dsr: wanted to stimulate the discussion

   mccool: willing to provide a concrete pull request?

   dsr: yes

   elena: possible new section 5.5

   mccool: what kind of figure? SVG?

   elena: please follow the examples from Matthias
   (wot-security/images)

   mccool: good to align with existing practices in this
   space

Issue on privacy

   mccool: would like to add another issue on privacy

   elena: we can add a separate section
   ... but still need to update the threat model section
   ... should add links to the points we need to consider

   kaz: possibly a guy from DAS WG who attended TPAC in Lisbon?

   soumya: can help as well

   mccool: (can't find Soumya on the list)
   ... who is the guy from DAS?

   kaz: will check and get back to you later

   mccool: updates the issue

   [22]Issue 36

     [22] https://github.com/w3c/wot-security/issues/36

   soumya: question on NDSS paper
   ... can join the effort as well

   mccool: tx

   soumya: we should have some template

   mccool: let's have discussion next week
   ... (adds a topic on that for the next meeting)

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [23]scribe.perl version
    1.152 ([24]CVS log)
    $Date: 2017/10/12 18:23:51 $

     [23] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [24] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 16 October 2017 16:19:26 UTC
