
[wot-security] minutes - 9 April 2018

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Tue, 17 Apr 2018 21:53:18 +0900
Message-ID: <CAJ8iq9WrfdsQ_EiQgtTXVpA-f_7wbqzxmkyGrb4M=Uo9NMkPXg@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2018/04/09-wot-sec-minutes.html

also as text below.

Thanks a lot for taking these minutes, Soumya!

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

09 Apr 2018

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Michael_Koster, Soumya_Kanti_Datta, Kazuaki_Nimura,
          Tomoaki_Mizushima, Barry_Leiba, Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          Soumya

Contents

     * [3]Topics
         1. [4]Previous minutes
         2. [5]NDSS paper
         3. [6]Pull requests
         4. [7]Planning
         5. [8]issues
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: Soumya

Previous minutes

   <McCool> [11]https://www.w3.org/2018/03/19-wot-sec-minutes.html

     [11] https://www.w3.org/2018/03/19-wot-sec-minutes.html

   mccool: talks about prev minutes
   ... shows the agenda
   ... accepts the minutes, no objections heard, minutes accepted.

NDSS paper

   mccool: note - tomorrow is the final deadline for NDSS paper
   ... already uploaded, 24 hour for any last min changes

   <McCool> [12]https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-diss-008.pdf

     [12] https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-diss-008.pdf

   mccool: overview of changes
   ... identify for things, brought up the issue in the paper,
   potential issues for privacy
   ... asks the participants to review
   ... discusses new additions to the wot-sec paper in NDSS
   workshops
   ... discussion on tokens for RBAC

   <Zakim> kaz, you wanted to wonder about the URLs for WoT drafts

   <kaz> ACTION: kaz to provide updated/correct URLs for the WoT
   drafts

Pull requests

   mccool: next topic is two PRs
   ... we have choice in order of acceptance
   ... quickly review the changes in security metadata
   ... merge as is

   elena: main doc will have lifecycle drawing from Matthias

   mccool: someone may have committed directly in master branch on
   lifecycle

   <kaz> [13]pullrequest 88

     [13] https://github.com/w3c/wot-security/pull/88

   mccool: need a common master, changes can be done later
   ... simple changes related to JSON LD 1.1
   ... discussing PR 88

   koster, mccool: discussion on authentication and authorization

   koster: Kerberos and openAPI follow diff things, have to be
   careful
   ... authorization is the correct term, when authentication
   comes - things might get complicated

   mccool: shows the changes in TD example regarding security
   metadata

   <McCool> [14]https://github.com/mmccool/wot-security/blob/f007a7309a6ac3aeb14f1200fc21a9b33c386038/wot-security-metadata.md

     [14] https://github.com/mmccool/wot-security/blob/f007a7309a6ac3aeb14f1200fc21a9b33c386038/wot-security-metadata.md

   mccool: token - highlight bearer or pop
   ... added that in metadata
   ... thinking about profile for admin, security configuration
   ... diff config for diff protocols
   ... not sure how to deal with that and scopes in case of oauth
   ... could give scope and lookup scope from a listing
   ... might be complicated

   elena: still can implement this, might not need it yet, not do
   anything about it yet

   mccool: syntax change to be addressed first
   ... then consider roles (if we need)

   elena: not sure how to define roles
   ... what types of roles make sense

   mccool: current example not ready for merging
   ... should be in line with new TD, need some cleaning
   ... would like to merge the other PR
   ... showing PR 87
   ... any objection from anyone?

   none heard

   mccool: merges it
   ... other PR is going on working branch

   <kaz> [15]pullrequest 87

     [15] https://github.com/w3c/wot-security/pull/87

Planning

   mccool: asks about any additional topic for 'what next?'

   barry gives IETF WG names TEEP, SUIT

   mccool: going into lifecycle
   ... matthias is creating a general version of lifecycle?

   elena: yes, adapt to that
   ... it was agreed in last f2f

   mccool: discuss more on next IG/WG call
   ... testing and validation
   ... created some notes on this
   ... asks barry to walk us through the ietf wgs
   ... request a security review from w3c sec group

   kaz points out that it is an IG

   mccool: need external security review but not yet there
   ... need a version ready to review
   ... need to start planning for next plugfest
   ... asks barry about IETF WGs

   barry: can write and post in the MLs
   ... teep is aimed at the idea that execution env in a device is
   divided into trusted and untrusted env. driven by ARM and Intel
   ... SUIT - keep software updated for IoT
   ... relationship b/w is - proposed in the same time and have
   some overlaps

   mccool: capture some writeup in a md file

   barry: agrees

   mccool: goes to testing and validation
   ... shows a github page for this
   ... penetration testing ...
   ... pick a suite that makes sense there
   ... sec review to be included

   elena: wot certified test suite?

   mccool: markup (must, should, may) and test suites
   ... go through normative specs, mark (must, should, may)
   ... testing ontologies (out of scope)

   <McCool> [16]initial testing content

     [16] https://github.com/w3c/wot/pull/439

   mccool: asks for review
   ... discuss more on wednesday

issues

   mccool: initial content for industrial infrastructure
   ... shows an issue

   <kaz> [17]issue 21

     [17] https://github.com/w3c/wot-security/issues/21

   mccool: try to capture requirements in an industrial use case

   mccool, elena discuss whether industrial is a strict superset of
   enterprise

   koster asks for the definition of industrial or enterprise

   mccool: looks at issue tracker

   elena: complete some pending tasks

   mccool: suggests creating a PR
   ... next time - retire some issues

   <kaz> [18]e.g., issue 65

     [18] https://github.com/w3c/wot-security/issues/65

   mccool: AOB?

   meeting adjourned ...

Summary of Action Items

   [NEW] ACTION: kaz to provide updated/correct URLs for the WoT
   drafts
   [NEW] ACTION: barry to provide information on 2 new IETF groups
   (TEEP, SUIT)
   [NEW] ACTION: mccool to talk with security guys about
   testing/validation timeline

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [19]scribe.perl version
    1.152 ([20]CVS log)
    $Date: 2018/04/17 12:48:38 $

     [19] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [20] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 17 April 2018 12:54:27 UTC
