[wot-security] minutes - 6 August 2018

available at:
  https://www.w3.org/2018/08/06-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

06 Aug 2018

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Ryo_Kajiwara, Tomoaki_Mizushima, Kazuaki_Nimura,
          Michael_Koster, Barry_Leiba

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [3]Topics
         1. [4]Permissions workshop
         2. [5]Agenda
         3. [6]Review minutes from the lastmeeting
         4. [7]TD Update Review
         5. [8]Testing (Fuzz testing, DTLS)
         6. [9]Permissions workshop (revisited)
         7. [10]Best practices
         8. [11]Issues/PRs
         9. [12]Actions
     * [13]Summary of Action Items
     * [14]Summary of Resolutions
     __________________________________________________________

Permissions workshop

   McCool: any updates?

   Ryo: not submitted to GH but can explain my ideas

   Elena: background, etc., about the workshop?

   [15]Permissions WS CfP

     [15] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

   McCool: CfP above
   ... (creating a README.md for our position paper on McCool's GH
   repo)

Agenda

   McCool: previous minutes review
   ... permissions workshop
   ... TD update review
   ... planning, issues/PRs
   ... any comments on the agenda?

   Elena: new PR for the security scenario

   McCool: ok
   ... captured within the PR review

Review minutes from the last meeting

   [16]prev minutes

     [16] https://www.w3.org/2018/07/30-wot-sec-minutes.html

   McCool: skipped the f2f review
   ... (goes through the prev minutes)

   <inserted> (Barry joins)

   McCool: if any updates on DTLS, we can discuss that today
   ... (add that to the agenda for today)
   ... did these things...
   ... (goes through TD updates, actions, other issues, ...)
   ... there are bunch of actions here
   ... 1st ACTION: ongoing
   ... 2, 3, 4: we'll talk about these
   ... 5: need to do
   ... 6: no updates from Barry yet
   ... 8: not yet done
   ... comments?
   ... objections to accept the minutes?

   (no objections)

   McCool: ok. the minutes are accepted
   ... (goes through the updated agenda for today)


   * W3C Permissions Workshop
   * TD Update Review
   * Testing (Fuzz testing, DTLS)
   * Best practices (brainstorming)
   * Planning: next steps
   * Other issues and PRs
   * Other business
   ]]

TD Update Review

   [17]TD draft

     [17] https://w3c.github.io/wot-thing-description/

   [18]6.1.7 security

     [18] https://w3c.github.io/wot-thing-description/#security-serialization-json

   McCool: security mandated
   ... (goes through the examples)
   ... example 15, 16, 17
   ... fixed a bunch of things about security examples

   [19]pr 183

     [19] https://github.com/w3c/wot-thing-description/pull/183

   McCool: the bottom line is fixing all the examples
   ... PSKSecurityScheme, etc., to be fixed as well
   ... NoneSecurityScheme is bizarre

Testing (Fuzz testing, DTLS)

   McCool: (shows Elena's email)
   ... WoT Security testing

   Elena: security testing to be moved to validation part?

   McCool: is testing plan a separate document?
   ... the Charter says we produce a testing plan
   ... one big document including all the testing stuff
   ... all in one place

   Kaz: what kind of content for that?

   <inserted> policy? W3C WGs usually generate test planning
   document and test report for each spec, one by one

   Kaz: testing plan? policy?

   McCool: scripting api and TD
   ... logically one WG
   ... we could split up various pieces into various documents
   ... network interface testing

   Kaz: if that is a document on the testing infrastructure, that
   could be a single separate document

   McCool: we can have some discussion during the main call
   ... we can start with one document and split it up later

   Elena: mentions some idea on fuzz testing

   McCool: cites her message
   ... test suites available for example for HTTP
   ... probably CoAP need more work

   Elena: Scapy is recommended for HTTP, MQTT and CoAP
   ... I've not tried this yet

   [20]Scapy site

     [20] https://scapy.net/

   Elena: generates random input
   ... can try to study it

   McCool: it seems there is CoAP support as well
   ... do you want to create a PR for testing document?

   Elena: ok

Permissions workshop (revisited)

   [21]CfP

     [21] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

   McCool: only Kajiwara-san can make the workshop
   ... do you have any specific input?

   <ryo-k>
   [22]https://github.com/mmccool/w3c-permissions-2018/blob/master
   /0806-kajiwara-original-plans.txt

     [22] https://github.com/mmccool/w3c-permissions-2018/blob/master/0806-kajiwara-original-plans.txt

   Ryo: my proposal above
   ... medical prescription system
   ... access permission based on user consent
   ... my original intention was standardized way to manage that
   on the large scale basis

   McCool: giving people access?

   Ryo: access control based on user consent is important because
   some people don't want to let their data accessed

   McCool: what would be the story?
   ... OCF is looking at medical use cases as well

   Ryo: some kind of vital data can be accessed
   ... heartbeat rate, etc.

   McCool: features of interest have been discussed
   ... measurement we can share
   ... share with the doctor
   ... but not family, etc.
   ... maybe you could use an example of medical device annotated
   using "feature of interest"

   Ryo: ok

   Koster: feature of interest can specify special things like
   medical data
   ... location and body part
   ... interesting design question

   McCool: user decides whether the data is accessible or not
   ... but how to describe that?

   Koster: makes perfect sense actually

   McCool: category of information?

   Ryo: something like "I don't share the information with
   somebody."
   ... information about "who to what"
   ... interesting discussion during the workshop

   McCool: (adds comment)
   ... wondering about the deadline

   [23]https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

     [23] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

   Kaz: August 17

   Barry: it's extended till August 17

   McCool: we can generate a one-pager
   ... Kajiwara-san, let's have discussion

   Ryo: would like to hear background expectation from you as well

   McCool: (adds some edits)
   ... use WoT as an example of "consent as access control"

   Ryo: will give input to the GH repo

   <McCool> [24]https://github.com/mmccool/w3c-permissions-2018

     [24] https://github.com/mmccool/w3c-permissions-2018

   McCool: (will make the repo public)

Best practices

   McCool: we've been discussing a separate document on best
   practices

   [25]Security draft - 5. Recommended Security Practices

     [25] https://w3c.github.io/wot-security/#recommended-security-practices

   McCool: we could make this version more generic
   ... and create a separate document for more specific content
   ... how to make it testable
   ... for the moment, we can put specific content to this
   section, though
   ... but a bit concerned to put too much specific content to
   this Note itself

   Kaz: maybe we can put all the content here first
   ... and if the structure gets too complicated, we can move some
   of the detail into the appendix
   ... and split that appendix into a separate document later

   McCool: that's fine
   ... note that we need a testable document and need to limit our
   scope for testing
   ... let's just put things into the subsection of section 5
   ... and we should think about test on fuzzing, etc.
   ... testing the subsection of best practice section as well
   ... for now, let's stick into that approach

   <McCool> [26]https://github.com/w3c/wot-security/pull/108

     [26] https://github.com/w3c/wot-security/pull/108

Issues/PRs

   [27]changes

     [27] https://github.com/w3c/wot-security/pull/108/files

   McCool: we should talk about industrial security scenarios

   Elena: please take a look at the changes

   McCool: ok
   ... let's discuss it next time

Actions

   McCool: Barry, you can send me your proposal on DTLS

   Barry: ok. btw, can I get Elena's proposal about security
   testing?

   McCool: Elena, you can send the proposal to the whole group?

   Elena: ok

   [adjourned]

Summary of Action Items

   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
   Web Security IG about testing/validation timeline (first item
   tbd; second item done)
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570)
   for issue 98
   [ONGOING] ACTION: mcCool to write PR on TD spec for security
   definition
   [ONGOING] ACTION: Barry to suggest DTLS testing plan applicable
   for CoAP/MQTT
   [ONGOING] ACTION: everyone to generate set of best practices
   for draft by next week
   [ONGOING] ACTION: McCool to clean up Security and Privacy
   Considerations documents for final update to master by next
   week

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [28]scribe.perl version
    1.152 ([29]CVS log)
    $Date: 2018/08/14 12:49:13 $

     [28] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [29] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 14 August 2018 12:55:03 UTC