- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 5 Jun 2018 17:45:18 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2018/05/28-wot-sec-minutes.html
also as text below.
Thanks a lot for taking these minutes, Soumya!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT Security
28 May 2018
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
Attendees
Present
Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
Soumya_Kanti_Datta, Michael_Koster, Tomoaki_Mizushima,
Kazuaki_Nimura
Regrets
Chair
McCool
Scribe
Soumya
Contents
* [3]Topics
1. [4]TPAC schedule
2. [5]Agenda
3. [6]Prev minutes
4. [7]Review PRs
5. [8]PlugFest prep
* [9]Summary of Action Items
* [10]Summary of Resolutions
__________________________________________________________
TPAC schedule
some discussion on the upcoming TPAC 2018 schedule
... Elena mentions she has conclict with the Linux Security
Summit during the TPAC week and can't join TPAC this time
<kaz> [11]Linux Security Summit Europe - Oct 25-26 in
Edinburgh, UK
[11] https://infosec-conferences.com/events-in-2018/linux-security-summit-europe/
<kaz> scribenick: Soumya
Agenda
McCool: shows the agenda
<kaz> [12]prev minutes
[12] https://www.w3.org/2018/05/21-wot-sec-minutes.html
<McCool> agenda:
[13]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#May_28.2
C_2018
[13] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#May_28.2C_2018
Prev minutes
McCool: review of previous minutes
... reviews current actions
... accepts minutes
no other comments
Review PRs
McCool: no open PR expect one old one
... websockets are out of scope for TD right now
<kaz> [14]PRs
[14] https://github.com/w3c/wot-security/pulls
McCool: merged several items to master branch
PlugFest prep
McCool: separate testing and plugfest prep meeting
... for testing, we need to think on security testing,
validation
... looked at some tools
... e.g. npm audit
... action - testing and validation for security
... plugfest prep - we will have a plugfest meeting this week,
mj koster will run it
Koster: matsukura-san may also chair that meeting
McCool: how to include more security and testing aspects in
plugfest?
Koster: figure out what do we mean by security - starting point
... common security practice
McCool: using self-sign certificate for https, secured storage
... nodejs proxy for security
... how to distribute that
Koster/McCool: discussion on proxy
Elena: knows the process to make codes open source
McCool: I just have to follow the internal Intel processes
<not sure if it is correct spelling>
McCool: having https is useful
... basic auth should be used in addition to https
... do at least basic auth, digest, bearer tokens
... https could be possible through proxy
Koster: supports the idea
McCool: action - write a short proposal on what security tools
to use in next plugfest
... action - write a proxy service
... service would work on a web API
<kaz> ACTION: mccool to write a short proposal on what security
tools to use for the next plugfest
McCool: for next f2f - discussion on security related agenda
... plugfest security review is secondary priority
... discuss something on privacy, any missing aspects
... provide a recommendation on best practice efforts for ppl
implementing w3c systems
... this could be another discussion
... looking at ongoing issues
<kaz> [15]issue 98
[15] https://github.com/w3c/wot-security/issues/98
McCool: issue 97, including a password in TLS
... is it used in place of basic auth?
Elena: could look into it
McCool: Intel building management systems use form based
authentication
Koster: we can also figure our exemplery protocols for WoT
<kaz> [16]issue 97
[16] https://github.com/w3c/wot-security/issues/97
McCool: adds an issue for security recommendations for
'native-wot' systems
<kaz> [17]issue 102
[17] https://github.com/w3c/wot-security/issues/102
McCool: discussing issue 85, it is to be closed. we don't have
a separate version system. security systems have a stable
implementation.
<kaz> [18]issue 85
[18] https://github.com/w3c/wot-security/issues/85
McCool: no objection heard
... writes conclusion in the issue and closes it.
<kaz> McCool: changes the label for #73 to "DOCUMENTATION"
McCool: discussing issue 72, it is a privacy risk
<kaz> [19]issue 73
[19] https://github.com/w3c/wot-security/issues/73
<kaz> McCool: qop parameter for digest authentication
<kaz> [20]issue 96
[20] https://github.com/w3c/wot-security/issues/96
<kaz> [21]digest access authentication (Wikipedia)
[21] https://en.m.wikipedia.org/wiki/Digest_access_authentication
AOB?
none
<kaz> [adjourned]
Summary of Action Items
[ONGOING] ACTION: mccool to talk with security guys about
testing/validation timeline
[ONGOING] ACTION: mccool to work on issue 70 (Require Not
Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mjkoster/elena to review examples in the
security spec
[NEW] ACTION: mccool to write a short proposal on what security
tools to use for the next plugfest
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [22]scribe.perl version
1.152 ([23]CVS log)
$Date: 2018/06/05 08:42:19 $
[22] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[23] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 5 June 2018 08:46:52 UTC