[wot-security] minutes - 30 April 2018

available at:
  https://www.w3.org/2018/04/30-wot-sec-minutes.html

also as text below.

Thanks a lot for taking these minutes, Michael Koster!

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

30 Apr 2018

Attendees

   Present
          Kaz_Ashimura, Elena_Reshetova, Michael_Koster,
          Michael_McCool, Zoltan_Kis, Kazuaki_Nimura, Barry_Leiba,
          Tomoaki_Mizushima

   Regrets

   Chair
          McCool

   Scribe
          mjkoster

Contents

     * [2]Topics
         1. [3]Prev minutes
         2. [4]Life cycle transition
         3. [5]Review PRs
               o [6]PR 90
               o [7]PR 91
               o [8]PR #92
         4. [9]Issue #78
         5. [10]Actions from today's call
     * [11]Summary of Action Items
     * [12]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: mjkoster

Prev minutes

   <kaz> [13]prev minutes

     [13] https://www.w3.org/2018/04/23-wot-sec-minutes.html

   <kaz> (several typos: s/tak/talk/; s/pare/pair/;)

   <kaz> leftover actions:

   <kaz> ACTION: [ONGOING] elena to work on issue 68 (Thing
   Provider Data Specification) and issue 69 (Passive Observers
   Risk)

   <kaz> ACTION: [ONGOING] mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)

   <kaz> ACTION: [ONGOING] elena/koster to work on terminology

   <kaz> ACTION: [ONGOING] mccool to talk with security guys about
   testing/validation timeline

   McCool: accept the minutes

   <kaz> (other than the typos and the leftover actions)

   McCool: any objections?

   <kaz> (none)

Life cycle transition

   Zoltan: we need a mechanism by which the consumed thing
   application gets notified when the exposed thing is destroyed

   McCool: can a management thing have en event?

   Zoltan: it needs to tell which object is signalled
   ... simpler to have the object signal itself

   McCool: so, a set of standard events

   Zoltan: how does OCF work?
   ... can observe the /oic/res

   McCool: standard APIs for components in the architecture
   ... network API for runtime using a management thing

   Zoltan: how does the script get the signal?

   McCool: change of state signal would also cover the unexpected
   loss of a thing
   ... not sure what the security implications would be

   (discussion on TD life cycle management interface)

   McCool: seems incomplete without a TD state change mechanism
   exposed

   Zoltan: we can implement this with TD monitoring
   ... will create an issue

Review PRs

   McCool: PR 90, 91, and 92

* PR #90

   Elena: start with PR #90
   ... 3 issues addressed in this PR
   ... clarification on what is meant by System User Data
   ... clarified what is meant by System Provider Data

   <kaz> [14]PR 90

     [14] https://github.com/w3c/wot-security/pull/90

   <kaz> [15]changed files

     [15] https://github.com/w3c/wot-security/pull/90/files

   Elena: clarified the attack model and including Thing Directory
   ... question: is Thing Directory out of scope?

   McCool: Thing Directory could be addressed in the security
   recommendations

   Elena: it is difficult to define the threat model to the same
   detail not knowing the protocol
   ... maybe we can make some general recommendations

   McCool: we could explain this in the document

   Elena: yes, we can clarify the scope

   McCool: can we create an issue to address Thing Directory
   security?

   Elena: we need to add gateway security as out of scope also
   since we don't cover end to end security

   McCool: in a similar way we could make general recommendations
   ... we can cite external references like IIC
   ... capture this in the PR comments
   ... PR #90

* PR #91

   McCool: next PR #91 on Security Metadata

   <kaz> [16]pr 91

     [16] https://github.com/w3c/wot-security/pull/91

   McCool: starting with a simple example
   ... leading to more complex examples

   <kaz> [17]Security Metadata proposal

     [17] https://github.com/mmccool/wot-security/blob/3589a1e0e2c6c75aa004c83e9e0e8509bf16c0da/wot-security-metadata.md

   McCool: ready to merge PR 91

* PR #92

   <kaz> [18]PR 92

     [18] https://github.com/w3c/wot-security/pull/92

   McCool: Tunnel Configuration

   <kaz> [19]changes

     [19] https://github.com/w3c/wot-security/pull/92/files

   McCool: changes to break up long text lines
   ... not ready to merge; adding a section on shadows

   mjk: what about using the term "caching proxy"

Issue #78

   <kaz> [20]issue 78

     [20] https://github.com/w3c/wot-security/issues/78

   McCool: management API that uses cookies for a use case
   ... out of time now, any other business?

Actions from today's call

   McCool: tunneling+shadow
   ... elena's PR

   <kaz> ACTION: mccool to work on tunneling/shadow for the
   security metadata proposal

   McCool: zoltan create scripting issue for TD life cycle in
   scripting API
   ... review examples in the security spec (mjk, elena)

   <kaz> ACTION: mccool to work on PR 90

   <kaz> ACTION: zkis to create scripting issue for TD life cycle
   in scripting api

   McCool: adjourn

   <kaz> ACTION: mjkoster/elena to review examples in the security
   spec

Summary of Action Items

   [ONGOING] ACTION: elena to work on issue 68 (Thing Provider
   Data Specification) and issue 69 (Passive Observers Risk)
   [ONGOING] ACTION: elena/koster to work on terminology
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mccool to talk with security guys about
   testing/validation timeline
   [NEW] ACTION: mccool to work on tunneling/shadow for the
   security metadata proposal
   [NEW] ACTION: mccool to work on PR 90
   [NEW] ACTION: zkis to create scripting issue for TD life cycle
   in scripting api
   [NEW] ACTION: mjkoster/elena to review examples in the security
   spec

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [21]scribe.perl version
    1.152 ([22]CVS log)
    $Date: 2018/04/30 14:25:34 $

     [21] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [22] http://dev.w3.org/cvsweb/2002/scribe/

Received on Monday, 21 May 2018 23:11:06 UTC