[wot-security] minutes - 27 August 2018

available at:
  https://www.w3.org/2018/08/27-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

27 Aug 2018

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Kazuaki_Nimura,
          Ryo_Kajiwara, Xiaoru_Li, Michael_Lagally,
          Tomoaki_Mizushima

   Regrets
          Elena, Barry

   Chair
          McCool

   Scribe
          kaz

Contents

     * [2]Topics
         1. [3]Prev minutes
         2. [4]W3C Permissions workshop update
         3. [5]English clean up
         4. [6]Best practices
         5. [7]Remaining issues
         6. [8]Agenda for next week
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________

   <McCool>
   [11]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Aug_27.2C_2018

     [11] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Aug_27.2C_2018

Prev minutes

   McCool: will review the whole minutes next week due to small
   participation today
   ... check actions
   ... last one done
   ... 2nd last keep

   <McCool> keep the following action items:

   <McCool> mccool to talk with IIC Security TF and W3C Web
   Security IG

   <McCool> create a PR to clarify the immutability of the "id"
   property in Thing Description

   McCool: will do that

   <McCool> mccool to look into URI templates (RFC6570) for issue
   98

   McCool: ongoing

   <McCool> Barry to suggest DTLS testing plan applicable for
   CoAP/MQTT

   McCool: ongoing

   <McCool> mcCool to write PR on TD spec for security definition

   McCool: still to do

   <McCool> everyone to generate set of best practices

   McCool: ongoing
   ... let's create action list based on the above
   ... Xiaoru has joined the group
   ... additional security meeting during TPAC on Monday

   Kaz: have conflict on Monday for the M&E IG

   McCool: please send an email to me and Elena
   ... maybe we can do that during breakfast or weekend

   Kaz: ok

   (some more attendees join)

   McCool: some more attendees have just joined this call and
   we've got quorum, so let's review the previous minutes
   ... (goes through the minutes)
   ... actions again
   ... mccool to look into URI templates (RFC6570) for issue 98
   ... we can discuss the issue later
   ... would propose to accept the minutes

   Ryo: typo?
   ... TDLS to be DTLS?

   McCool: right
   ... with that change, can we accept the minutes?

   (no objection)

W3C Permissions workshop update

   Ryo: sent the position paper on the GitHub repo

   [12]proposed position paper

     [12] https://github.com/mmccool/w3c-permissions-2018

   Ryo: got notification
   ... accepted for the workshop
   ... so will participate in the workshop

   McCool: need to generate some slide deck?

   Ryo: not sure
   ... it will be held in one month

   [13]permissions workshop cfp

     [13] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

   sep 26-27

   McCool: let's think about the slide deck for that

   Ryo: will let you know about the time schedule and requirements

   McCool: ok

English clean up

   [14]PR 112

     [14] https://github.com/w3c/wot-security/pull/112

   McCool: Elena says she will clean up figures
   ... also 2 empty sections
   ... simply commented them out
   ... best practices for non-wot devices

   [15]non-wot endpoints

     [15] https://github.com/w3c/wot-security/pull/112/commits/baa2c2a39876a5feb18d4d7ba6a8000f41c1b6a4

   McCool: bunch of small changes
   ... commented out here (<!-- Don't think these are
   necessary...)
   ... 2 empty sections here
   ... Elena is happy to merge this PR
   ... merging it with mmccool:master (from mccool:polish)

   <McCool>
   [16]https://rawgit.com/mmccool/wot-security/polish/index.html

     [16] https://rawgit.com/mmccool/wot-security/polish/index.html

   McCool: next week we aim to publish the official version
   ... finding any small issues
   ... we should be prepared and make decision
   ... would merge this against the master
   ... any objection to merge this now?

   Kaz: against w3c/wot-security/master ?

   McCool: right
   ... any objections?

   (none)

   [merged PR 112]

Best practices

   McCool: want to hear your input where to go
   ... created an MD file

   [17]Security Best Practices

     [17] https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md

   McCool: will elaborate this later on
   ... should be specific about transport, authentication, access
   control, ...
   ... if you have any specific best practices, we can create some
   notes here
   ... limited scope on best practices on security configuration
   ... questions?

   <Xiaoru> Does the MQTTS mean MQTT + TLS 1.3?

   Kaz: maybe "MQTTS (CoAP + TLS 1.3)" is a typo, isn't it?

   <Xiaoru> yes

   McCool: ah, ok
   ... would like to flesh this out during the week

Remaining issues

   [18]https://github.com/w3c/wot-security/issues/109

     [18] https://github.com/w3c/wot-security/issues/109

   McCool: updated PR 198
   ... this issue can be closed?

   (no objections)

   McCool: closed issue 109

   [19]issue 102

     [19] https://github.com/w3c/wot-security/issues/102

   McCool: let's change the name of this issue
   ... to "Security Best Practices for WoT Systems"

   McCool: generate MD file
   ... please give your comments

   [20]best practices doc

     [20] https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md

   [21]issue 98

     [21] https://github.com/w3c/wot-security/issues/98

   McCool: we can close this
   ... question of URI thing
   ... will close this since once we have URI templates we can use
   "in = query" to represent authentication information in query
   parameters
   ... like a form would do
   ... for various schemes
   ... but we should definitely use this as a test case for
   combining URI templates with security

   [22]issue 81

     [22] https://github.com/w3c/wot-security/issues/81

   McCool: kind of confused with reverse-proxy and forward-proxy
   ... client side vs server side
   ... reverse-proxy is often transparent
   ... my question is
   ... would propose to close this issue
   ... considering it's done

   Nimura: are we just thinking about network configuration?
   ... or security?

   McCool: caching or NAT traversal
   ... not specific for proxy
   ... authentication on proxy for endpoint
   ... you can give endpoint security information separately
   ... we should test it at plugfest
   ... the original goal of this issue was that we needed to add
   some metadata
   ... and it's done
   ... and now we need to test it
   ... and then let me know if any problem
   ... make sense?

   Kaz: in that case, we need to add one check point explicitly to
   the online plugfest planning document. right?

   McCool: right
   ... will make the update and then close this issue

   [23]issue 80

     [23] https://github.com/w3c/wot-security/issues/80

   McCool: next issue similar approach
   ... metadata already exists
   ... will update the plugfest planning document and then close
   this issue

   [24]issue 77

     [24] https://github.com/w3c/wot-security/issues/77

   McCool: similar approach
   ... will update the plugfest planning document and then close
   the issue

   [25]issue 76

     [25] https://github.com/w3c/wot-security/issues/76

   McCool: leave this out in this version draft

   [26]issue 72

     [26] https://github.com/w3c/wot-security/issues/72

   McCool: we did add fingerprinting risks
   ... privacy risks
   ... immutable hardware
   ... role of consent
   ... will create a PR for issue 70
   ... any objections to close these 3 issues?

   (no objections)

   McCool: 72 closed

   [27]https://github.com/w3c/wot-security/issues/71

     [27] https://github.com/w3c/wot-security/issues/71

   McCool: did add a new section
   ... but still pretty empty
   ... should keep it open

   [28]https://github.com/w3c/wot-security/issues/67

     [28] https://github.com/w3c/wot-security/issues/67

   McCool: 67 closed

   [29]issue 61

     [29] https://github.com/w3c/wot-security/issues/61

   McCool: Wendy suggests integrity protection
   ... but the security Note itself is not normative

   McCool: will create a PR to put a normative SHOULD statement for
   confidentiality of TD distribution in the TD spec draft

   <scribe> ACTION: McCool to create a PR to put a normative
   SHOULD statement for confidentiality of TD distribution in the
   Thing Description document.

Agenda for next week

   McCool: will update the best practice document
   ... give your comments
   ... final review for the security draft
   ... (updates the agenda for Sep. 3)
   ... issue and PR review
   ... review of last minutes
   ... anything else?

   (none)

   [adjourned]

Summary of Action Items

   [DONE] ACTION: mccool to edit the W3C permissions document
   [DONE] ACTION: McCool to clean up Security and Privacy
   Considerations documents for final update to master by next
   week
   [DONE] ACTION: mjkoster/elena to review examples in the
   security spec

   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
   Web Security IG about testing/validation timeline (first item
   tbd; second item done)
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570)
   for issue 98
   [ONGOING] ACTION: mcCool to write PR on TD spec for security
   definition
   [ONGOING] ACTION: Barry to suggest DTLS testing plan applicable
   for CoAP/MQTT
   [ONGOING] ACTION: everyone to generate set of best practices
   for draft by next week
   [ONGOING] ACTION: create a PR to clarify the immutability of
   the "id" property in Thing Description
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?) - same as the above
   action?

   [NEW] ACTION: McCool to create a PR to put a normative SHOULD
   statement for confidentiality of TD distribution in the Thing
   Description document.
   [NEW] ACTION: McCool to update plugfest planning docs to
   include security scheme configurations to test from best
   practices.

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [30]scribe.perl version
    1.152 ([31]CVS log)
    $Date: 2018/09/04 02:32:34 $

     [30] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [31] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 4 September 2018 02:54:39 UTC