[wot-security] minutes - 16 December 2019

available at:
  https://www.w3.org/2019/12/16-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

16 Dec 2019

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Oliver_Pfaff

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [2]Topics
         1. [3]Agenda
         2. [4]Minutes review
         3. [5]Review of Lifecycle/Onboarding in Architecture
         4. [6]Future topics
         5. [7]Cleaning up the agenda wiki
         6. [8]Issue 151
         7. [9]Issue 143
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

Agenda

   McCool: last week we canceled the call
   ... to finalize the Proposed REC transition
   ... for today
   ... planning to have the main call this week as well
   ... what about the Security calls?
   ... maybe we can have a call on Jan 6, and cancel the meeting
   on Jan 13?

   Elena: will do my best to join the call on Jan 6

   McCool: ok, let's have the next meeting on Jan. 6 then
   ... possible cancellation on Jan 13
   ... no meetings on Dec 23 or Dec 30

   Oliver: will not be available on Jan 6...

   McCool: ok
   ... in that case...
   ... no meetings: Dec 23, Dec 30
   ... tentative Jan 6, Jan 13

Minutes review

   [12]Nov-18 minutes

     [12] https://www.w3.org/2019/11/18-wot-sec-minutes.html

   McCool: charter finalization
   ... not an actual security meeting
   ... we still need to discuss IETF Anima
   ... would accept the minutes
   ... objections?

   (none)

   McCool: accept the minutes then

Review of Lifecycle/Onboarding in Architecture

   Elena: discussed the lifecycle
   ... first discussed Oracle's model
   ... Lagally presented Oracle's documentation
   ... it's a lifecycle of IoT devices from cloud viewpoint
   ... then OneM2M model and OCF model
   ... need to read the OCF spec in more detail

   [13]Dec-12 Architecture minutes

     [13] https://www.w3.org/2019/12/12-wot-arch-minutes.html

   McCool: Oracle is taking a cloud management approach
   ... specific to automatic onboarding
   ... we should look into generic onboarding as well
   ... including establishment of trust
   ... Oracle is interested in how to manage devices at large
   scale
   ... we need to work on use cases

   Elena: there was discussion we would need to work on use cases
   during the Architecture call

   McCool: each company has some specific use case in mind
   ... according to the schedule, we have use cases as the first
   priority

   Elena: Architecture call could happen on 19th this week

   McCool: ok
   ... we should have use case discussion as well
   ... OCF, oneM2M and LwM2M as the primary contenders
   ... oneM2M is based on LwM2M?
   ... the lifecycle is included in the Architecture now?

   Elena: not really sure if it's good to move the content now

   McCool: we can wait for a while so that the Architecture
   content can be cleaned up
   ... probably should keep the content on the Security/Privacy
   guideline now
   ... PRs and Issues to clean up before year end

   [14]PR 150

     [14] https://github.com/w3c/wot-security/pull/150

   [15]Changes

     [15] https://github.com/w3c/wot-security/pull/150/files

   Elena: the goal is described here

   McCool: 3 things here
   ... establishing the trust
   ... key materials
   ... provisioning access
   ... may involve installing other devices
   ... generate tokens, etc.

   Elena: we need to understand how to deal with that

   McCool: would capture the point here (within the comment for PR
   150)
   ... need to specify goals before detailed processes
   ... need to establish trust, need to provision secrets, need
   to configure authorizations
   ... setup/onboarding/provisioning may invoke more than the
   device itself
   ... apparently the last point is also being discussed in
   architecture

   [16]McCool's comment

     [16] https://github.com/w3c/wot-security/pull/150#issuecomment-566064846

   Oliver: wonder whether trust is symmetric or asymmetric

   McCool: probably depends on use cases

   Elena: don't think we can prescribe it

   McCool: some use cases may require mutual trust and some don't

   Kaz: we might want to look into verifiable credentials as well

   McCool: ok

Future topics

   McCool: (adds a section for "Future topics" on the Security
   agenda wiki)
   ... Lifecycle and Onboarding
   ... Look at Verifiable Claims; VCWG is closed but people are in
   DID-WG now
   ... Trust establishment: use case analysis

   Oliver: maybe bootstrapping for establishing trust?

   McCool: terminology varies
   ... we need to research related ecosystems
   ... OCF bootstrapping: correspondence with lifecycle,
   provisioning, etc.
   ... and Discovery: privacy preservation
   ... what would a privacy-sensitive situation be?
   ... those would be topics for the future

Cleaning up the agenda wiki

   McCool: then would clean up the agenda wiki
   ... "Key Dates" section is outdated
   ... also should update the "External Review" section
   ... possible reviewers: Terri Oda, Valerie Fenwick, Sven
   Schrecker, Mike West/Daniel Veditz, DISS participants
   ... (remove obsolete "Key Dates" section, and mention "See new
   WG charter")

Issue 151

   [17]Issue 151

     [17] https://github.com/w3c/wot-security/issues/151

   McCool: (adds a comment to Issue 151)
   ... Terminology use for various stakeholders needs to be made
   consistent between the Arch and Security Document. Use cases
   also need to define stakeholders, and use cases should be in
   architecture... so maybe all stakeholder definitions should
   move to architecture?

   [18]McCool's comment

     [18] https://github.com/w3c/wot-security/issues/151#issuecomment-566071869

Issue 143

   [19]Issue 143

     [19] https://github.com/w3c/wot-security/issues/143

   McCool: currently we use ISO definition for Privacy
   ... but think it's a bit weak, since it refers to "private
   information" which seems circular
   ... maybe there is a deeper ISO definition, e.g., of "private",
   that we can refer to
   ... we should investigate further

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [20]scribe.perl version 1.154 ([21]CVS log)
    $Date: 2020/01/15 11:41:35 $

     [20] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [21] http://dev.w3.org/cvsweb/2002/scribe/

Received on Wednesday, 15 January 2020 11:47:09 UTC