
[TF-SP] minutes - 10 March 2016

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Thu, 10 Mar 2016 22:01:59 +0900
Message-ID: <CAJ8iq9Vh3yNS=H7dEBGfohtfppq9vU1q=zn0CAZO5mc1DCuNOg@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>
available at:

also as text below.

The next TF-SP call will be held on April 7th.





                               - DRAFT -

                          Security task force

10 Mar 2016



   See also: [3]IRC log

      [3] http://www.w3.org/2016/03/10-wot-sp-irc


          Kaz, Dave, Oliver, Sebastian, Yingying,




     * [4]Topics
         1. [5]how to re-energize the security/privacy work
         2. [6]Landscape document
         3. [7]Current practice document
         4. [8]F2F, Plugfest in Montreal
         5. [9]Charter items
     * [10]Summary of Action Items
     * [11]Summary of Resolutions

how to re-energize the security/privacy work

   (brain storming)

   kaz: TV Control API CG has started their phase 2 work
   ... and interested in security/privacy
   ... so far they're thinking about collaboration with the
   Automotive group
   ... but collaboration with this WoT-SP would also make sense

   oliver: ok. let me know about their opinions, etc.
   ... we should be able to respond to them
   ... there is already public information
   ... so we can show it to them

Landscape document

   -> [12]http://w3c.github.io/wot/landscape.html Landscape
   document on GitHub

     [12] http://w3c.github.io/wot/landscape.html

   oliver: sharing the document on the webex
   ... not updating for a while

Current practice document

   ml#security-considerations-1 Security consideration for AP from
   the Current Practice document


   oliver: question to Sebastian

   sebastian: updating the TD section
   ... what kind of security portion should be considered?
   ... to get access for resources
   ... what kind of security token for server?
   ... discussion using email
   ... first idea
   ... will talk during the TD call next week as well
   ... one part is how would the security information be provided?
   ... how to interact with services?
   ... how we can protect TD itself?
   ... interesting issues to consider

   oliver: the second one is more important
   ... it's design work
   ... protect TD
   ... my recommendation is accessing things should be the
   ... wrapper for things
   ... would suggest prioritize that
   ... and could think about other topics later
   ... skimming the document
   ... explaining the problems
   ... not yet have information from the email exchanges
   ... showing "Protecting TD Objects" section
   ... the second part is more important
   ... "Describing prerequisites for accessing things"
   ... would be the fundamental work

   sebastian: ok. will do.

   oliver: 3.2.3 Security Considerations
   ... not giving the answer yet
   ... need more coverage
   ... maybe need to talk with Johannes

   sebastian: will do that too.

F2F, Plugfest in Montreal

   oliver: we've been taking care of security as well for our
   ... e.g., in Nice
   ... would have same features in Montreal as well
   ... plan to offer an extension
   ... probably could provide something in June

   sebastian: in Nice we already had security scenario
   ... but security description was not used within the Thing
   ... we need security description within TD
   ... the point is small change in TD
   ... additional features
   ... how about that?

   oliver: could be done
   ... 2 issues
   ... we have server-side component
   ... don't require to change that part
   ... how to document?
   ... timing issue
   ... the other thing is
   ... error response from the server
   ... natural approach would be rewrite the description
   ... client should understand the security token
   ... the second step is putting that into TD
   ... but not enough time to do really fundamental things
   ... but would be welcome if you try
   ... for Montreal, could display security
   ... not as abstract but concrete Thing Description

   sebastian: not involved in the security plugfest so far
   ... panasonic made much effort
   ... security and communication
   ... maybe I should check that beforehand

   oliver: light-weight way for prototype in non-normative way
   ... prototype object as a part
   ... next discussion would be how to create automatic sessions
   ... would make a display object
   ... logic by a state management engine
   ... can be done by the Montreal meeting
   ... BTW, I can't make my travel for the Montreal meeting...
   ... I could prepare for those topics including the state engine
   ... and could offer information to TD and AP

   sebastian: sounds like a good idea

   oliver: we should try to define
   ... that's all from my side for the Montreal meeting

Charter items

   Charter items

     [14] https://github.com/w3c/wot/blob/master/WG/wot-wg-items.md

   <dsr> draft charter (viewable in browser)

     [15] https://w3c.github.io/charter-drafts/wot-wg-2016.html

   kaz: Dave has created an HTML version above

   oliver: two sections for security
   ... 1.1 Thing Descriptions
   ... the second bullet is on security
   ... and 1.2 Scripting APIs
   ... the second bullet again is on security
   ... where to add security portion?

   dsr: we have to define deliverables
   ... and put more details
   ... mentioned during the AP call yesterday as well
   ... need information on prototype implementations
   ... also proof-of-concepts
   ... to justify the need for this work
   ... and convince corporate managers
   ... we have architecture document and current practice document

   oliver: it would make more sense to extend the best practice
   ... what should be the starting point?
   ... also would be difficult to work for the following weeks due
   to vacation...

   dsr: explains the importance of additional information

   oliver: was in contact with vendors
   ... solid foundation than having paper only
   ... would go into the best practice document
   ... there are technologies there
   ... would suggest we update the best practice document
   ... elaborate the text

   dsr: we have focus on some specific technology
   ... not sure in terms of text for the charter
   ... we have references
   ... on the GitHub site
   ... could add links to the architecture/current practice

   oliver: alright

   dsr: there is a bullet point mentioning privacy policies, access
   control, etc.
   ... linked data vocabulary might be too ambitious for
   ... we need to clarify
   ... we have to explain that

   oliver: alright
   ... don't think "trust assertions" are too far away
   ... but we need to have components for security
   ... we have had some of them during plugfest demos
   ... would suggest we continue discussion using emails

   dsr: ok

   oliver: action item on trust assertions
   ... that's all for today from my viewpoint
   ... anything else to talk today?


   oliver: a couple of follow-ups to do
   ... next call will be April 7th
   ... meaning no call on March 24th

   [ adjourned ]

Summary of Action Items

Summary of Resolutions

   [End of minutes]

    Minutes formatted by David Booth's [16]scribe.perl version
    1.144 ([17]CVS log)
    $Date: 2016/03/10 12:58:30 $

     [16] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [17] http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 10 March 2016 13:03:11 UTC
