- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Thu, 21 Dec 2017 00:16:32 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2017/12/11-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
- DRAFT -
WoT Security
11 Dec 2017
Attendees
Present
Kaz_Ashimura, Elena_Reshetova, Michael_Koster,
Michael_McCool, Tomoaki_Mizushima, Barry_Leiba
Regrets
Chair
McCool
Scribe
kaz
Contents
* [2]Topics
1. [3]NDSS paper
2. [4]publication status
3. [5]NDSS paper (revisited)
4. [6]wot-security issues
5. [7]next meeting
6. [8]prev minutes
* [9]Summary of Action Items
* [10]Summary of Resolutions
__________________________________________________________
<scribe> scribenick: kaz
NDSS paper
mccool: deadline on Dec 11
... 4 commits after Barry's review
... can walk through the updates
publication status
kaz: Elena created a pull request about my question
elena: have fixed all the problems you mentioned
-> [11]https://github.com/w3c/wot-security/pulls/57 Kaz's pull request
[11] https://github.com/w3c/wot-security/pulls/57
kaz: added the UID (W3C account id) for McCool and Elena
mccool: ok
mccool: merges the change
-> [12]https://github.com/w3c/wot-security/pull/58 Elena's pull request on fixing problems Kaz pointed out
[12] https://github.com/w3c/wot-security/pull/58
mccool: goes through the changes
(fixed broken links at reference)
mccool: merges the fix
kaz: will check the document using the checker again
... and will work with the webmaster for the publication
NDSS paper (revisited)
mccool: submission 3 and 4
barry: reviewed submission 3
... clarifying the goal of the paper would be helpful
mccool: 30 submissions so far
... 12 of them are expected at the workshop
... we're talking about reviewing the draft spec
... in the context of reviewing a standard
... I myself am one of the organizers, so can't support this paper itself due to Conflict of Interest
-> [13]https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-wot-sec.pdf PDF version
[13] https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-wot-sec.pdf
barry: looks good to me but how about the others?
... this is a workshop paper, not a conference paper
... explicitly mentioning that we've started some work
mccool: important exercise for people to participate in
... concept of reviewing the standard asap
elena: shorten the background section?
mccool: changed the examples to actual examples
... example of an application servient
(some more discussion)
mccool: C. Endpoint Adaptation
... will try one more around update
... if you find any small problems (typos, missing words, etc.) please create pull requests
kaz: ok to fix the URL for link 14 after the publication of the Note?
mccool: can fix it now, and also can update later as well
[Kaz's comment on reference [14]]
The link "https://www.w3.org/TR/2017/WD-wot-security-20171116/"
at:
E. Reshetova and M. McCool, “Web of Things (WoT) Security
and Privacy Considerations,” W3C, W3C Note, Sep. 2017.
[Online].
Available: https://www.w3.org/TR/2017/WD-wot-security-20171116/
]]
should be:
https://www.w3.org/TR/NOTE-wot-security/
]]
as the generic URL at the moment (but should be updated with the dated URL, e.g.,
https://www.w3.org/TR/2017/NOTE-wot-security-20171214/
once the document is published)
also "Sep." should be "Dec."
mccool: ok
wot-security issues
[14]https://github.com/w3c/wot-security/issues/59 TD/API security requirements for the next plugfest
[14] https://github.com/w3c/wot-security/issues/59
[15]https://github.com/w3c/wot-scripting-api/issues/82#issuecomment-350662317 related issue on Scripting
[15] https://github.com/w3c/wot-scripting-api/issues/82#issuecomment-350662317
mccool: 2 issues here
... added a comment here to the scripting issue 82
... and created another issue for security repo 59
... adding another description to security issue 59
... perhaps there are two issues
... 1. specifying "security" section of an exposed TD. The requirements for the scripting API will be given entirely by the requirements for the TD spec. Right now the TD spec has an "open" format for the security metadata so probably the API should just allow similar arbitrary data in the API
elena: 2nd issue would be much bigger?
mccool: 2. A possibly related issue is how "provisioned security data" (keys, etc.) are provided to a particular instance of a WoT object, e.g., for a service
... do we assume a WoT servient magically find that key?
... how to handle this?
kaz: maybe we need 3 different kinds of identifiers?
... one for the devices, 2nd for the apps and 3rd for the users?
... and some mechanism to how to identify the combination of those three identifiers
elena: depends on the application
mccool: the first point is easier
... related to the problem of lifecycle
elena: we have the 2nd point within the privacy consideration?
... the lifecycle issue is related to how to handle the credential for multiple apps
mccool: we can add a link from the security document to specific issues on the GitHub repo
... any other issues to review?
[16]https://github.com/w3c/wot-security/issues/52 Blockchains for WoT
[16] https://github.com/w3c/wot-security/issues/52
mccool: blockchains may fit with WoT
... the Payment WG is working on rechartering
... interledger would be a good place to start for "blockchain authorization"
[17]https://github.com/w3c/wot-security/issues/53 authorization and minimizing access to TD in Things directory
[17] https://github.com/w3c/wot-security/issues/53
mccool: possibly multiple questions here...
... 1. who is authorized to use the Thing Directory Web service? since this is a Web service, it can be handled like other Web services.
... 2. How can/should we support sub-setting of Thing Descriptions, i.e., should a Thing Directory support different levels of authorization?
... 3. if we do a semantic search, the data that can be used for inferencing should also only be data that the user has authorization to access.
... for example, could have two levels of access, full and partial. Then a user with partial access can only do inferencing over partial TDs.
... a related problem
... Thing Directories are not officially part of the WoT architecture.
... this may be a problem since we may leave out important security hooks like the identity of the entity doing discovery.
next meeting
elena: not available on 18th
mccool: can handle the next meeting
... let's talk about lifecycle, etc.
barry: won't be available on 18th
mccool: ah, in that case, maybe we can simply cancel the meeting on 18th
... can just have discussion on publication with Kaz
prev minutes
[18]https://www.w3.org/2017/12/04-wot-sec-minutes.html prev minutes
[18] https://www.w3.org/2017/12/04-wot-sec-minutes.html
mccool: don't see problems
elena: we should update the publication plan
[19]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule publication schedule
[19] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule
mccool: we'll update the publication with Feb. 15 (Thu)
... the prev minutes themselves are accepted
[adjourned]
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [20]scribe.perl version 1.147 ([21]CVS log)
$Date: 2017/12/20 15:13:54 $
[20] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[21] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 20 December 2017 15:17:42 UTC