[wot-security] minutes - 30 October 2017

• From: Kazuyuki Ashimura <ashimura@w3.org>
• Date: Tue, 21 Nov 2017 11:54:01 +0900
• To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
• Message-ID: <CAJ8iq9WrU3DqU=oA8Loa=NRf9NZiPGOUbSfS3HDV=g-+JCfDuw@mail.gmail.com>

available at:
  https://www.w3.org/2017/10/30-wot-sec-minutes.html

also as text below.

Sorry for the delay.

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

30 Oct 2017

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

   See also: [3]IRC log

      [3] http://www.w3.org/2017/10/30-wot-sec-irc

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Michael_Koster,
          Elena_Reshetova, Tomoaki_Mizushima, Zoltan_Kis

   Regrets
   Chair
          McCool

   Scribe
          kaz

Contents

     * [4]Topics
         1. [5]agenda
         2. [6]minutes
         3. [7]schedule
         4. [8]draft publication
         5. [9]TPAC agenda
         6. [10]issues
         7. [11]workshop
         8. [12]AOB
     * [13]Summary of Action Items
     * [14]Summary of Resolutions
     __________________________________________________________

   <scribe> scribenick: kaz

agenda

   [15]Agenda

     [15] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

   mccool: review of prev minutes, draft publication, schedule,
   issues, workshop
   ... TPAC agenda and PlugFest objectives

   elena: next week?

   mccool: yes
   ... so no meeting on Nov. 6

minutes

   [16]prev minutes

     [16] https://www.w3.org/2017/10/23-wot-sec-minutes.html

   mccool: goes through the minutes
   ... various issues
   ... one clarification
   ... working branch was deleted
   ... merged into the main master branch

   elena: and started new work on the working branch

   mccool: ok
   ... master branch staying clean is important for TPAC
   discussion
   ... goes through issues
   ... I'm ok with the minutes

   elena: fine by me as well

   RESOLUTION: prev minutes accepted

   mccool: working branch is not gone but merged

   kaz: will fix that point

schedule

   [17]Schedule

     [17] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule

   mccool: we've done the preparation
   ... kaz, can you work for the publication?

   kaz: will send a transition request to the project manager
   ... and check the document using check tools
   ... and then talk with the Webmaster

   mccool: possible pub date on Nov. 16?

   kaz: yes, let's aim that
   ... if there is any problem, I'll get back to you

   mccool: updates the schedule

draft publication

   mccool: master is updated version for TPAC
   ... feel free to provide pull requests but the master branch
   should be clean

   elena: Matthias's comments?

   mccool: he's busy so maybe difficult
   ... during TPAC, there are three things
   ... plugfest, security features as part of my contribution
   ... trying to work with HTTPS
   ... authentication using OAuth
   ... in conjunction with Amazon Alexa as well
   ... any prototype of implementations for TPAC?

   elena: thinking about practical implementations
   ... example use cases for section 5
   ... not sure how to collect information at the moment, though

   mccool: add topics for "TODO: Security Features" from his
   slides
   ... WoT0McCoolPOC(007).pptx

   elena: now we have a very basic one

   mccool: Use Cases from PlugFest
   ... additional lower-level "patterns" or "system
   configurations"
   ... some information at:
   [18]https://github.com/w3c/wot/tree/master/plugfest/2017-burlin
   game
   ... we can discuss the document
   ... you'd do a presentation on the current status?
   ... you can add people about possible additional system
   configuration

     [18] https://github.com/w3c/wot/tree/master/plugfest/2017-burlingame

   elena: section 5 is good to go
   ... examples of security mechanisms

   mccool: want a document
   ... e.g., Intel POC includes HTTPS, SSH tunnel for NAT
   traversal, OAuth, CoAPS locally
   ... shows the current configuration
   ... [1.5 Metadata Bridging]
   ... metadata bridge
   ... and HTTPS bridge
   ... relays the NAT tunnel
   ... good HTTPS access to the system here (at the local network)
   ... correct setup for remote access
   ... and also local access
   ... HTTP connection is not so nice
   ... would try HTTPS end point
   ... thing directory is a SPARQL end point
   ... global HTTP endpoint and local HTTP endpoint
   ... that's my configuration

   elena: local HTTP
   ... local network is not so secure
   ... may be some acceptable scenario, though

   mccool: right
   ... IP address not visible globally
   ... how to set up a local HTTPS bridge?
   ... now working with Edison
   ... not fully OCF 1.1 compliant
   ... may be able to use CoAPS, though
   ... not fantastically secure yet

   elena: lack of setting up a local HTTPS server
   ... question of protocols

   mccool: many possible ways
   ... issues: local certs for HTTPS?
   ... let's Encrypt/certbot does not work; cert renewal (need
   certibot)
   ... there is a CG working on local HTTPS

   kaz: we can talk with them during TPAC

   mccool: yeah
   ... AVS server needs to talk with these guys
   ... (showing [2. Semantic Voice Control])
   ... any other certificate issues?
   ... look into "HTTPS Local CG"
   ... authenticated, encrypted, securely identified endpoints
   ... HTTPS + OAuth
   ... the connection is encrypted
   ... probably not locally...

TPAC agenda

   [19]TPAC Agenda wiki

     [19] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_4-10_November_2017,_Burlingame,_CA,_USA#Agenda

   mccool: regarding security
   ... should mention...
   ... Wednesday, in addition to the regular topics
   ... we'll have a joint session with Payments/Security
   ... also joint meeting on Thursday with Web Commerce

   elena: wondering about the timezone

   mccool: California time
   ... asking a speakerphone
   ... morning should be better for you

   elena: Monday is fine
   ... but something on Tuesday

   mccool: you're listed here on Monday in the morning (in
   California)
   ... also summary of security work in the afternoon on Monday
   ... feedback on section 5
   ... I can do it if not good for you
   ... Tuesday morning, 1.5 hours for security

   <McCool> please delete the above line before email is published

   mccool: and Wednesday
   ... introduction to WoT for Security guys
   ... will generate some short presentation for that purpose

issues

   skipping

workshop

   mccool: busy with POC work
   ... you input welcome
   ... will write the paper after TPAC

AOB

   mccool: anything else?

   (none)

   mccool: no meeting on Nov. 6

   <McCool> but there will be one the week after that

   <McCool> Nov 13

   mccool: next meeting on Nov. 13

   [adjourned]

Summary of Action Items

Summary of Resolutions

    1. [20]prev minutes accepted

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [21]scribe.perl version
    1.152 ([22]CVS log)
    $Date: 2017/11/21 02:51:52 $

     [21] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [22] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 21 November 2017 02:55:10 UTC