- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 2 Oct 2017 16:52:26 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2017/09/25-wot-sec-minutes.html
also as text below.
Thanks a lot for taking these minutes, Michael Koster!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT IG - Security
25 Sep 2017
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
See also: [3]IRC log
[3] http://www.w3.org/2017/09/25-wot-sec-irc
Attendees
Present
Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
Uday_Davuluru, Zoltan_Kis, Michael_Koster,
Tomoaki_Mizushima, Soumya_Kanti_Datta
Regrets
Chair
McCool
Scribe
mjkoster
Contents
* [4]Topics
1. [5]WoT Security and Privacy Considerations - document status and issue review
2. [6]workshop proposal for NDSS
* [7]Summary of Action Items
* [8]Summary of Resolutions
__________________________________________________________
<kaz> scribenick: mjkoster
WoT Security and Privacy Considerations - document status and issue review
mccool: document progress update
... outstanding PR
... created an action for mccool
... review the changes in the PR
<kaz> [9]Issues
[9] https://github.com/w3c/wot-security/issues
* [10]Issue on "Current practices alignment"
[10] https://github.com/w3c/wot-security/issues/13
* [11]Issue on "Table formatting and definition highlighting"
[11] https://github.com/w3c/wot-security/issues/16
* [12]Issue on "Abstract"
[12] https://github.com/w3c/wot-security/issues/17
* [13]Issue on "Existing best practices"
[13] https://github.com/w3c/wot-security/issues/18
<kaz> [14]Pull Requests
[14] https://github.com/w3c/wot-security/pulls
mccool: (elena's branch)
elena: recommended practices section
... example security configuration section
mccool: need to add content for specific security practices,
e.g. scripting API
<kaz> [15]Elena's updates
[15] https://rawgit.com/ereshetova/wot-security/working/index.html
<kaz> [16]McCool's Working branch
[16] https://rawgit.com/w3c/wot-security/working/index.html
<kaz> mccool: would propose we merge Elena's changes to the
above Working branch
mccool: merging elena's PR into the working branch now (no
objections)
<kaz> [17]PR 12 has been merged
[17] https://github.com/w3c/wot-security/pull/12
<kaz> [18]https://rawgit.com/w3c/wot-security/working/index.html
is updated now
[18] https://rawgit.com/w3c/wot-security/working/index.html
elena: will work on examples (section 5) next
mccool: created issue for tracking additions to the examples
section
[19]Issue on "Examples of security configurations"
[19] https://github.com/w3c/wot-security/issues/19
mccool: need to add vocabulary definitions
... created issue to track additions to the scenarios section
"business/corporate"
[20]Issue on "Business/corporate scenarios"
[20] https://github.com/w3c/wot-security/issues/20
mccool: added issue to track additions to
"industrial/commercial" scenarios
[21]Issue on "Industrial/critical scenarios"
[21] https://github.com/w3c/wot-security/issues/21
mccool: added issue to track scripting API additions
[22]Issue on "Scripting API"
[22] https://github.com/w3c/wot-security/issues/22
mccool: issue to track "validation"
[23]Issue on "Security validation"
[23] https://github.com/w3c/wot-security/issues/23
mccool: discuss whether security provisioning is in scope
[24]Issue on "Provisioning"
[24] https://github.com/w3c/wot-security/issues/15
elena: we need to make a defined set of assumptions about what
is done
... but can't specify how it's done
mccool: OK
... please add comments to the issue
... review the discussion on exposed vs. discoverable things
... are they separate?
[25]Issue on "Discovery/Expose"
[25] https://github.com/w3c/wot-security/issues/14
<kaz> [26]discussion during the Scripting call (Member-only)
[26] https://www.w3.org/2017/09/25-wot-minutes.html
elena: what is the specific difference?
mccool: different kinds of discovery?
mjkoster: expose means interaction is available, discoverable
means TD is available
elena: when would a thing be exposed but not discoverable?
mccool: enumerates types of discovery
... 4 ways to find a thing
... may already have a TD or know how to make a URL to get the
TD
... or maybe there is a scan function
mjkoster: consider the difference in security model between TD
and the Interactions
elena: how can we define the exact difference between TD and
interaction?
mccool: there are different calls in the scripting API
elena: how does the system get into a state where the
interactions are exposed but not discoverable?
mccool: things can't be discoverable but not exposed
mjkoster: it's about different layers of security for exposure
vs. discoverability
elena: OK, that is allowed for in the model
... if the proper access control is provided e.g. on actions,
then what else do we need to do?
mccool: OK, please continue the discussion in comments and
issues
... we need to align the current practices with security
mechanisms for the plugfest
... suggest we look at protocol binding priorities
elena: we should build the scenarios and examples based on
concrete protocols
mccool: the statement about wot security includes statements
about target protocols
... if we can cover security through a good comprehensive set
of bindings
... created an issue for tracking
workshop proposal for NDSS
mccool: good response so far
... most accepted
... update on IEEE S&P progress
... AOB?
elena: on holiday next week
... will queue up some material on PR and issues
mccool: would zkis start discussion on the scripting section?
zkis: OK
mccool: adjourn
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [27]scribe.perl version
1.152 ([28]CVS log)
$Date: 2017/09/26 04:04:07 $
[27] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[28] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 2 October 2017 07:53:34 UTC