- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 5 Sep 2017 00:28:03 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2017/09/04-wot-sec-minutes.html
also as text below.
Thanks a lot for taking these minutes, Uday!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT IG - Security
04 Sep 2017
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
See also: [3]IRC log
[3] http://www.w3.org/2017/09/04-wot-sec-irc
Attendees
Present
Kaz_Ashimura, Michael_McCool, Tomoaki_Mizushima,
Uday_Davuluru, Zoltan_Kis, Elena_Reshetova,
Michael_Koster
Regrets
Chair
McCool
Scribe
uday
Contents
* [4]Topics
1. [5]Issues and next steps
2. [6]NDSS workshop
* [7]Summary of Action Items
* [8]Summary of Resolutions
__________________________________________________________
<kaz> scribenick: uday
Issues and next steps
McCool: Discusses issues and next steps
... starting with the discussion on pull request 349
<kaz> [9]https://github.com/w3c/wot/pull/349 pull request 349
has just been merged
[9] https://github.com/w3c/wot/pull/349
Elena: TD privacy and TD local storage updated
... Security consideration section: goal is to use this to
adopt security scenario and build one's own security objects
McCool: might get a conflict issue
<kaz> Kaz: a quick question
<kaz> ... do you want to commit this by Wednesday (=finalizing
the whole group review)?
<kaz> Elena: this is not ready for commit and needs more
discussion
Kaz: can we include this in architecture doc
McCool: no time till the first public draft
... need security repo
Elena: can have a single big document or sub documents
McCool: lengthy document might overshadow topics
... threat model and security consideration can be put into one
doc
... privacy is missing in the doc, need to add this
Elena: started to add privacy related threats in threat model
itself
... explains privacy with examples
<kaz> McCool: would try a vote. anybody object to have a
separate document for "WoT Security and Privacy Consideration"?
McCool: does anyone object to a separate deliverable for WoT security
considerations
Elena: need to highlight important parts
McCool: agree
... need to separate implementation details
... we should create new doc under WoT repo and have a security
repo in parallel
Kaz: can create a separate repo if needed
<kaz> ... "wot-security"?
McCool: wot-security would be a good name
Kaz: need to use repo manager to publish
<kaz> Kaz: as part of the normative WG deliverables? if so we
need to use the repository manager as well
<kaz> McCool: should be an informative deliverable, e.g., a WG
Note
McCool: normative and informative parts of security
similar to WoT architecture repo
how do we publish security?
shall we make security as a separate doc instead of merging in
architecture doc
<kaz> because the description would become long
McCool: how do people handle this in other groups
Kaz: maybe with separate normative doc
McCool: don't want to embed all security stuff in architecture
doc
Kaz: makes sense to start with informative note and decide with
the chairs call
McCool: will also create hyperlink between docs
<McCool> McCool: we will aim for a separate security document,
"WoT Security and Privacy Considerations"
<McCool> we'll talk to the editors/chairs to confirm this
<McCool> the document will be informative, but published in
such a way (note) that we can hyperlink to sections from the
other documents
<McCool> ideally, we would have it in its own repo, parallel to
the wot-architecture
<McCool> proposed name: wot-security
McCool: security in architecture doc clean up
<kaz>
[10]https://w3c.github.io/wot-architecture/#security-considerations
[10] https://w3c.github.io/wot-architecture/#security-considerations
<zkis> [11]https://zolkis.github.io/wot-scripting-api/
[11] https://zolkis.github.io/wot-scripting-api/
ZK: already made a PR, can see on my github page
<kaz> [12]https://w3c.github.io/wot-scripting-api/#security
[12] https://w3c.github.io/wot-scripting-api/#security
<kaz> McCool: should read "The security section is under
development and will be completed later."
<kaz> ... on the other hand, there is a link to the threat
model in the TD draft
<kaz>
[13]https://w3c.github.io/wot-thing-description/#threat-model
[13] https://w3c.github.io/wot-thing-description/#threat-model
<kaz> Kaz: do we want to update the Architecture/Scripting API
as well with the detailed description?
<kaz> ... or ok to publish them as is?
<kaz> McCool: publishing them with the minimum description now
is ok
thanks for the filling kaz
<kaz> ... but would like to remove "More general discussion of
overall security of a Thing (for example, best practices for
WoT Interface design) can be found in the WoT Architecture
document. " from the "7. Security Consideration" section of the
TD draft
<kaz>
[14]https://w3c.github.io/wot-thing-description/#security-consideration
[14] https://w3c.github.io/wot-thing-description/#security-consideration
<kaz> McCool: and also for the architecture document
<kaz> ... the Editor's note at "8. Security Considerations"
<kaz> ... Security and privacy considerations are under
development
<kaz> ... and remove "For now, only the sub-section headings
are included to indicate the roadmap for the WoT Architecture
security considerations."
<kaz> rsagent, make log public
<kaz> [15]https://github.com/w3c/wot-architecture/issues
[15] https://github.com/w3c/wot-architecture/issues
<kaz> github issues for architecture above
<kaz> McCool: add "Please see work in progress at WoT Security
and Privacy."
<kaz> ... linking to:
[16]https://github.com/w3c/wot/tree/master/security-privacy
[16] https://github.com/w3c/wot/tree/master/security-privacy
<kaz> ... (creates a pull request on his own repo; and will
create a pull request on the main repo)
<kaz> ... next
<kaz> ... Elena, if you can take out an overview on W3C WoT
security and privacy
<kaz> ... copy the framework from the WoT Architecture document
McCool: next steps: ER to create new doc under WoT Security and
privacy and start general documentation
MM to make sure the draft is clean
<kaz> Elena: regrets for the next call (Sep. 11)
<kaz> McCool: if you can send a link to your repo, I can make a
pull request
NDSS workshop
<kaz> McCool: worked on the proposal
McCool: proposal submitted to NDSS
<kaz> McCool: deadlines:
<kaz> ... cfp 25 sep 2017
<kaz> ... now done and in the pipe
<kaz> ... focused on standards
<kaz> ... review of existing standards
<kaz> ... including but not limited to W3C standards
<kaz> ... will be held in February
<kaz> Elena: paper deadline too close?
<kaz> McCool: we should discuss that
<kaz> ... notice to authors: 15 Jan 2018
<kaz> ... not expecting a big paper, just 1-3 pages
<kaz> ... publication-ready papers: 1 Feb. 2018
<kaz> [ adjourned ]
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [17]scribe.perl version
1.152 ([18]CVS log)
$Date: 2017/09/04 15:26:27 $
[17] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[18] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 4 September 2017 15:29:16 UTC