- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 7 Aug 2018 10:14:28 +0900
- To: public-wot-wg@w3.org, Public Web of Things IG <public-wot-ig@w3.org>
available at:
  https://www.w3.org/2018/07/30-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
   [1]W3C
      [1] http://www.w3.org/
                               - DRAFT -
                              WoT Security
30 Jul 2018
Attendees
   Present
          Kaz_Ashimura, Michael_McCool, Tomoaki_Mizushima,
          Kazuaki_Nimura, Barry_Leiba
   Regrets
          Elena
   Chair
          McCool
   Scribe
          kaz
Contents
     * [2]Topics
         1. [3]Review of minutes from last meeting
         2. [4]PR 107
         3. [5]Testing
         4. [6]TD updates
         5. [7]Actions
         6. [8]Other issues
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________
   [11]prev minutes
     [11] https://www.w3.org/2018/07/23-wot-sec-minutes.html
Review of minutes from last meeting
   [12]prev minutes
     [12] https://www.w3.org/2018/07/23-wot-sec-minutes.html
   McCool: need to skip plugfest/f2f review again
   ... went over proposals
   ... (updates the agenda with "Testing plan")
   ... first action is done
   ... 2nd action, did the 2nd half
   ... waiting for answer
   ... carry forward with the 4 last actions
   ... and new action: "McCool to write PR on TD spec for security
   definition"
   ... any objections to accept the prev minutes?
   (none)
   McCool: ok. so the minutes have been accepted
   (Barry joins)
   McCool: (goes through the agenda for today)
   ... anything else?
   (none)
PR 107
   [13]PR 107
     [13] https://github.com/w3c/wot-security/pull/107
   McCool: happy with it
   ... a few minor fixes
   ... go ahead with the next step
   ... nothing major
   ... go ahead and accept that
   ... any objection to merge this?
   (none)
   McCool: ok. will merge it :)
   ... get action to clean it up
   ... one more chance to discuss before merging with the main
   branch
Testing
   McCool: follow through the action from f2f
   ... drafted a document here
   [14]Testing Plan
     [14] https://github.com/w3c/wot/blob/master/testing/plan.md
   McCool: one thing would ask people to do
   ... go through the section on security testing
   ... limited scope (=list of "NOT do"s)
   ... lifecycle limitation for point 2
   ... protocols for point 3
   ... security best practices for point 4
   ... should have a separate document for security best practices
   ... but later
   ... MQTT - TODO: details: DTLS testing etc.
   ... for HTTP, I have SSL testing, etc.
   Barry: we might do...
   ... to use HTTPS, CoAPS, MQTTS
   ... obvious to use secure version of protocols
   McCool: ok
   ... need to have how to secure MQTT
   Barry: need to see core working group document
   McCool: create a PR for one paragraph?
   Barry: can work on a shot
   McCool: if you can send by email, I can make a PR
   ... CoAP-based protocol
   ... e.g., DTLS testing
   ... regarding HTTP, described web services here
   ... one of issues
   ... particular commercial service or tool?
   ... or standard
   ... may have political issues
   ... might have some example
   ... free/opensource one
   ... link to OWASP Testing Project
   [15]OWASP
     [15] https://www.owasp.org/index.php/OWASP_Testing_Project
   McCool: and penetration testing
   ... these 2 things should be enough
   ... please review this section and give comments
   ... Metasploit is a framework
   ... thought that was a free one
TD updates
   McCool: PSK and none schemes
   [16]https://rawgit.com/w3c/wot-thing-description/TD-JSON-LD-1.1/index.html#security
     [16] https://rawgit.com/w3c/wot-thing-description/TD-JSON-LD-1.1/index.html#security
   [17]https://github.com/w3c/wot-thing-description/pull/173
     [17] https://github.com/w3c/wot-thing-description/pull/173
   [18]https://github.com/w3c/wot-thing-description/pull/173/commits/8bfdde781b354df848e0aed0bf8d21e3facb07bd
     [18] https://github.com/w3c/wot-thing-description/pull/173/commits/8bfdde781b354df848e0aed0bf8d21e3facb07bd
   McCool: maybe the rendered version not correctly submitted
   yet...
   <McCool> [19]https://github.com/w3c/wot-thing-description/issues/165
     [19] https://github.com/w3c/wot-thing-description/issues/165
   McCool: created a TD issue above (165)
   ... Should "security" be mandatory
   ... can declare security "none" at the top level
   ... would like to respond to Ben and ask him for clarification
   ... having nothing vs "none" has slightly different meanings
   ... actual implementations can do something if nothing is
   specified
   ... but TD should have explicit information
   ... would discourage TDs from being incomplete
   ... personally think security should be mandatory
   ... we could recommend security is mandatory for
   machine-to-machine interaction
   ... would like to see people's opinions
   Barry: definitely should be mandatory
   McCool: others?
   Nimura: should be mandatory
   McCool: it is related to binding contract
   Mizushima: no questions
   McCool: (adds a comment to issue 165)
   ... discussed this in the security tf and the consensus was to
   make "security" mandatory
   ... also, we felt that the security spec in the TD should be
   "binding", e.g., it should be considered an error if the Thing
   goes off and does security a different way.
   ... resolution: yes, make it mandatory. also binding.
Actions
   McCool: we can remove the first action (from the prev minutes)
   ... need to ping IIC
   ... 3 other things got no progress yet
   ... new action
   <scribe> ACTION: Barry to suggest DTLS testing plan applicable
   for CoAP/MQTT
   <McCool> ACTION: McCool to clean up Security and Privacy
   Considerations documents for final update to master by next
   week
   McCool: also best practice document
   <McCool> ACTION: everyone to generate set of best practices for
   draft by next week
   McCool: no update on the long-term schedule
   ... will update people to find out
Other issues
   [20]issue 106
     [20] https://github.com/w3c/wot-security/issues/106
   McCool: leave it open
   [21]issue 105
     [21] https://github.com/w3c/wot-security/issues/105
   McCool: any opinions?
   ... originally raised by Lagally during f2f
   ... more than form for different mechanisms
   ... any prioritization?
   ... any objections to leave out priorities?
   Barry: makes sense
   (no objections)
   McCool: adds a comment to issue 105
   ... We discussed this in the Security TF and felt that
   priorities caused more problems than they would solve and we
   should leave them out.
   [22]issue 102
     [22] https://github.com/w3c/wot-security/issues/102
   McCool: adds a comment
   ... We ARE going to have a Best Practices document of some kind
   if only to limit the scope of testing. Initially this will just
   be a section of the Security and Privacy Considerations
   document although we should break it out into a separate
   document eventually.
   [adjourned]
Summary of Action Items
   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
   Web Security IG about testing/validation timeline (first item
   tbd; second item done)
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570)
   for issue 98
   [ONGOING] ACTION: mccool to write PR on TD spec for security
   definition
   [NEW] ACTION: Barry to suggest DTLS testing plan applicable for
   CoAP/MQTT
   [NEW] ACTION: everyone to generate set of best practices for
   draft by next week
   [NEW] ACTION: McCool to clean up Security and Privacy
   Considerations documents for final update to master by next
   week
Summary of Resolutions
   [End of minutes]
     __________________________________________________________
    Minutes formatted by David Booth's [23]scribe.perl version
    1.152 ([24]CVS log)
    $Date: 2018/08/07 01:04:09 $
     [23] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [24] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 7 August 2018 01:16:07 UTC