- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 14 Aug 2018 21:53:48 +0900
- To: public-wot-wg@w3.org, Public Web of Things IG <public-wot-ig@w3.org>
available at:
https://www.w3.org/2018/08/06-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT Security
06 Aug 2018
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
Attendees
Present
Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
Ryo_Kajiwara, Tomoaki_Mizushima, Kazuaki_Nimura,
Michael_Koster, Barry_Leiba
Regrets
Chair
McCool
Scribe
kaz
Contents
* [3]Topics
1. [4]Permissions workshop
2. [5]Agenda
3. [6]Review minutes from the last meeting
4. [7]TD Update Review
5. [8]Testing (Fuzz testing, DTLS)
6. [9]Permissions workshop (revisited)
7. [10]Best practices
8. [11]Issues/PRs
9. [12]Actions
* [13]Summary of Action Items
* [14]Summary of Resolutions
__________________________________________________________
Permissions workshop
McCool: any updates?
Ryo: not submitted to GH but can explain my ideas
Elena: background, etc., about the workshop?
[15]Permissions WS CfP
[15] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html
McCool: CfP above
... (creating a README.md for our position paper on McCool's GH
repo)
Agenda
McCool: previous minutes review
... permissions workshop
... TD update review
... planning, issues/PRs
... any comments on the agenda?
Elena: new PR for the security scenario
McCool: ok
... captured within the PR review
Review minutes from the last meeting
[16]prev minutes
[16] https://www.w3.org/2018/07/30-wot-sec-minutes.html
McCool: skipped the f2f review
... (goes through the prev minutes)
<inserted> (Barry joins)
McCool: if any updates on DTLS, we can discuss that today
... (add that to the agenda for today)
... did these things...
... (goes through TD updates, actions, other issues, ...)
... there are a bunch of actions here
... 1st ACTION: ongoing
... 2, 3, 4: we'll talk about these
... 5: need to do
... 6: no updates from Barry yet
... 8: not yet done
... comments?
... objections to accept the minutes?
(no objections)
McCool: ok. the minutes are accepted
... (goes through the updated agenda for today)
* W3C Permissions Workshop
* TD Update Review
* Testing (Fuzz testing, DTLS)
* Best practices (brainstorming)
* Planning: next steps
* Other issues and PRs
* Other business
TD Update Review
[17]TD draft
[17] https://w3c.github.io/wot-thing-description/
[18]6.1.7 security
[18] https://w3c.github.io/wot-thing-description/#security-serialization-json
McCool: security mandated
... (goes through the examples)
... example 15, 16, 17
... fixed a bunch of things about security examples
[19]pr 183
[19] https://github.com/w3c/wot-thing-description/pull/183
McCool: the bottom line is fixing all the examples
... PSKSecurityScheme, etc., to be fixed as well
... NoneSecurityScheme is bizarre
Testing (Fuzz testing, DTLS)
McCool: (shows Elena's email)
... WoT Security testing
Elena: security testing to be moved to validation part?
McCool: is testing plan a separate document?
... the Charter says we produce a testing plan
... one big document including all the testing stuff
... all in one place
Kaz: what kind of content for that?
<inserted> policy? W3C WGs usually generate a test planning
document and a test report for each spec, one by one
Kaz: testing plan? policy?
McCool: scripting api and TD
... logically one WG
... we could split up various pieces into various documents
... network interface testing
Kaz: if that is a document on the testing infrastructure, that
could be a single separate document
McCool: we can have some discussion during the main call
... we can start with one document and split it up later
Elena: mentions some idea on fuzz testing
McCool: cites her message
... test suites available for example for HTTP
... probably CoAP needs more work
Elena: Scapy is recommended for HTTP, MQTT and CoAP
... I've not tried this yet
[20]Scapy site
[20] https://scapy.net/
Elena: generates random input
... can try to study it
McCool: it seems there is CoAP support as well
... do you want to create a PR for the testing document?
Elena: ok
Permissions workshop (revisited)
[21]CfP
[21] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html
McCool: only Kajiwara-san can make the workshop
... do you have any specific input?
<ryo-k> [22]https://github.com/mmccool/w3c-permissions-2018/blob/master/0806-kajiwara-original-plans.txt
[22] https://github.com/mmccool/w3c-permissions-2018/blob/master/0806-kajiwara-original-plans.txt
Ryo: my proposal above
... medical prescription system
... access permission based on user consent
... my original intention was a standardized way to manage that
on a large-scale basis
McCool: giving people access?
Ryo: access control based on user consent is important because
some people don't want to let their data accessed
McCool: what would be the story?
... OCF is looking at medical use cases as well
Ryo: some kind of vital data can be accessed
... heartbeat rate, etc.
McCool: features of interest have been discussed
... measurement we can share
... share with the doctor
... but not family, etc.
... maybe you could use an example of medical device annotated
using "feature of interest"
Ryo: ok
Koster: feature of interest can specify special things like
medical data
... location and body part
... interesting design question
McCool: user decides whether the data is accessible or not
... but how to describe that?
Koster: makes perfect sense actually
McCool: category of information?
Ryo: something like "I don't share the information with
somebody."
... information about "who to what"
... interesting discussion during the workshop
McCool: (adds comment)
... wondering about the deadline
[23]https://www.w3.org/Privacy/permissions-ws-2018/cfp.html
[23] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html
Kaz: August 17
Barry: it's extended till August 17
McCool: we can generate a one-pager
... Kajiwara-san, let's have discussion
Ryo: would like to hear background expectation from you as well
McCool: (adds some edits)
... use WoT as an example of "consent as access control"
Ryo: will give input to the GH repo
<McCool> [24]https://github.com/mmccool/w3c-permissions-2018
[24] https://github.com/mmccool/w3c-permissions-2018
McCool: (will make the repo public)
Best practices
McCool: we've been discussing a separate document on best
practices
[25]Security draft - 5. Recommended Security Practices
[25] https://w3c.github.io/wot-security/#recommended-security-practices
McCool: we could make this version more generic
... and create a separate document for more specific content
... how to make it testable
... for the moment, we can put specific content to this
section, though
... but a bit concerned about putting too much specific content
into this Note itself
Kaz: maybe we can put all the content here first
... and if the structure gets too complicated, we can move some
of the detail into the appendix
... and split that appendix into a separate document later
McCool: that's fine
... note that we need a testable document and need to limit our
scope for testing
... let's just put things into the subsection of section 5
... and we should think about test on fuzzing, etc.
... testing the subsection of best practice section as well
... for now, let's stick to that approach
<McCool> [26]https://github.com/w3c/wot-security/pull/108
[26] https://github.com/w3c/wot-security/pull/108
Issues/PRs
[27]changes
[27] https://github.com/w3c/wot-security/pull/108/files
McCool: we should talk about industrial security scenarios
Elena: please take a look at the changes
McCool: ok
... let's discuss it next time
Actions
McCool: Barry, you can send me your proposal on DTLS
Barry: ok. btw, can I get Elena's proposal about security
testing?
McCool: Elena, you can send the proposal to the whole group?
Elena: ok
[adjourned]
Summary of Action Items
[ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
Web Security IG about testing/validation timeline (first item
tbd; second item done)
[ONGOING] ACTION: mccool to work on issue 70 (Require Not
Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mjkoster/elena to review examples in the
security spec
[ONGOING] ACTION: mccool to look into URI templates (RFC6570)
for issue 98
[ONGOING] ACTION: McCool to write PR on TD spec for security
definition
[ONGOING] ACTION: Barry to suggest DTLS testing plan applicable
for CoAP/MQTT
[ONGOING] ACTION: everyone to generate set of best practices
for draft by next week
[ONGOING] ACTION: McCool to clean up Security and Privacy
Considerations documents for final update to master by next
week
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [28]scribe.perl version
1.152 ([29]CVS log)
$Date: 2018/08/14 12:49:13 $
[28] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[29] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 14 August 2018 12:55:03 UTC