- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 14 Aug 2018 21:53:48 +0900
- To: public-wot-wg@w3.org, Public Web of Things IG <public-wot-ig@w3.org>
available at: https://www.w3.org/2018/08/06-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

06 Aug 2018

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova, Ryo_Kajiwara,
          Tomoaki_Mizushima, Kazuaki_Nimura, Michael_Koster, Barry_Leiba

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [3]Topics
         1. [4]Permissions workshop
         2. [5]Agenda
         3. [6]Review minutes from the last meeting
         4. [7]TD Update Review
         5. [8]Testing (Fuzz testing, DTLS)
         6. [9]Permissions workshop (revisited)
         7. [10]Best practices
         8. [11]Issues/PRs
         9. [12]Actions
     * [13]Summary of Action Items
     * [14]Summary of Resolutions
     __________________________________________________________

Permissions workshop

   McCool: any updates?

   Ryo: not submitted to GH but can explain my ideas

   Elena: background, etc., about the workshop?

   [15]Permissions WS CfP

     [15] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

   McCool: CfP above
   ... (creating a README.md for our position paper on McCool's GH repo)

Agenda

   McCool: previous minutes review
   ... permissions workshop
   ... TD update review
   ... planning, issues/PRs
   ... any comments on the agenda?

   Elena: new PR for the security scenario

   McCool: ok
   ... captured within the PR review

Review minutes from the last meeting

   [16]prev minutes

     [16] https://www.w3.org/2018/07/30-wot-sec-minutes.html

   McCool: skipped the f2f review
   ... (goes through the prev minutes)

   <inserted> (Barry joins)

   McCool: if any updates on DTLS, we can discuss that today
   ... (add that to the agenda for today)
   ... did these things...
   ... (goes through TD updates, actions, other issues, ...)
   ... there are a bunch of actions here
   ... 1st ACTION: ongoing
   ... 2, 3, 4: we'll talk about these
   ... 5: need to do
   ... 6: no updates from Barry yet
   ... 8: not yet done
   ... comments?
   ... objections to accept the minutes?

   (no objections)

   McCool: ok. the minutes are accepted
   ... (goes through the updated agenda for today)

     * W3C Permissions Workshop
     * TD Update Review
     * Testing (Fuzz testing, DTLS)
     * Best practices (brainstorming)
     * Planning: next steps
     * Other issues and PRs
     * Other business

TD Update Review

   [17]TD draft

     [17] https://w3c.github.io/wot-thing-description/

   [18]6.1.7 security

     [18] https://w3c.github.io/wot-thing-description/#security-serialization-json

   McCool: security mandated
   ... (goes through the examples)
   ... example 15, 16, 17
   ... fixed a bunch of things about security examples

   [19]pr 183

     [19] https://github.com/w3c/wot-thing-description/pull/183

   McCool: the bottom line is fixing all the examples
   ... PSKSecurityScheme, etc., to be fixed as well
   ... NoneSecurityScheme is bizarre

Testing (Fuzz testing, DTLS)

   McCool: (shows Elena's email)
   ... WoT Security testing

   Elena: security testing to be moved to the validation part?

   McCool: is the testing plan a separate document?
   ... the Charter says we produce a testing plan
   ... one big document including all the testing stuff
   ... all in one place

   Kaz: what kind of content for that?

   <inserted> policy? W3C WGs usually generate a test planning document and a test report for each spec, one by one

   Kaz: testing plan? policy?

   McCool: scripting api and TD
   ... logically one WG
   ... we could split up various pieces into various documents
   ... network interface testing

   Kaz: if that is a document on the testing infrastructure, that could be a single separate document

   McCool: we can have some discussion during the main call
   ... we can start with one document and split it up later

   Elena: mentions some idea on fuzz testing

   McCool: cites her message
   ... test suites available for example for HTTP
   ... probably CoAP needs more work

   Elena: Scapy is recommended for HTTP, MQTT and CoAP
   ... I've not tried this yet

   [20]Scapy site

     [20] https://scapy.net/

   Elena: generates random input
   ... can try to study it

   McCool: it seems there is CoAP support as well
   ... do you want to create a PR for the testing document?

   Elena: ok

Permissions workshop (revisited)

   [21]CfP

     [21] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

   McCool: only Kajiwara-san can make the workshop
   ... do you have any specific input?

   <ryo-k> [22]https://github.com/mmccool/w3c-permissions-2018/blob/master/0806-kajiwara-original-plans.txt

     [22] https://github.com/mmccool/w3c-permissions-2018/blob/master/0806-kajiwara-original-plans.txt

   Ryo: my proposal above
   ... medical prescription system
   ... access permission based on user consent
   ... my original intention was a standardized way to manage that on a large-scale basis

   McCool: giving people access?

   Ryo: access control based on user consent is important because some people don't want to let their data be accessed

   McCool: what would be the story?
   ... OCF is looking at medical use cases as well

   Ryo: some kind of vital data can be accessed
   ... heartbeat rate, etc.

   McCool: features of interest have been discussed
   ... measurement we can share
   ... share with the doctor
   ... but not family, etc.
   ... maybe you could use an example of a medical device annotated using "feature of interest"

   Ryo: ok

   Koster: feature of interest can specify special things like medical data
   ... location and body part
   ... interesting design question

   McCool: user decides whether the data is accessible or not
   ... but how to describe that?

   Koster: makes perfect sense actually

   McCool: category of information?

   Ryo: something like "I don't share the information with somebody."
   ... information about "who to what"
   ... interesting discussion during the workshop

   McCool: (adds comment)
   ... wondering about the deadline

   [23]https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

     [23] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

   Kaz: August 17

   Barry: it's extended till August 17

   McCool: we can generate a one-pager
   ... Kajiwara-san, let's have a discussion

   Ryo: would like to hear the background expectation from you as well

   McCool: (adds some edits)
   ... use WoT as an example of "consent as access control"

   Ryo: will give input to the GH repo

   <McCool> [24]https://github.com/mmccool/w3c-permissions-2018

     [24] https://github.com/mmccool/w3c-permissions-2018

   McCool: (will make the repo public)

Best practices

   McCool: we've been discussing a separate document on best practices

   [25]Security draft - 5. Recommended Security Practices

     [25] https://w3c.github.io/wot-security/#recommended-security-practices

   McCool: we could make this version more generic
   ... and create a separate document for more specific content
   ... how to make it testable
   ... for the moment, we can put specific content in this section, though
   ... but a bit concerned about putting too much specific content in this Note itself

   Kaz: maybe we can put all the content here first
   ... and if the structure gets too complicated, we can move some of the detail into the appendix
   ... and split that appendix into a separate document later

   McCool: that's fine
   ... note that we need a testable document and need to limit our scope for testing
   ... let's just put things into the subsections of section 5
   ... and we should think about tests on fuzzing, etc.
   ... testing the subsections of the best practices section as well
   ... for now, let's stick to that approach

   <McCool> [26]https://github.com/w3c/wot-security/pull/108

     [26] https://github.com/w3c/wot-security/pull/108

Issues/PRs

   [27]changes

     [27] https://github.com/w3c/wot-security/pull/108/files

   McCool: we should talk about industrial security scenarios

   Elena: please take a look at the changes

   McCool: ok
   ... let's discuss it next time

Actions

   McCool: Barry, you can send me your proposal on DTLS

   Barry: ok. btw, can I get Elena's proposal about security testing?

   McCool: Elena, can you send the proposal to the whole group?

   Elena: ok

   [adjourned]

Summary of Action Items

   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C Web Security IG about testing/validation timeline (first item tbd; second item done)
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the security spec
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570) for issue 98
   [ONGOING] ACTION: mcCool to write PR on TD spec for security definition
   [ONGOING] ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT
   [ONGOING] ACTION: everyone to generate set of best practices for draft by next week
   [ONGOING] ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week

Summary of Resolutions

   [End of minutes]
     __________________________________________________________

    Minutes formatted by David Booth's [28]scribe.perl version 1.152 ([29]CVS log)
    $Date: 2018/08/14 12:49:13 $

     [28] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [29] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 14 August 2018 12:55:03 UTC