- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 20 Aug 2018 22:24:04 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2018/08/13-wot-sec-minutes.html
also as text below.
Thanks a lot for taking these minutes, Michael Koster!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT Security
13 Aug 2018
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
Attendees
Present
Kaz_Ashimura, Michael_McCool, Ryo_Kajiwara,
Michael_Koster, Elena_Reshetova
Regrets
Chair
McCool
Scribe
mjkoster
Contents
* [3]Topics
1. [4]Agenda review
2. [5]Review minutes from the last meeting
3. [6]Permissions workshop
4. [7]PR on Security scenarios
* [8]Summary of Action Items
* [9]Summary of Resolutions
__________________________________________________________
<kaz> scribenick: mjkoster
Agenda review
(McCool goes through the [10]draft agenda for today)
[10] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
Review minutes from the last meeting
<kaz> [11]minutes from last meeting
[11] https://www.w3.org/2018/08/06-wot-sec-minutes.html
McCool: last-minute change of the term "none" to "nosec"
... any corrections to the minutes?
... minutes accepted
... please carry the action items to the next agenda
Permissions workshop
<McCool> [12]https://github.com/mmccool/w3c-permissions-2018
[12] https://github.com/mmccool/w3c-permissions-2018
Ryo: focus on user permission of access control and how users
decide which data to share
McCool: should mention how this aligns with the WoT approach of
access metadata
... could edit online
<McCool> [13]https://github.com/mmccool/w3c-permissions-2018/blob/sec-edit/README.md
[13] https://github.com/mmccool/w3c-permissions-2018/blob/sec-edit/README.md
PR on Security scenarios
McCool: looks ready to merge
<inserted> [14]PR 108
[14] https://github.com/w3c/wot-security/pull/108
Elena: PR #108
... review and walk-through the PR
... this is a basic description of scenarios; does anyone have
feedback or comments?
McCool: building tenants and employees may come and go,
requiring management of access rights to users
... when a tenant leaves there is a privacy issue where data
must not be retained
... for example, there may need to be temporary access granted
to an employee for the thermostat in a room while the employee
is in the room
... ideally there should be some access control that doesn't
require use of the device
Elena: threat model characterization
McCool: should emphasize that this is an office environment
Elena: it includes company information as a protected asset
McCool: also access to the premises
Elena: scenario 3 is industrial, focus on safety and
availability, privacy is less important
... another assumption is access would be protected by
partitioning networks
McCool: for example access from the IT network to the OT
network to collect statistics
... but need to make it difficult to access the OT network by
compromising the IT network
... also has the requirement to manage employee access in a
dynamic way
... e.g. when employees transition in and out of the company
... does anyone else have comments? would anyone else be
willing to review?
... which issues can we close?
Elena: 20 and 21
<kaz> [15]issue 20
[15] https://github.com/w3c/wot-security/issues/20
<kaz> [16]issue 21
[16] https://github.com/w3c/wot-security/issues/21
McCool: review other issues
<kaz> [17]issue 44
[17] https://github.com/w3c/wot-security/issues/44
<kaz> [18]issue 48
[18] https://github.com/w3c/wot-security/issues/48
<kaz> [19]issue 106
[19] https://github.com/w3c/wot-security/issues/106
scribenick: kaz
McCool: this is out of the scope for standardization?
Koster: right
McCool: updates the issue and closes it
<inserted> [20]issue 70
[20] https://github.com/w3c/wot-security/issues/70
Elena: what is the hardware identifier discussed in issue 70?
McCool: there should be a short paragraph about immutability
... need to create a PR to use appropriate terminology
scribenick: mjkoster
<kaz> [21]TD draft - 5.2.1 Thing
[21] https://w3c.github.io/wot-thing-description/#thing
McCool: this has to do with the identifier of the TD
... create a PR to clarify the immutability of the "id"
property in Thing Description
<kaz> ACTION: mccool to create a PR to clarify the immutability
of the "id" property in Thing Description
McCool: mccool to edit the W3C permissions document
<kaz> ACTION: mccool to edit the W3C permissions document
McCool: creating a PR for CoAP DTLS scheme
... any input on what is needed
<scribe> ACTION: mccool to create 2 additional schemes for CoAP
DTLS
McCool: also need to discuss MQTT security scheme
[adjourn]
Summary of Action Items
[ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
Web Security IG about testing/validation timeline (first item
tbd; second item done)
[ONGOING] ACTION: mccool to work on issue 70 (Require Not
Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mjkoster/elena to review examples in the
security spec
[ONGOING] ACTION: mccool to look into URI templates (RFC6570)
for issue 98
[ONGOING] ACTION: mccool to write PR on TD spec for security
definition
[ONGOING] ACTION: Barry to suggest DTLS testing plan applicable
for CoAP/MQTT
[ONGOING] ACTION: everyone to generate set of best practices
for draft by next week
[ONGOING] ACTION: McCool to clean up Security and Privacy
Considerations documents for final update to master by next
week
[NEW] ACTION: create a PR to clarify the immutability of the
"id" property in Thing Description
[NEW] ACTION: mccool to create 2 additional schemes for CoAP
DTLS
[NEW] ACTION: mccool to edit the W3C permissions document
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [22]scribe.perl version
1.152 ([23]CVS log)
$Date: 2018/08/14 12:45:43 $
[22] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[23] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 20 August 2018 13:25:11 UTC