- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 27 Jun 2018 14:28:45 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2018/06/18-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
- DRAFT -
WoT Security
18 Jun 2018
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
Attendees
Present
Kaz_Ashimura, Michael_McCool, Michael_Koster,
Kazuaki_Nimura, Tomoaki_Mizushima, Barry_Leiba
Regrets
Zoltan, Elena
Chair
McCool
Scribe
kaz
Contents
* [3]Topics
1. [4]Agenda
2. [5]Previous minutes
3. [6]Elena's PR 103
4. [7]Issues
o [8]Issue 72
o [9]Issue 70
o [10]Issue 99
o [11]Issue 100
o [12]Issue 98
o [13]Issue 97
o [14]Issue 81
o [15]Issue 71
o [16]Issue 64
5. [17]F2F agenda
6. [18]AOB
* [19]Summary of Action Items
* [20]Summary of Resolutions
__________________________________________________________
Agenda
[21]previous minutes
[21] https://www.w3.org/2018/06/11-wot-sec-minutes.html
[22]Elena's PR 103
[22] https://github.com/w3c/wot-security/pull/103
Previous minutes
[23]previous minutes
[23] https://www.w3.org/2018/06/11-wot-sec-minutes.html
McCool: goes through the previous minutes
... "to data" should be "to date"
... wondering about the progress on url schema
<mjkoster> URI templates are defined in [24]RFC 6570
[24] https://tools.ietf.org/html/rfc6570
Koster: Matthias made some concrete proposal
... very clear about how it works
... variables would be expanded
... we're calling payload schema
McCool: ok
... minutes are OK with the small typo above
... any objections?
(none)
the minutes are accepted, but "to data" should be "to date"
Elena's PR 103
<McCool> [25]https://github.com/w3c/wot-security/pull/103
[25] https://github.com/w3c/wot-security/pull/103
[26]Changes
[26] https://github.com/w3c/wot-security/pull/103/files
McCool: goes through the changes
... bunch of statements on mitigation
... e.g., access to TD limited to some certain clients
... for privacy
... and privacy consideration referring to coo13
... typo to be fixed
... and big change here
... L2384 => L2399
... some typical things
... threat never changes or changes rarely
... fingerprinting
... persistent tracking
... and TD id changed periodically
... probably TD changes and notification happens
... it's OK as it is, though some more description might be
better
... would accept this PR itself and polish it later
Koster: there is another submission
... look fine to me
McCool: don't think it's perfect but ok to accept
... and clean up and polish the text later
... OK to merge this?
(no objections)
McCool: merged PR 103
... ok
... now just one PR here
Issues
* Issue 72
[27]issue 72
[27] https://github.com/w3c/wot-security/issues/72
McCool: adds notes to the issue
... fingerprinting risks now discussed in text included in PR
103
... @jasonanovak, do these changes sufficiently address the
issue?
* Issue 70
[28]issue 70
[28] https://github.com/w3c/wot-security/issues/70
McCool: adds notes
... discussed in PR 103.
... currently for various reasons the WoT TD actually requires
unique id.
... however, it does not say they need to be "immutable" and
they can be updated
... adds "@jasonanovak" to the notes so that Jason would notice
the notes
* Issue 99
[29]issue 99
[29] https://github.com/w3c/wot-security/issues/99
McCool: closed
Barry: fine
* Issue 100
[30]issue 100
[30] https://github.com/w3c/wot-security/issues/100
McCool: adds notes
... actually, TD notifications are useful to mitigate privacy
issues...
* Issue 98
[31]issue 98
[31] https://github.com/w3c/wot-security/issues/98
McCool: have not responded much to Matthias yet
... example of logging
... get access by credential presented every time
... exchange scheme seems to be useful
... one issue
... requiring semantics
... one way is simply to have credential
... need to look into URI template
... on my todo list
* Issue 97
[32]issue 97
[32] https://github.com/w3c/wot-security/issues/97
* Issue 81
[33]issue 81
[33] https://github.com/w3c/wot-security/issues/81
* Issue 71
[34]issue 71
[34] https://github.com/w3c/wot-security/issues/71
McCool: guess this is still open
... would wait for Elena's update
* Issue 64
[35]issue 64
[35] https://github.com/w3c/wot-security/issues/64
McCool: adds comments
... Actually, a TD update/notification can be used to mitigate
certain forms of privacy risk
... for instance, the ID can be updated periodically and only
authorized subscribers notified
F2F agenda
McCool: is there anybody to chair the possible security
sessions during the upcoming f2f in Korea?
... shows the f2f agenda
[36]f2f wiki
[36] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_30_June-5_July_2018,_Bundang,_Korea#Plenary_and_Breakouts
McCool: quickly skims the agenda
... would add information on "session leaders" to the agenda
... there are 5 topics on security
... put McCool's name to some of the topics
... review security metadata and scripting (McCool)
... security testing and validation planning (McCool)
... plugfest security review (Elena/McCool)
... privacy threats and mitigations (Elena)
... security implementation recommendations (Elena)
... also some test topics
... specification validation tools (Ege and?)
... TD validation tools (Ege and ?)
... test suite for scripting API (?)
... online testing/demonstration systems (McCool)
AOB
Barry: regrets for the next week. See you in Korea!
[adjourned]
Summary of Action Items
[ONGOING] ACTION: mccool to write a short proposal on what
security tools to use for the next plugfest
[ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
Web Security IG about testing/validation timeline
[ONGOING] ACTION: mccool to work on issue 70 (Require Not
Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mjkoster/elena to review examples in the
security spec
[NEW] ACTION: mccool to look into URI templates (RFC6570) for
issue 98
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [37]scribe.perl version
1.152 ([38]CVS log)
$Date: 2018/06/27 05:15:37 $
[37] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[38] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 27 June 2018 05:29:54 UTC