- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 22 May 2018 08:09:57 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2018/04/30-wot-sec-minutes.html
also as text below.
Thanks a lot for taking these minutes, Michael Koster!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT Security
30 Apr 2018
Attendees
Present
Kaz_Ashimura, Elena_Reshetova, Michael_Koster,
Michael_McCool, Zoltan_Kis, Kazuaki_Nimura, Barry_Leiba,
Tomoaki_Mizushima
Regrets
Chair
McCool
Scribe
mjkoster
Contents
* [2]Topics
1. [3]Prev minutes
2. [4]Life cycle transition
3. [5]Review PRs
o [6]PR #90
o [7]PR #91
o [8]PR #92
4. [9]Issue #78
5. [10]Actions from today's call
* [11]Summary of Action Items
* [12]Summary of Resolutions
__________________________________________________________
<kaz> scribenick: mjkoster
Prev minutes
<kaz> [13]prev minutes
[13] https://www.w3.org/2018/04/23-wot-sec-minutes.html
<kaz> (several typos: s/tak/talk/; s/pare/pair/;)
<kaz> leftover actions:
<kaz> ACTION: [ONGOING] elena to work on issue 68 (Thing
Provider Data Specification) and issue 69 (Passive Observers
Risk)
<kaz> ACTION: [ONGOING] mccool to work on issue 70 (Require Not
Exposing Immutable Hardware Identifiers?)
<kaz> ACTION: [ONGOING] elena/koster to work on terminology
<kaz> ACTION: [ONGOING] mccool to talk with security guys about
testing/validation timeline
McCool: accept the minutes
<kaz> (other than the typos and the leftover actions)
McCool: any objections?
<kaz> (none)
Life cycle transition
Zoltan: we need a mechanism by which the consumed thing
application gets notified when the exposed thing is destroyed
McCool: can a management thing have an event?
Zoltan: it needs to tell which object is signalled
... simpler to have the object signal itself
McCool: so, a set of standard events
Zoltan: how does OCF work?
... can observe the /oic/res
McCool: standard APIs for components in the architecture
... network API for runtime using a management thing
Zoltan: how does the script get the signal?
McCool: change of state signal would also cover the unexpected
loss of a thing
... not sure what the security implications would be
(discussion on TD life cycle management interface)
McCool: seems incomplete without a TD state change mechanism
exposed
Zoltan: we can implement this with TD monitoring
... will create an issue
Review PRs
McCool: PR 90, 91, and 92
* PR #90
Elena: start with PR #90
... 3 issues addressed in this PR
... clarification on what is meant by System User Data
... clarified what is meant by System Provider Data
<kaz> [14]PR 90
[14] https://github.com/w3c/wot-security/pull/90
<kaz> [15]changed files
[15] https://github.com/w3c/wot-security/pull/90/files
Elena: clarified the attack model and including Thing Directory
... question: is Thing Directory out of scope?
McCool: Thing Directory could be addressed in the security
recommendations
Elena: it is difficult to define the threat model to the same
detail not knowing the protocol
... maybe we can make some general recommendations
McCool: we could explain this in the document
Elena: yes, we can clarify the scope
McCool: can we create an issue to address Thing Directory
security?
Elena: we need to add gateway security as out of scope also
since we don't cover end to end security
McCool: in a similar way we could make general recommendations
... we can cite external references like IIC
... capture this in the PR comments
... PR #90
* PR #91
McCool: next PR #91 on Security Metadata
<kaz> [16]pr 91
[16] https://github.com/w3c/wot-security/pull/91
McCool: starting with a simple example
... leading to more complex examples
<kaz> [17]Security Metadata proposal
[17] https://github.com/mmccool/wot-security/blob/3589a1e0e2c6c75aa004c83e9e0e8509bf16c0da/wot-security-metadata.md
McCool: ready to merge PR 91
* PR #92
<kaz> [18]PR 92
[18] https://github.com/w3c/wot-security/pull/92
McCool: Tunnel Configuration
<kaz> [19]changes
[19] https://github.com/w3c/wot-security/pull/92/files
McCool: changes to break up long text lines
... not ready to merge; adding a section on shadows
mjk: what about using the term "caching proxy"
Issue #78
<kaz> [20]issue 78
[20] https://github.com/w3c/wot-security/issues/78
McCool: management API that uses cookies for a use case
... out of time now, any other business?
Actions from today's call
McCool: tunneling+shadow
... elena's PR
<kaz> ACTION: mccool to work on tunneling/shadow for the
security metadata proposal
McCool: zoltan create scripting issue for TD life cycle in
scripting API
... review examples in the security spec (mjk, elena)
<kaz> ACTION: mccool to work on PR 90
<kaz> ACTION: zkis to create scripting issue for TD life cycle
in scripting api
McCool: adjourn
<kaz> ACTION: mjkoster/elena to review examples in the security
spec
Summary of Action Items
[ONGOING] ACTION: elena to work on issue 68 (Thing Provider
Data Specification) and issue 69 (Passive Observers Risk)
[ONGOING] ACTION: elena/koster to work on terminology
[ONGOING] ACTION: mccool to work on issue 70 (Require Not
Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mccool to talk with security guys about
testing/validation timeline
[NEW] ACTION: mccool to work on tunneling/shadow for the
security metadata proposal
[NEW] ACTION: mccool to work on PR 90
[NEW] ACTION: zkis to create scripting issue for TD life cycle
in scripting api
[NEW] ACTION: mjkoster/elena to review examples in the security
spec
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [21]scribe.perl version
1.152 ([22]CVS log)
$Date: 2018/04/30 14:25:34 $
[21] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[22] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 21 May 2018 23:11:06 UTC