- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 30 May 2018 10:27:56 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2018/05/21-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT Security
21 May 2018
Attendees
Present
Kaz_Ashimura, Elena_Reshetova, Michael_McCool,
Michael_Koster, Barry_Leiba, Tomoaki_Mizushima,
Zoltan_Kis, Kazuaki_Nimura
Regrets
Chair
McCool
Scribe
kaz
Contents
* [2]Topics
1. [3]Agenda
2. [4]Reviewing prev minutes
3. [5]Review PRs
4. [6]Plugfest
5. [7]Issue review
* [8]Summary of Action Items
* [9]Summary of Resolutions
__________________________________________________________
Agenda
McCool: testing vs plugfest?
... doodle for both
... maybe we can use the editor's call slot for this week?
... and doodle for the next week
... this week plugfest slot for testing discussion
... and next week for plugfest as well based on the doodle
results
[10]Agenda
[10] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
McCool: btw, any addition to the agenda?
... plugfest on Oct 20-21
... TPAC on Oct 22-26
[11]TPAC page
[11] https://www.w3.org/2018/10/TPAC/schedule.html
McCool: should be added to the WoT wiki as well
Elena: Lyon should be fine
Kaz: the f2f meeting will be held on Oct 25-26
Reviewing prev minutes
[12]Apr 30
[12] https://www.w3.org/2018/04/30-wot-sec-minutes.html
[13]May 7
[13] https://www.w3.org/2018/05/07-wot-sec-minutes.html
[14]May 14
[14] https://www.w3.org/2018/05/14-wot-sec-minutes.html
McCool: skimming the minutes
... ok with this
... any objections?
(none)
McCool: accept Apr 30 minutes
... next one, May 7
... a couple of PRs
... any comments/corrections?
(none)
McCool: accepted - May 7 minutes
... next May 14
... privacy considerations
... this week as well
... no actions captured
Kaz: can copy the remaining ones here
McCool: privacy section still pending
<scribe> ACTION: [ONGOING] elena to work on issue 68 (Thing
Provider Data Specification) and issue 69 (Passive Observers
Risk)
<scribe> ACTION: [ONGOING] elena/koster to work on terminology
<scribe> ACTION: [ONGOING] mccool to work on issue 70 (Require
Not Exposing Immutable Hardware Identifiers?)
<scribe> ACTION: [ONGOING] mccool to talk with security guys
about testing/validation timeline
<scribe> ACTION: [ONGOING] mccool to work on tunneling/shadow
for the security metadata proposal
<scribe> ACTION: [ONGOING] mccool to work on PR 90
<scribe> ACTION: [ONGOING] zkis to create scripting issue for
TD life cycle in scripting api
<scribe> ACTION: [ONGOING] mjkoster/elena to review examples in
the security spec
]]
Kaz: which action items are done?
McCool: ongoing last week and we can close then this week
... let's copy them asis and talk about the status today
Kaz: ok
McCool: except that, the minutes are accepted - May 14
Review PRs
[15]PRs
[15] https://github.com/w3c/wot-security/pulls
McCool: would close #92 first
[16]PR 92
[16] https://github.com/w3c/wot-security/pull/92
McCool: added a diagram
... and caching algorithm
Elena: cache combined with security
McCool: could address it
... question of how to interpret it
Elena: encryption
... good to mention both encryption and authentication
McCool: encryption, authentication and integrity of
confidentiality?
... (goes to his repo)
... referring to a new figure with caching proxy
... have to check if the link is ok
Elena: problem with another link too
McCool: (fixed the links)
Elena: need clarification to [[The cache can either be combined
with the security endpoint proxy or can be instantiated as a
separate service or "middleware layer".]]
McCool: (add explanation)
... will remove "middleware layer"
... (add comment about the changes)
... let's accept the PR now
... we can add fixes later
... next thing to do is...
... PR 94
[17]PR 94
[17] https://github.com/w3c/wot-security/pull/94
Elena: don't see mitigation yet
McCool: why don't we add some text for mitigation then?
... (create an issue)
... add mitigations to privacy section
... we can discuss mitigation separately
... to follow up on PR 94
... (as issue #99)
Elena: link to my repo?
[18]Elena's repo
[18] https://github.com/ereshetova/wot-security/blob/working/index.html
McCool: possibly a separate subsection for mitigation
... now any objections to accept PR 94?
(none)
McCool: will merge it then
... (add a note)
... privacy threats now listed
... next PR 95
... (shows "working" branch)
[19]working branch
[19] https://github.com/w3c/wot-security/blob/working/index.html
McCool: Elena, did you merge the change with the working
branch?
Elena: yes
[20]rawgit version
[20] https://rawgit.com/w3c/wot-security/working/index.html
McCool: any objections to merge PR 95?
(none)
McCool: will merge this
... (and merged PR #95)
... (and then check the master branch)
Plugfest
McCool: would more things to happen for the next plugfest
... some issues with security metadata
... and created GH issues for them
... security and privacy sections
... (add items to the Bundang f2f wiki)
[21]f2f wiki
[21] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_30_June-5_July_2018,_Bundang,_Korea#Plenary_and_Breakouts
McCool: Review security metadata
... security testing/validation plan
... plugfest security recap
... anything else we should add?
(none at the moment)
McCool: regarding plugfest...
... Michael, is it ok if I add something like this...
... goal, objection, etc.
Koster: this is high-level description
... so would make sense
McCool: (adds topics)
... testing
... security implementations and interop testing
Koster: application scenarios
... proxy configurations
McCool: (adds them)
... 5 items should suffice at the moment
... and then
... (goes back to "Plenary and Breakouts")
... (and add some points to "WoT Testing")
... let's go back to issue reviews
Issue review
[22]security issues
[22] https://github.com/w3c/wot-security/issues
McCool: issue 98 on form-based authentication schemes on digest
authentication
[23]https://github.com/w3c/wot-security/issues/96
[23] https://github.com/w3c/wot-security/issues/96
McCool: issue 98
[24]https://github.com/w3c/wot-security/issues/98
[24] https://github.com/w3c/wot-security/issues/98
McCool: issue 97 on TLS-SRP authentication scheme/
[25]https://github.com/w3c/wot-security/issues/97
[25] https://github.com/w3c/wot-security/issues/97
McCool: issue 93 on Thing end of life signaling
[26]https://github.com/w3c/wot-security/issues/93
[26] https://github.com/w3c/wot-security/issues/93
McCool: security implication change?
... broader issue on accessing security metadata in TD?
... (shows section 5.1.1 of wot security draft)
[27]5.1.1 Secure Delivery and Storage of Thing Description
[27] https://rawgit.com/w3c/wot-security/working/index.html#secure-delivery-and-storage-of-thing-description
McCool: (create an issue on "Discuss Security Implications of
TD Change and Deletion Notification" as Issue 100)
Koster: makes sense
McCool: (adds link to issue #114 of wot-scripting-api)
... this issue supersedes original issue 93
... (and add "superseded by issue 100" to issue 93)
... now we have more general issue
... another issue for today
... issue 83
... would close this
[28]https://github.com/w3c/wot-security/issues/83
[28] https://github.com/w3c/wot-security/issues/83
McCool: any comments?
(none)
McCool: (and closed issue 83)
... next issue 78
[29]https://github.com/w3c/wot-security/issues/78
[29] https://github.com/w3c/wot-security/issues/78
McCool: does WoT use cookies?
... think yes
... (add notes)
Koster: share them between clients?
McCool: could be a token or actual data
Koster: use them for session keys?
McCool: related to the issue #98
... would close issue 78
Koster: ok
McCool: please give comments to the other issues
[adjourned]
Summary of Action Items
[DONE] ACTION: elena to work on issue 68 (Thing Provider Data
Specification) and issue 69 (Passive Observers Risk)
[DONE] ACTION: elena/koster to work on terminology
[ONGOING] ACTION: mccool to talk with security guys about
testing/validation timeline
[ONGOING] ACTION: mccool to work on issue 70 (Require Not
Exposing Immutable Hardware Identifiers?)
[DONE] ACTION: mccool to work on tunneling/shadow for the
security metadata proposal
[DONE] ACTION: mccool to work on PR 90
[DONE] ACTION: zkis to create scripting issue for TD life cycle
in scripting api
[ONGOING] ACTION: mjkoster/elena to review examples in the
security spec
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [30]scribe.perl version
1.152 ([31]CVS log)
$Date: 2018/05/22 11:21:55 $
[30] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[31] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 30 May 2018 01:29:05 UTC