- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 10 Oct 2018 16:12:27 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2018/09/10-wot-sec-minutes.html
also as text below.
Thanks a lot for taking these minutes, Ryo!
Kazuyuki
---
- DRAFT -
WoT Security
10 Sep 2018
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
Attendees
Present
Kaz_Ashimura, Michael_McCool, Kazuaki_Nimura,
Ryo_Kajiwara, Tomoaki_Mizushima
Regrets
Chair
McCool
Scribe
ryo-k
Contents
* [3]Topics
1. [4]Agenda
2. [5]Next call
3. [6]Review of last minutes
4. [7]Security and Privacy Considerations
5. [8]PR 207
6. [9]Online plugfest
7. [10]Best Practice document review
* [11]Summary of Action Items
* [12]Summary of Resolutions
__________________________________________________________
Agenda
[13]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
[13] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions
<kaz> scribenick: ryo-k
Next call
Online plugfest next week; do we move the security conference?
Kaz: it's actually in 2 weeks
McCool: security call will be held as normal
Review of last minutes
<kaz> [Kaz to add the link from the prev minutes to the action
wiki]
no changes to last week's minutes
<kaz> [14]https://www.w3.org/2018/09/03-wot-sec-minutes.html
Security and Privacy Considerations
McCool: adding kaz to the editor list
-> talk later when there are more people in the call
<McCool>
[15]https://rawgit.com/w3c/wot-security/master/index.html
<kaz> latest draft above
RESOLUTION: No objection, so we will publish the current
version in GitHub if the main call agrees
PR 207
reviewing
[16]https://github.com/w3c/wot-thing-description/pull/207
McCool: not decided on what to do with mlagally's feedback,
have to update PR
6.2 User Consent -> should be a SHOULD statement
Online plugfest
Nimura: how to handle TD's security in plugfest?
McCool: in the unmerged TD security best practice: TDs should
be only accessible to authorized users
(please correct me if I got anything wrong; wasn't able to hear
well)
McCool: (showing wot-proxy implementation)
... wrap Siemens's thing directory (that has no authentication)
with wot-proxy and give them authentication
<kaz> [17]TD draft for PR207
[17] https://rawgit.com/w3c/wot-thing-description/0aa72308cdb8e0743a503ebdd98ddeff78d77995/index.html
McCool: security metadata happens outside of scripting API
right now
... but we don't want scripting API to modify security metadata
<kaz> [18]preparation-intel.md
[18] https://github.com/w3c/wot/blob/master/plugfest/2018-sept-online/preparation-intel.md
McCool: will implement more schemes into wot proxy
Nimura: we can test "no security scheme" as it's part of the
standard
McCool: security scheme is now mandatory; if there is no
security then at the minimum include "scheme" : "nosec"
(the coaps security scheme in the example should be "psk" not
"apikey")
McCool: need a TD rewriter that replaces nosec with basic auth
etc
... secure delivery of TD itself is a different issue
Nimura: how to access TD securely?
McCool: it boils down to secure transport + secure
authentication
... consuming a TD securely with node-wot does not work right
now
Best Practice document review
<kaz> [19]WoT Security Best Practices
[19] https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md
McCool: the authentication server checks access rights based on
role; the 'thing' does not know about the role
topics for next week
Ryo: if there are any updates on Privacy and User Consent
workshop I will send it to the public mailing list
<kaz> [adjourned]
Summary of Action Items
See [20]the Action wiki.
[20] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions
Summary of Resolutions
1. [21]No objection, so we will publish the current version in
GitHub if the main call agrees
[End of minutes]
Received on Wednesday, 10 October 2018 07:13:34 UTC