
[wot-security] minutes - 15 April 2019

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Tue, 30 Apr 2019 02:34:36 +0900
Message-ID: <CAJ8iq9W3f0VkwPiyJ0wwj4TPKMKmG6feoGSqSmmkBXDdrjaBFQ@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2019/04/15-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

15 Apr 2019

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#April_15.2C_2019

Attendees

   Present
          Michael_McCool, Elena_Reshetova, Kaz_Ashimura,
          Tomoaki_Mizushima

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [3]Topics
         1. [4]Agenda
         2. [5]New Security Questionnaire
         3. [6]Review progress
         4. [7]Previous minutes review
         5. [8]Penetration test
         6. [9]Actions and Schedule
         7. [10]Issues and PRs
     * [11]Summary of Action Items
     * [12]Summary of Resolutions
     __________________________________________________________

   <scribe> scribenick: kaz

Agenda

   McCool: minutes review later

New Security Questionnaire

   [13]Security questionnaire

     [13] https://w3ctag.github.io/security-questionnaire/

   McCool: the security self-review questionnaire has been updated
   ... threat model, etc.
   ... not looked into the details. can discuss it next time

Review progress

   McCool: currently aiming for the CR transition on Friday this week
   ... will get back to reviewers inside Intel
   ... regarding non-normative sections, we have some more time
   ... would ask IIC for review as well
   ... more or less the TAG is reviewing security portions
   ... this updated security questionnaire looks more complete than
   the old one

Previous minutes review

   [14]https://www.w3.org/2019/01/14-wot-sec-minutes.html

     [14] https://www.w3.org/2019/01/14-wot-sec-minutes.html

   [15]https://www.w3.org/2019/02/11-wot-sec-minutes.html

     [15] https://www.w3.org/2019/02/11-wot-sec-minutes.html

   [16]https://www.w3.org/2019/02/18-wot-sec-minutes.html

     [16] https://www.w3.org/2019/02/18-wot-sec-minutes.html

   [17]https://www.w3.org/2019/02/25-wot-sec-minutes.html

     [17] https://www.w3.org/2019/02/25-wot-sec-minutes.html

   [18]https://www.w3.org/2019/03/04-wot-sec-minutes.html

     [18] https://www.w3.org/2019/03/04-wot-sec-minutes.html

   [19]https://www.w3.org/2019/03/18-wot-sec-minutes.html

     [19] https://www.w3.org/2019/03/18-wot-sec-minutes.html

   [20]https://www.w3.org/2019/03/25-wot-sec-minutes.html

     [20] https://www.w3.org/2019/03/25-wot-sec-minutes.html

   [21]https://www.w3.org/2019/04/01-wot-sec-minutes.html

     [21] https://www.w3.org/2019/04/01-wot-sec-minutes.html

   McCool: starting with Jan 14
   ... (going through the minutes)
   ... penetration security plan, etc.
   ... a typo there
   ... ah, privilege preferred but priviledge is ok

   Kaz: can fix it

   McCool: other than that, we accept the minutes
   ... next Feb. 11
   ... (going through the minutes)
   ... don't see any problems and would accept this
   ... any objections?

   (none)

   McCool: accepted
   ... next Feb. 18

   Kaz: chair's name is missing, will add it

   <McCool> victoria fenwick

   McCool: Victoria's correct name above

   Kaz: will fix it

   McCool: move to accept it?

   (no objections)

   McCool: accepted
   ... next, Feb. 25
   ... Chair's name?

   Kaz: will fix it

   <McCool> Ben Schecker should be Sven Schrecker

   Kaz: also Victoria's name again

   McCool: and Blanca's name?

   Elena: should be ok

   McCool: and another person
   ... let me check

   <McCool> also Pulido, Rodrigo

   McCool: and accepted
   ... next, Mar. 4
   ... this is correct
   ... Blanca and Rodrigo are doing test
   ... another person working on review?

   <McCool> change her contacts, say "Terri Oda"

   Kaz: will do

   McCool: other than that, we accept the minutes

   (no objections)

   McCool: next, Mar. 18

   <McCool> change "BPs" to "Best Practices"

   McCool: happy with this other than that
   ... no objections, so accept this
   ... next, Mar. 25
   ... don't see anything to change
   ... move to accept
   ... next, Apr. 1
   ... chair should be myself

   Kaz: will fix it

   McCool: other than that would move and accept

Penetration test

   McCool: need a document
   ... will run the system again
   ... the earliest would be next week
   ... reasonable to do penetration test next month?

   Elena: want to ping them

   McCool: ok, let me set up the system first
   ... need to do security description as well
   ... update various things for TD again
   ... let me do my part
   ... and then look back at it next Monday

   Elena: after that I can talk with my team guys again
   ... note that I'll be travelling mid May

   McCool: we can start to ask people before that and see the
   result after you're available?
   ... let me do my homework first

Actions and Schedule

   McCool: checks the actions
   ... wide review?

   Kaz: we're already asking the TAG for review
   ... will send a concrete review request to a11y and i18n

   McCool: what about Web Application Security WG?
   ... can send a message to the Chairs

   Kaz: you can mention that we're already getting the TAG review

Issues and PRs

   <McCool> closed [22]https://github.com/w3c/wot-security/pull/37

     [22] https://github.com/w3c/wot-security/pull/37

   comment added to
   [23]https://github.com/w3c/wot-security/issues/123

     [23] https://github.com/w3c/wot-security/issues/123

   deferred [24]https://github.com/w3c/wot-security/issues/122

     [24] https://github.com/w3c/wot-security/issues/122

   support for CORS
   [25]https://github.com/w3c/wot-security/issues/121

     [25] https://github.com/w3c/wot-security/issues/121

   McCool: related to one of the questions from the security
   questionnaire
   ... in general, IoT devices should be allowed to get connected
   with cross-origin services
   ... let me think about some note
   ... what I'm wondering about is whether this is something that
   should be in the protocol binding for HTTP
   ... should IoT devices always allow connections to devices from
   other origins?
   ... what are the exact use cases?
   ... see:
   [26]https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

     [26] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [27]scribe.perl version 1.154 ([28]CVS log)
    $Date: 2019/04/16 19:42:20 $

     [27] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [28] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 29 April 2019 17:35:38 UTC
