- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 21 Jan 2019 21:49:29 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2018/12/17-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT-Security
17 Dec 2018
Attendees
Present
Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
Tomoaki_Mizushima, Zoltan_Kis
Regrets
Chair
McCool
Scribe
kaz
Contents
* [2]Topics
1. [3]Review of minutes from previous meetings
2. [4]Publication status
3. [5]TestFest
4. [6]External review
5. [7]Security&Privacy considerations for Scripting API
6. [8]Remaining issues
7. [9]Next meeting
* [10]Summary of Action Items
* [11]Summary of Resolutions
__________________________________________________________
<McCool> [12]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf
[12] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf
<McCool> [13]https://www.w3.org/2018/12/03-wot-sec-minutes.html
[13] https://www.w3.org/2018/12/03-wot-sec-minutes.html
<scribe> scribenick: kaz
Review of minutes from previous meetings
[14]prev minutes
[14] https://www.w3.org/2018/12/03-wot-sec-minutes.html
McCool: (goes through the prev minutes)
... any objections?
(none)
McCool: accepted
Kaz: will fix the style later and then send them out
Publication status
McCool: security and privacy consideration published on Dec 3
[15]security draft (published version)
[15] https://www.w3.org/TR/2018/NOTE-wot-security-20181203/
McCool: unfortunately, new security/privacy considerations not
included in the published TD spec
Elena: PR for the architecture draft
<elena> [16]https://github.com/w3c/wot-architecture/pull/63
[16] https://github.com/w3c/wot-architecture/pull/63
McCool: runtime considerations
<elena> [17]https://github.com/w3c/wot-scripting-api/pull/155
[17] https://github.com/w3c/wot-scripting-api/pull/155
McCool: runtime considerations to be taken out from the
scripting api draft
... we should discuss the status/progress with the architecture
editors
... 2 more items here
... documentation planning and implementation report
... what we should do
... create a repo and prepare for a skeleton
... wot-security-best-practices and wot-security-testing-plan
... focus of security testing plan
... kind of involving document
... normal penetration testing
... more a living academic document
... the work we did on threat modeling
... something we need to push to the next level
Elena: anyone from W3C for penetration testing?
McCool: W3C folks are not really in charge of testing
Elena: somebody supposed to do something
McCool: library expectation
... checking implementation has poor input validation, etc.
... we should create an appropriate repo
... and the next step is to create a skeleton
... we should cover the outline
... can do that during the Christmas vacation
... we can send out an email to get a final confirmation
... updating Notes is not difficult
Kaz: the only question is whether the expected URL shortname
is unique
... the proposed names are ok
... I can create GitHub repos after getting groups'
confirmation
McCool: ok
... let's confirm that during the main call this Wed
TestFest
McCool: we had TestFest
[18]Test result
[18] https://cdn.staticaly.com/gh/mmccool/wot-thing-description/updated-test-results/testing/report.html
McCool: implementation description here within the pink area
... but not yet for SmartThings or Siemens
... main thing is identifying the gap
... to improve the tests
... the result table has Pass/Fail/Not-impl
... still need to work on pink assertions
... not well-represented
... eventing, etc., to be taken care of
... links also left out
... assuming people will work on that shortly
... easier to fix
... rest of the stuff
... security mostly
... td-security-binding, td-security-no-extras
... required security schemes
... only myself reported these features
... but shouldn't be hard to achieve, e.g., using node-wot
... the rest of these
... scopes and bunch of stuff
... more aggressive to get implementations
... some of them pretty easy
... easy to add default value
... need to flesh them out
... in terms of schemes
... easy to expose each scheme
... which implementations did which?
... regarding security: nosc, basic, cert, digest, bearer, pop,
psk, public, oauth2, apikey
... any comments?
(some discussion with Elena)
McCool: everyone uses same library for TLS
... what is independent code-base?
... still waiting for node-wot result and smartthings result
... will update on Wednesday for reporting at the main call
External review
<McCool> [19]https://github.com/w3c/wot-thing-description/pull/314
[19] https://github.com/w3c/wot-thing-description/pull/314
McCool: we're getting 6-month extension for the WG
... can be as far out as March 2019
... before we're entering into CR/PR
... who will do this?
... mizushima-san, any idea?
mizu: no, not at the moment
McCool: W3C official review for security?
Kaz: can ask security groups and TAG
McCool: would like to ask Valerie Fenwick from Intel (Web
Application Security WG) for help
... (checks actions)
... confirm final decision on the main call on Dec 19
... will talk to the W3C Web Security IG about formal security
validation
... btw, decide whether to make Kaz an editor for the security
note?
... can do an email vote
Security&Privacy considerations for Scripting API
[20]PR 155
[20] https://github.com/w3c/wot-scripting-api/pull/155
McCool: waiting for architecture merge
Remaining issues
[21]issue 102
[21] https://github.com/w3c/wot-security/issues/102
McCool: confirm one more time in the main call
[22]TD issue 300
[22] https://github.com/w3c/wot-thing-description/issues/300
"security": {
  "type": "array",
  "items": {
    "oneOf": [
      { "type": "string" },
      { "$ref": "#/definitions/securityScheme" }
    ]
  }
}
McCool: discussion on Friday?
Next meeting
McCool: Dec 24/31 no meetings
... next meeting will be Jan 7
[adjourned]
Summary of Action Items
See [23]the Action wiki.
[23] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes manually created (not a transcript), formatted by
David Booth's [24]scribe.perl version 1.154 ([25]CVS log)
$Date: 2019/01/14 13:13:09 $
[24] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[25] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 21 January 2019 12:50:31 UTC