- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 21 Jan 2019 21:49:29 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at: https://www.w3.org/2018/12/17-wot-sec-minutes.html also as text below. Thanks, Kazuyuki --- [1]W3C [1] http://www.w3.org/ - DRAFT - WoT-Security 17 Dec 2018 Attendees Present Kaz_Ashimura, Michael_McCool, Elena_Reshetova, Tomoaki_Mizushima, Zoltan_Kis Regrets Chair McCool Scribe kaz Contents * [2]Topics 1. [3]Review of minutes from previous meetings 2. [4]Publication status 3. [5]TestFest 4. [6]External review 5. [7]Security&Privacy considerations for Scripting API 6. [8]Remaining issues 7. [9]Next meeting * [10]Summary of Action Items * [11]Summary of Resolutions __________________________________________________________ <McCool> [12]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf [12] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf <McCool> [13]https://www.w3.org/2018/12/03-wot-sec-minutes.html [13] https://www.w3.org/2018/12/03-wot-sec-minutes.html <scribe> scribenick: kaz Review of minutes from previous meetings [14]prev minutes [14] https://www.w3.org/2018/12/03-wot-sec-minutes.html McCool: (goes through the prev minutes) ... any objections? (none) McCool: accepted Kaz: will fix the style later and then send them out Publication status McCool: security and privacy consideration published on Dec 3 [15]security draft (published version) [15] https://www.w3.org/TR/2018/NOTE-wot-security-20181203/ McCool: unfortunately, new security/privacy considerations not included in the published TD spec Elena: PR for the architecture draft <elena> [16]https://github.com/w3c/wot-architecture/pull/63 [16] https://github.com/w3c/wot-architecture/pull/63 McCool: runtime considerations <elena> [17]https://github.com/w3c/wot-scripting-api/pull/155 [17] https://github.com/w3c/wot-scripting-api/pull/155 McCool: rutime considerations to be taken out form the scripting api draft ... we should discuss the status/progress with the architecture editors ... 2 more items here ... documentation planning and implementation report ... what we should do ... create a repo and prepare for a skeleton ... wot-security-best-practices and wot-security-testing-plan ... focus of security testing plan ... kind of involving document ... normal penetration testing ... more a living academic document ... the work we did on threat modeling ... something we need to push to the next level Elena: anyone from W3C for penetration testing? McCool: W3C folks are not really in charge of testing Elena: somebody supposed to do something McCool: library expectation ... checking implementation has poor input validation, etc. ... we should create an appropriate repo ... and the next step is to create a skeleton ... we should cover the outline ... can do that during the Christmas vacation ... we can send out an email to get a final confirmation ... updating Notes is not difficult Kaz: the only question is just that the expected URL shortname is unique ... the proposed names are ok ... I can create GitHub repos after getting groups' confirmation McCool: ok ... let's confirm that during the main call this Wed TestFest McCool: we had TestFest [18]Test result [18] https://cdn.staticaly.com/gh/mmccool/wot-thing-description/updated-test-results/testing/report.html McCool: implementation description here within the pink area ... but not yet for SmartThings or Siemens ... main thing is identifying the gap ... to improve the tests ... the result table has Pass/Fail/Not-impl ... still need to work on pink assertions ... not well-represented ... eventing, etc., to be taken care ... links also left out ... assuming people will work on that shortly ... easier to fix ... rest of the stuff ... security mostly ... td-security-binding, td-security-no-extras ... required security schemes ... only myself reported these features ... but shouldn't be hard to achieve, e.g., using node-wot ... the rest of these ... scopes and bunch of stuff ... more aggressive to get implementations ... some of them pretty easy ... easy to add default value ... need to flesh out them ... in terms of schemes ... easy to expose each scheme ... which implementations did which? ... regarding security: nosc, basic, cert, digest, bearer, pop, psk, public, oauth2, apikey ... any comments? (some discussion with Elena) McCool: everyone uses same library for TLS ... what is independent code-base? ... still waiting for node-wot result and smartthings result ... will update on Wednesday for reporting at the main call External review <McCool> [19]https://github.com/w3c/wot-thing-description/pull/314 [19] https://github.com/w3c/wot-thing-description/pull/314 McCool: we're getting 6-month extension for the WG ... can be as far out as March 2019 ... before we're entering into CR/PR ... who will do this? ... mizushima-san, any idea? mizu: no, not at the moment McCool: W3C official review for security? Kaz: can ask security groups and TAG McCool: would like to ask Valerie Fenwick from Intel (Web Application Security WG) for help ... (checks actions) ... convirm final decision on the main call on Dec 19 ... will talk to the W3C WEb Security IG about formal security validation ... btw, decide whether to make Kaz an editor for the security note? ... can do an email vote Security&Privacy considerations for Scripting API [20]PR 155 [20] https://github.com/w3c/wot-scripting-api/pull/155 McCool: waiting for architecture merge Remaining issues [21]issue 102 [21] https://github.com/w3c/wot-security/issues/102 McCool: confirm one more time in the main call [22]TD issue 300 [22] https://github.com/w3c/wot-thing-description/issues/300 "security": { "type": "array", "items": { "oneOf": { "type": "string" }, { "$ref": "#/definitions/securityScheme" } ] } } ]] McCool: discussion on Friday? Next meeting McCool: Dec 24/31 no meetings ... next meeting will be Jan 7 [adjourned] Summary of Action Items See [23]the Action wiki. [23] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions Summary of Resolutions [End of minutes] __________________________________________________________ Minutes manually created (not a transcript), formatted by David Booth's [24]scribe.perl version 1.154 ([25]CVS log) $Date: 2019/01/14 13:13:09 $ [24] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [25] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 21 January 2019 12:50:31 UTC