[wot-security] minutes - 11 November 2019

available at:
  https://www.w3.org/2019/11/11-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Taki!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

11 Nov 2019

Attendees

   Present
          Oliver_Pfaff, Michael_McCool, Taki_Kamiya

   Regrets
          Kaz_Ashimura

   Chair
          Michael McCool

   Scribe
          Taki Kamiya

Contents

     * [2]Topics
         1. [3]Privacy discussion
         2. [4]Issue #148
         3. [5]Issue #146
         4. [6]Issue #145
     * [7]Summary of Action Items
     * [8]Summary of Resolutions
     __________________________________________________________

   <scribe> ScribeNick: taki

Privacy discussion

   McCool: I want to mention something about the issues.
   ... privacy. I want to expand privacy discussions.

   <McCool>
   [9]https://github.com/w3c/wot/blob/master/proposals/privacy.md

      [9] https://github.com/w3c/wot/blob/master/proposals/privacy.md

   McCool: targeted assertions targeting privacy.
   ... I listed possible assertions.
   ... We made "id" non-unique and optional.
   ... there are also best practices in the document.
   ... privacy in discovery search.
   ... privacy of requester for discovery search.
   ... please take a look at it.

Issue #148

   <McCool> [10]https://github.com/w3c/wot-security/issues/148

     [10] https://github.com/w3c/wot-security/issues/148

   McCool: server authentication. we used to call it this way.
   ... we changed "client" to consumer.
   ... server, or producer, we have not formally defined.
   ... A Thing generally matches the server.
   ... In pub-sub, the role is slightly different.
   ... we need to expand on this.
   ... How specific we are. We are not looking for a new scheme.
   We can refer to existing documents.

   Oliver: Let me think about consumer perspective.
   ... authentication is important.
   ... server authentication is a common concern.
   ... It relates to WoT.
   ... actual/expected value is one.
   ... We need people to be aware of server authentication.

   McCool: we need to summarize how server authentication
   generally happens.
   ... and how it is related to WoT.
   ... In IoT, which one is the server is not very clear, for example.

   McCool is summarizing discussion in GitHub #148 comment...

   McCool: In the case of HTTP server, we should follow existing
   practices.

   Oliver: If things are familiar, we do not want to screw things
   up.

   McCool: next step is to make a PR.
   ... first step is to make a PR.
   ... to summarize existing web server authentication mechanism.

   McCool assigned issue #148 to Oliver for now...

   Oliver: I will try to make something meaningful. I also will
   get in touch with Sebastian.

   Issue: #147

   McCool: We focused on HTTP. There is also CoAP.
   ... We need to address ACE.
   ... we have a long list of references. We did not use all of
   them necessarily.

   Oliver: ACE delivers part of what is needed.
   ... In implementation, people realize something is missing.
   ... We need people to understand this.
   ... domain-specific on-boarding, for example.

   McCool: we can refer to references, but they are not complete.
   ... Things are still in flight.
   ... we can refer to Anima reference.
   ... when we introduce ACE, we can introduce Anima.

   Oliver: Anima can complement ACE.
   ... Anima includes on-boarding.

   McCool: We have a life cycle discussion. ACE takes place in
   operation phase.
   ... We can discuss Anima in on-boarding section.

   Oliver: good approach.
   ... on-boarding needs security, and Anima is one that can help.

   McCool: We limited our scope to operation phase.
   ... We received lots of criticism from people about this.
   ... Why we do not cover on-boarding, for example.

   Oliver: I did not realize it was out of scope.

   McCool: We have a life cycle section. There we say about scope.
   ... Life cycle diagram can move to architecture document.
   ... we can refer to architecture doc.
   ... there is also decommissioning.

   Oliver: on-boarding and off-boarding phases took about half of
   the time in the implementation projects I was involved in.

Issue #146

   <McCool> [11]https://github.com/w3c/wot-security/issues/146

     [11] https://github.com/w3c/wot-security/issues/146

   Oliver: This is a minor issue.

   McCool: Are you willing to make a PR?

   Oliver: That is a good start for me. I will learn about how to
   make PR.

   McCool: About the list of references, you can take a look at it
   and comment.
   ... references, lots of them are local. We should use re-spec
   references.
   ... localBiblio is strongly discouraged.

   <McCool> right now we use a lot of this:
   [12]https://github.com/w3c/respec/wiki/localBiblio

     [12] https://github.com/w3c/respec/wiki/localBiblio

   <McCool> we should be doing this: [13]https://www.specref.org/

     [13] https://www.specref.org/

   McCool: we should use specref database.
   ... we should replace localBiblio.

Issue #145

   <McCool> [14]https://github.com/w3c/wot-security/issues/145

     [14] https://github.com/w3c/wot-security/issues/145

   McCool: best practices can reduce testing.
   ... testing framework is about how we do tests.
   ... W3C does not do conformance.
   ... first, people should follow best practices before doing
   security test.
   ... we did not have time to do MQTT and CoAP.
   ... there are few tools for CoAP penetration test when we look
   at it.
   ... We should create a section and say we will work on that.

   Oliver: Yes, we cannot do everything at once.
   ... we can apply technique of client-server, but there is also
   pub-sub.
   ... I understand there is tool perspective.
   ... OPC-UA is both client-server and pub-sub.
   ... It used to be only client-server.
   ... There is TLS, and also their own. two security mechanisms.
   ... For end-to-end application security.

   McCool: we can mention dimensions.
   ... In the case of OPC-UA, we can limit our scope to systems
   that follow OPC-UA.
   ... Some companies want to focus on HTTP, but do not like
   protocols such as OPC-UA.
   ... There is a scope problem.
   ... Abstraction system can cover different aspects.
   ... We can mostly be focused on REST/HTTP.
   ... We should outline the scope we want to cover.
   ... e.g. which protocols we care about.
   ... WoT can cover diverse protocols.
   ... But we want to limit the scope.
   ... We need to explicitly decide.
   ... Then we look at patterns of object security, token
   mechanism, access control, etc.
   ... OPC-UA has best practice, and we can refer to it.

   McCool is summarizing the discussion in GitHub comment...

   McCool: we should also explicitly define bad practices.
   ... basic authentication with no encryption, etc.
   ... architecture doc has definition of security/privacy.
   ... I am not happy with ISO definition of privacy.
   ... It is a bit circular.
   ... We should expand definition of privacy. It needs to address
   trust, for example.

   Oliver: ok.

   McCool: end-to-end security definition is also an issue.
   ... I can make the next three weeks' meetings, but cannot
   guarantee I can fully.
   ... I will capture the minutes and send them to Kaz.

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [15]scribe.perl version
    1.152 ([16]CVS log)
    $Date: 2019/11/18 17:54:21 $

     [15] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [16] http://dev.w3.org/cvsweb/2002/scribe/

Received on Monday, 18 November 2019 17:56:07 UTC