[wot-security] minutes - 1 June 2020

available at:
  https://www.w3.org/2020/06/01-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

01 Jun 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Cristiano_Aguzzi, Michael_McCool,
          Tomoaki_Mizushima, David_Ezell, Elena_Reshetova,
          Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [3]Topics
         1. [4]Prev minutes
         2. [5]OAuth2 Use case
         3. [6]Conexxus security and privacy threat model
         4. [7]F2F prep
     * [8]Summary of Action Items
     * [9]Summary of Resolutions
     __________________________________________________________

Prev minutes

   [10]May 25

     [10] https://www.w3.org/2020/05/25-wot-sec-minutes.html

   McCool: any objections?

   (none)

   McCool: approved

OAuth2 Use case

   [11]OAuth2 use case

     [11] https://github.com/w3c/wot-architecture/blob/master/USE-CASES/oauth.md

   McCool: Cristiano should once remove the current PR 515
   ... and create a new one after his joining the WG a an IE

   [12]PR 515

     [12] https://github.com/w3c/wot-architecture/pull/515

   [13]Changes

     [13] https://github.com/w3c/wot-architecture/pull/515/files

   McCool: cloud provider might be involved in this use case
   ... so far there is a list of stakeholders to be chosen, though

   Cristiano: remove "operator" from "directory service operator"

   McCool: should keep the name given it's included in the
   candidate list
   ... regarding the motivation section, we need to see the spec
   again

   Cristiano: ok

   McCool: but this is a good starting point
   ... expected devices should include a token server

   Cristiano: wondering who the "resource owner" is

   McCool: wondering about the names here
   ... resource owner
   ... should it be a "resource server"?
   ... let's keep this asis at the moment and continue the review

   Cristiano: code flow section
   ... (starting with line 112)

   McCool: we should be careful about the wording
   ... possible delegation to a third party
   ... I can do another review path and give comments

   Cristiano: great

   McCool: you can close this PR 515 itself and submit a new one
   with your account as an Invited Expert
   ... (and closed PR 515)

   Zoltan: btw, wondering about the status of Cristiano's IE
   status

   Cristiano: submitted an application and has just been approved

Conexxus security and privacy threat model

   [14]Issue 170

     [14] https://github.com/w3c/wot-security/issues/170

   David: no public resource so far
   ... but can clarify the points

   McCool: we can mail them to provide summary
   ... to ask for clarification

   David: sure

   McCool: about threat model and implementation recommendations
   ... let's extract our main points

   David: can we go through the requirements?

   McCool: sure

   David: (gives some background about Conexxus; like Conexxus is
   creating interfaces)
   ... there are two design documents

   McCool: (looking for the document)

   David: (shares his screen for the document)
   ... there is data confidentiality and data encryption within
   the data protection section

   McCool: would be useful to have questions about the design
   review

   David: questions about confidentiality and encryption
   ... and then data integrity
   ... this came from the payment network
   ... there is a question about 2-factor or multi-factor
   authentication

   McCool: OAuth allows multi-factor authentication. right?

   David: right
   ... and then here is a "Compliance" section here

   McCool: a possible addition is government regulation compliance

   David: right

   McCool: this is great
   ... having a design document and a check list is good
   ... wondering about if it's kind of Web-oriented
   ... we should have an IoT-oriented one
   ... the next step should be distributing the resource to the
   group
   ... the concept of a check list is great
   ... to be included in the best practices document

   David: will send the resource to you

   McCool: and I can share it with part of the group as the
   starting point

F2F prep

   [15]June meeting wiki

     [15] https://www.w3.org/WoT/IG/wiki/F2F_meeting_2020_2nd

   McCool: we need to talk about when/how
   ... don't have done concrete agenda items yet

   [16]F2F topics

     [16] https://www.w3.org/WoT/IG/wiki/F2F_meeting_2020_2nd#Topics_.28Tentative.29

   McCool: Best practice topics should be included
   ... need to work on presentations
   ... note that June 11 is holiday in Europe
   ... this is my initial list of topics to be discussed next week
   ... do we have any topics which need input here?
   ... (adds Best practices under "Gather input")
   ... next week will be the last security call before the
   PlugFest/F2F
   ... but next Monday, there will be the T2TRG workshop at 8-11am
   EDT
   ... so we need to cancel the Security call next week as well
   ... (updates the Agenda section of the Security wiki)
   ... cancel the all on June 8 and June 15
   ... and then will have a Security session during the F2F on
   June 22
   ... anyway, please watch Cristiano's new PR and review it
   ... anything else?

   (none)

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [17]scribe.perl version ([18]CVS log)
    $Date: 2020/06/08 01:40:47 $

     [17] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [18] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 7 July 2020 11:27:30 UTC