W3C home > Mailing lists > Public > public-wot-ig@w3.org > May 2020

[wot-security] minutes - 27 April 2020

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Fri, 08 May 2020 06:47:35 +0900
Message-ID: <871rnva03s.wl-ashimura@w3.org>
To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
  https://www.w3.org/2020/04/27-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

27 Apr 2020

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Oliver_Pfaff, David_Ezell, Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [2]Topics
         1. [3]Review minutes
         2. [4]Agenda
         3. [5]Lifecycle
         4. [6]Requirements template
     * [7]Summary of Action Items
     * [8]Summary of Resolutions
     __________________________________________________________

   <scribe> scribenick: kaz

Review minutes

   [9]Apr-20 minutes

      [9] https://www.w3.org/2020/04/20-wot-sec-minutes.html

   McCool: (goes through the minutes)
   ... any comments/corrections?
   ... any objections?

   (none)

   McCool: approved

Agenda

   McCool: reviews the agenda for today

Lifecycle

   McCool: anything to do today here?

   Elena: (summarizes the discussion during the Architecture call
   on Apr. 23)

   McCool: discussion on stack of layers
   ... Zoltan took an action to do that
   ... having a table listing various players for each state
   ... relates to other fuzzy authentication

   [10]related to Issue 148

     [10] https://github.com/w3c/wot-security/issues/148

   McCool: got a comment from Zoltan

   [11]Zoltan's comment to Issue 148

     [11] https://github.com/w3c/wot-security/issues/148#issuecomment-619904349

   McCool: (responds to Zoltan)

   [12]McCool's response to Zoltan

     [12] https://github.com/w3c/wot-security/issues/148#issuecomment-619951263

   Zoltan: (joins)

   McCool: we're talking about your comment on Issue 148
   ... (goes through the conversation on 148)

   Zoltan: just wanted to mention Lagally had created
   wot-architecture issue 476

   [13]wot-architecture issue 476

     [13] https://github.com/w3c/wot-architecture/issues/476

   McCool: the issue was that we needed a table of actors
   ... currently have TD's server authentication
   ... the point is we need to see the lifecycle before solving
   the issue

   Zoltan: ok
   ... it's kind of chicken and eggs problem

   McCool: we need to narrow the current definition of "Thing
   authentication"

   Zoltan: we need to define identification, then authentication.
   right?

   McCool: good example

   Zoltan: make sense to talk about authentication only during the
   operational state

   McCool: right...
   ... let's talk about this after your updating the lifecycle
   diagram

   Oliver: what is the identification and what is expected after
   that?

   Zoltan: many protocols use similar mechanisms
   ... some shared key
   ... we're modeling the abstract lifecycle states

   Oliver: comparison depends on the catalog of protocols,
   addressing scheme, etc.

   McCool: e.g., DID, doesn't handle authentication in that way...

   Oliver: my expectation is having clear understanding about the
   components
   ... then protocols and addressing schemes

   McCool: addition of actors to components?
   ... in general, it's open ended
   ... need some general principle including the possible future
   protocols
   ... would propose we wait one more week until the lifecycle
   diagram is updated

   Oliver: sounds good

   McCool: Oliver, I'd like to ask you for advice
   ... about how to proceed
   ... on this issue 148

   Oliver: ok, will do

Requirements template

   [14]Issue 472

     [14] https://github.com/w3c/wot-architecture/issues/472

   McCool: would add security/privacy considerations to the use
   case template
   ... eventually, make it included in the Security/Privacy
   guidelines doc
   ... Lagally gave comments

   [15]Lagally's comments

     [15] https://github.com/w3c/wot-architecture/issues/472#issuecomment-616990357

   <McCool>
   [16]https://www.w3.org/TR/security-privacy-questionnaire/

     [16] https://www.w3.org/TR/security-privacy-questionnaire/

   self-review security questionnaire above

   [17]Issue 168

     [17] https://github.com/w3c/wot-security/issues/168

   McCool: what we should do is
   ... to the use case template, we add security/privacy
   considerations section
   ... and to the requirements template, we add security/privacy
   requirements section

   Kaz: sounds good

   Elena: but what was the original purposes?

   McCool: (explains the background)

   Elena: in terms the requirements, not only OAuth as a possible
   mechanism but various mechanisms to be mentioned?

   McCool: right
   ... but as the starting point, we should add a section

   Kaz: yeah
   ... when we add those sections (considerations/requirements),
   we should think about what kind of features should be added
   there

   McCool: right
   ... let me capture those points here within the comment for
   issue 472 or wot-architecture

   David: at Conexxus, we have similar problems
   ... we look at applications in security terms
   ... the asset to be protected, etc.
   ... people should worry about

   Kaz: do you have any concrete template about that?

   David: sure
   ... let me check

   McCool: one possible question to be included is "what are the
   assets?"
   ... can you check those questions?

   David: let me do that

   McCool: we need to have something like this document (self
   security review) for us

   Kaz: maybe we should reuse some of the existing ones?

   McCool: yes, we should look into the existing questionnaire and
   see which parts are relevant to WoT and which are not
   ... (updates the comments for wot-architecture issue 472)
   ... I'd suggest we merge a PR for this issue so that we can
   start use cases discussion based on the new template (and avoid
   fixing the existing ones with the updated security/privacy
   sections)
   ... we need to define schemes and features
   ... features can be extracted from the requirements documents
   ... the question is where to put the table?
   ... probably to the best practices document?

   Elena: don't want to create a new document for that purpose :)

   McCool: me neither

   [18]McCool's comments to wot-architecture issue 472

     [18] https://github.com/w3c/wot-architecture/issues/472#issuecomment-619971454

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [19]scribe.perl version 1.154 ([20]CVS log)
    $Date: 2020/04/29 07:57:12 $

     [19] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [20] http://dev.w3.org/cvsweb/2002/scribe/
Received on Thursday, 7 May 2020 21:47:23 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 7 May 2020 21:47:24 UTC