W3C home > Mailing lists > Public > public-wot-ig@w3.org > September 2020

[wot-security] minutes - 24 August 2020

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Mon, 07 Sep 2020 16:05:51 +0900
Message-ID: <87363um5gw.wl-ashimura@w3.org>
To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
  https://www.w3.org/2020/08/24-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Cristiano!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

24 Aug 2020

Attendees

   Present
          Tomoaki_Mizushima, David_Ezell, Kaz_Ashimura,
          Michael_McCool, Clerley_Silveira, Cristiano_Aguzzi,
          Elena_Reshetova, Oliver_Pfaff

   Regrets

   Chair
          McCool

   Scribe
          crist

Contents

     * [2]Topics
         1. [3]Previous minutes
         2. [4]Agenda
         3. [5]Conexxus
         4. [6]Combination security schema PR
         5. [7]Inline security definitions PR
         6. [8]Proof chain sections
         7. [9]reconsider mandatory items for OAuth2
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

Previous minutes

   <inserted> [12]Aug-17

     [12] https://www.w3.org/2020/08/17-wot-sec-minutes.html

   McCool: I put on the agenda OAuth2 again
   ... anybody have any comments?

   (none)

   McCool: ok, minutes will be published

Agenda

   McCool: no guest today
   ... Elena will talk about conexxus
   ... then we have a bunch of PRs ready to be reviewed and maybe
   closed
   ... we also have open discussion topics
   ... like OAuth2 and lifecycle
   ... anything else?

   Kaz: the agenda section for today had a wrong date, so I've
   just fixed it. please reload the agenda.

   McCool: ok.

   <McCool>
   [13]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#24_Augus
   t_2020

     [13] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#24_August_2020

Conexxus

   Elena: Conexxus have defined a threat model for API designers

   Clerley: we actually have three model templates
   ... one is the current one. Another is the implementation
   threat model, which can be used to describe how to security is
   implemented

   Elena: how do you know how to be complaint? For example in the
   different section what would we check

   McCool: I think this is for a particular application. I saw
   this also this in Intel.

   Elena: ok, let's continue and see each chapter
   ... it starts from API description and then use case
   ... In 4 the template asks to identify resources at risk

   Clerley: usually, the template is not used as whole. People
   chose some chapter and our internal security group review the
   document

   Elena: why do you have different section for assets and data?

   David: maybe it is a bug... it is probably redundant
   ... it helps people think about it more than once

   McCool: I was thinking that assets were more physical... but
   the examples do not match

   Clerley: maybe

   Elena: next the document talks about the threat boundery
   ... after that we have API consumers chapter

   McCool: is there a stakeholder section

   Elena: I think this chapter should be used... but I am not sure

   Clerley: this section describes the interaction between systems
   i.e. payment system --> pump

   Elena: inside wot is difficult to fill this document, because
   we are at the interface level. Probably it might be easier for
   a particular WoT application

   Clerley: I agree some section are pretty specific. I suggest to
   go back to data section if you are dealing with more abstract
   usecases

   Elena: ok moving on. There is a section about data integrity
   and finally a logging and auditing section
   ... in wot we have to think more about logging and auditing
   ... my final comment about the document is that from my point
   of view is a bit hard to use

   Clerley: you are free to use the document for your needs,
   feedback is welcomed

   McCool: we can use it to feel the threats in wot and create a
   checklist for usecases.
   ... about feedback, Elena my add comments to the document.
   would it work?

   Elena: I do not have more detailed feedback on that document

   <McCool> [14]https://github.com/w3c/wot-security/issues/170

     [14] https://github.com/w3c/wot-security/issues/170

   Clerley: We certainly report what Elena said today

   McCool: we can use the github issue (above).
   ... conexxus personal can have a look there
   ... the question now is what are we going to do inside WoT?
   ... I'll create an issue about a security template for wot
   ... we should at least point to the conexxus document inside
   our security documentation.
   ... let's gather more input in the issue
   ... oliver did you finished the lifecycle review?

   Oliver: I made a couple of comments and started the review

   McCool: ok thanks

Combination security schema PR

   <inserted> [15]wot-thing-description PR 944

     [15] https://github.com/w3c/wot-thing-description/pull/944

   McCool: if we make the combination scheme the default, it
   cleans lot a lot the security field syntax
   ... However, it might cause compatibility problems
   ... I laid down a plan to address this change in step
   ... it is available on the pr/s.
   ... let me show how the PR looks
   ... anybody have any comments?

Inline security definitions PR

   <inserted> [16]wot-thing-description PR 945

     [16] https://github.com/w3c/wot-thing-description/pull/945

   McCool: I think it lacks an example
   ... I think this week we'll close combination and simplified PR
   ... any comments on this two?
   ... ok Ege was happy with it, I'll chage it to ready

Proof chain sections

   <inserted> [17]wot-thing-description PR 943

     [17] https://github.com/w3c/wot-thing-description/pull/943

   McCool: I think we have to wait a little bit. I'll leave it
   untill the next week

Reconsider mandatory items for OAuth2

   <inserted> [18]wot-thing-description OAuth2 issues

     [18] https://github.com/w3c/wot-thing-description/issues?q=is:issue+is:open+oauth

   McCool: I am thinking that they should not be mandatory for
   reasons described in the issue
   ... ok we are out of time now
   ... is there any final concern?
   ... ok, let's close the issue

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [19]scribe.perl version ([20]CVS log)
    $Date: 2020/08/31 12:09:38 $

     [19] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [20] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 7 September 2020 07:05:58 UTC

This archive was generated by hypermail 2.4.0 : Monday, 7 September 2020 07:06:00 UTC