- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 21 Sep 2020 18:32:05 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2020/09/14-wot-sec-minutes.html
also as text below.
Thanks a lot for taking the minutes, Elena!
Kazuyuki
---
- DRAFT -
WoT Security
14 Sep 2020
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#14_September_2020
Attendees
Present
Kaz_Ashimura, Clerley_Silveira, Elena_Reshetova,
Michael_McCool, Oliver_Pfaff, Tomoaki_Mizushima,
Cristiano_Aguzzi, David_Ezell
Regrets
Chair
McCool
Scribe
elena
__________________________________________________________
<kaz> scribenick: elena
Review the minutes from last meeting
<kaz> [10]Sep-7
[10] https://www.w3.org/2020/09/07-wot-sec-minutes.html
McCool: any objections to publishing the minutes?
no objections, minutes approved
McCool: any updates from anyone?
... we might need two producers and two consumers for
implementation to be approved. This can be a problem for OAuth
implementations.
... does anyone know about wot-node and OAuth?
Cristiano: difference in implementations between producers and
consumers can be very minimal for node-wot
McCool: need to bring it up with node-wot, could Cristiano
create an issue about this and test cases for node-wot?
... let me do issue creation now
McCool creates a new issue in wot-testing
Cristiano: I am afraid that LinkSmart won't implement consumer
side
McCool: we need then another consumer
... node-gen or node-RED might be an option for that
... we need to have two tests per flow
Cristiano: code is not implemented in node-wot, might be a
problem
McCool: node-wot also assumes that security configuration is
the same, another thing that needs review
<McCool> [11]https://github.com/w3c/wot-testing/issues/51
[11] https://github.com/w3c/wot-testing/issues/51
McCool: we need to review security implementation of node-wot
McCool creates a new issue under wot-security on this
[12]https://github.com/w3c/wot-security/issues/184
[12] https://github.com/w3c/wot-security/issues/184
McCool: Cristiano, could you walk us through node-wot
implementation since you know it well?
Cristiano agrees
McCool: we should also dig into node-gen
... are we doing something special for plugfest? I have not
seen any security focus there
... does anyone have any thoughts on this?
... OAuth is something we should do but we don't have enough
time for this plugfest. Maybe next plugfest that is in
February/March?
... if we want to be safe to get things done in time, we need
to finalize test cases by the end of the year
Kaz: a bit off topic but I attended the Singapore Geospatial
Week's Smart Cities session this afternoon and some of the
presenters mentioned end-to-end security would be important for
IoT purposes. So I'm wondering how to deal with end-to-end
security in WoT.
Oliver: that depends on definition of the ends
McCool: should we have security schemes for object security?
Oliver: we have to double check first how to express object
security in order not to redo this in TD
McCool: we don't have any existing issues about object security
and how to deal with it
... we need to decide how we support object security
McCool creates a new issue for this
[13]https://github.com/w3c/wot-security/issues/185
[13] https://github.com/w3c/wot-security/issues/185
Kaz: this issue 185 could include a definition of end-to-end
security, right?
McCool: we need to make a list of object security alternatives
McCool adds some initial options to the issue 185
Oliver proposes more schemes that McCool adds to the issue 185
McCool: next let's look into issue tracker
Issue 183
McCool looks into issue
[14]https://github.com/w3c/wot-security/issues/183
[14] https://github.com/w3c/wot-security/issues/183
<kaz> [15]Issue 183
[15] https://github.com/w3c/wot-security/issues/183
McCool: should we also add monitoring into this issue?
elena: IMO it should go into separate issue
McCool creates a new issue
[16]https://github.com/w3c/wot-security/issues/186 on
monitoring
[16] https://github.com/w3c/wot-security/issues/186
<kaz> [17]related issue on IETF MUD
[17] https://github.com/w3c/wot-security/issues/153
Issue 180
McCool: next issue
[18]https://github.com/w3c/wot-security/issues/180
[18] https://github.com/w3c/wot-security/issues/180
McCool adds some todos to the issue
McCool: should we also be looking into Mozilla hub or other
hubs?
... what about openHAB?
McCool creates a new issue on openHAB
[19]https://github.com/w3c/wot-security/issues/187
[19] https://github.com/w3c/wot-security/issues/187
<criis> [20]https://github.com/iobridge/thingspeak
[20] https://github.com/iobridge/thingspeak
McCool creates another issue on Mozilla WebThings gateway
[21]https://github.com/w3c/wot-security/issues/188
[21] https://github.com/w3c/wot-security/issues/188
McCool creates an issue on ThingSpeak
[22]https://github.com/w3c/wot-security/issues/189
[22] https://github.com/w3c/wot-security/issues/189
McCool: we don't have WoT integrated in projects like the above
... we need to talk to these groups
... and we need to look into their security architecture to
make sure we are compatible
Issue 170
McCool: let's look into issue
[23]https://github.com/w3c/wot-security/issues/170
... last time we created issues for follow up work, should we
close this issue?
... or do we still have some missing actions?
[23] https://github.com/w3c/wot-security/issues/170
elena: I don't see anything else from my side
McCool: let's create an issue about trust levels of actors and
then we can close the issue 170
McCool creates a new issue
[24]https://github.com/w3c/wot-security/issues/190 on this
[24] https://github.com/w3c/wot-security/issues/190
McCool: any objections to closing 170?
no objections, closed
<kaz> [adjourned]
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes manually created (not a transcript), formatted by
David Booth's [25]scribe.perl version ([26]CVS log)
$Date: 2020/09/21 09:29:28 $
[25] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[26] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 21 September 2020 09:32:11 UTC