[wot-security] minutes - 7 September 2020

available at:
  https://www.w3.org/2020/09/07-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Cristiano!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

07 Sep 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#7_September_2020

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Cristiano_Aguzzi, Tomoaki_Mizushima

   Regrets

   Chair
          McCool

   Scribe
          cris

Contents

     * [3]Topics
         1. [4]Previous minutes
         2. [5]TD security PRs
         3. [6]Lifecycle review
         4. [7]Directory security
         5. [8]Clean up issues
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: cris

Previous minutes

   <kaz> [11]Aug-31

     [11] https://www.w3.org/2020/08/31-wot-sec-minutes.html

   McCool: by the way it is labor day in the U.S.
   ... by looking into the minutes it is not clear what Cristiano
   is agreeing to .. please kaz could you fix this?
   ... aside from that issue I am ok with the minutes

   Kaz: Ok the plan you mentioned has been added

   McCool: any other comments? should we make this public?
   ... ok published.

TD security PRs

   <inserted> [12]wot-thing-description PR945

     [12] https://github.com/w3c/wot-thing-description/pull/945

   <inserted> [13]wot-thing-description PR944

     [13] https://github.com/w3c/wot-thing-description/pull/944

   McCool: TD group provided some feedback on the PR about
   security
   ... the main concern was about the fact that we still do not
   have an implementation of the proposed changes in the PR
   ... however we do not really define new functionalities in the
   PR. In fact both of them propose features that can be easily
   translated back to the old TD model
   ... like inline definition can be preprocessed back to a
   securityDefinition
   ... anyway the two PRs right now are still on hold... we still
   have to implement a pre-processor to test them

   Elena: do we have existing use cases for combination schema?

   McCool: yes we have an example in the TD document (Example 11).
   There a proxy is described using a TD
   ... on the other hand, example 15 shows the problem of
   redundancy for multiple or security schemas. This is solved by
   the combination scheme (see Example 16)
   ... it is an improved syntax for "and" and "or" security
   constraints

   Elena: it looks good. Also the inline feature is fine.

   McCool: we need implementation, for example node-wot still does
   not support "and" combination (even the old version with the
   array is not supported)

Lifecycle review

   <kaz> [14]Issue 169

     [14] https://github.com/w3c/wot-security/issues/169

   McCool: Oliver was confused about roles and entities. I
   suggested to add the word "role" at the end of some terms to
   make it clearer
   ... if you have any comments please use the issue comment section.

Directory security

   McCool: we still have to really discuss in depth the issue
   ... for example what should the default method be?
   ... any other topics to add to the agenda for today? otherwise
   I'd rather try to close some open issues
   ... ok

Clean up issues

   <kaz> [15]Issue 169

     [15] https://github.com/w3c/wot-security/issues/169

   McCool: I'd propose to close #169 since we already did the
   review

   Elena: we probably need a new issue to track additional review
   work on the lifecycle

   McCool: I suggest to do additional reviews when the Arch
   document goes to CR
   ... ok closed

   <kaz> [16]Issue 173

     [16] https://github.com/w3c/wot-security/issues/173

   McCool: #173 we already completed the task described there. So
   I'm closing it
   ... any objection?
   ... ok closed.

   <kaz> [17]Issue 177

     [17] https://github.com/w3c/wot-security/issues/177

   McCool: #177 still has some open points

   Cristiano: I think the review is done. We may open a new issue
   to track the left points

   McCool: yes, let's create an issue in the use-case repository
   ... I'll assign cristiano to this new issue

   <McCool> [18]https://github.com/w3c/wot-usecases/issues/49

     [18] https://github.com/w3c/wot-usecases/issues/49

   McCool: ok now let's close #177
   ... closed.

   <kaz> [19]Issue 170

     [19] https://github.com/w3c/wot-security/issues/170

   Elena: I am not sure how to update the Threat Model.

   McCool: I think we can discuss this in an issue

   Elena: if we decide that the modification is trivial I can just
   add two lines there; however, if we plan to create a new section
   it is better to have a discussion

   McCool: I think a new issue is the best place to decide this.
   ... I'm creating a new one in the wot-security repository

   <kaz> [20]New Issue 183

     [20] https://github.com/w3c/wot-security/issues/183

   McCool: Elena any other issue that we should add here?

   Elena: not really

   <kaz> [21]Issue 170 on Conexxus security and privacy threat
   model

     [21] https://github.com/w3c/wot-security/issues/170

   McCool: I added a Consider closing label to #170
   ... we still have open points and issues to create
   ... EdgeX have their own internal system for authentication.

   <kaz> [22]Issue 180 on EdgeX

     [22] https://github.com/w3c/wot-security/issues/180

   McCool: I'd prefer to see a more extensible support
   ... so I'll leave the issue open to track the discussion
   ... I think that a solution for #168 is to create an issue for
   each use case that still misses a security/privacy section.

   <kaz> [23]Issue 168 - security and privacy considerations for
   all the use cases (or requirements)

     [23] https://github.com/w3c/wot-security/issues/168

   <kaz> [24]Issue 166 - integrity protection

     [24] https://github.com/w3c/wot-security/issues/166

   McCool: any final things?
   ... Ok let's close the meeting

   <kaz> [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [25]scribe.perl version ([26]CVS log)
    $Date: 2020/09/09 01:29:37 $

     [25] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [26] http://dev.w3.org/cvsweb/2002/scribe/

Received on Monday, 21 September 2020 09:36:21 UTC