- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 15 Feb 2021 21:30:48 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at: https://www.w3.org/2021/02/01-wot-sec-minutes.html also as text below. Thanks, Kazuyuki --- [1]W3C [1] https://www.w3.org/ WoT Security 01 February 2021 [2]Agenda. [3]IRC log. [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#1_February_2021 [3] https://www.w3.org/2021/02/01-wot-sec-irc Attendees Present Cristiano_Aguzzi, Kaz_Ashimura, Michael_McCool, Oliver_Pfaff, Tomoaki_Mizushima Regrets Elena_Reshetova Chair McCool Scribe kaz Contents 1. [4]Prev minutes 2. [5]WIP: add URI template location for security scheme parameters #1032 3. [6]Consider security issues in Discovery #196 4. [7]AOB Meeting minutes Prev minutes [8]Jan-25 [8] https://www.w3.org/2021/01/25-wot-sec-minutes.html McCool: would be better to add titles for issues/PRs... McCool: (goes through the sections on apikeys from the editor's draft of the Thing Description spec) WIP: add URI template location for security scheme parameters #1032 [9]PR 1032 [9] https://github.com/w3c/wot-thing-description/pull/1032 McCool: (explains the points) [10]McCool's comments [10] https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-766835622 "securityDefinitions": { "template": { "scheme": "uri", "uriVariables": { "ID" : { "type": "string", "@type": "SecurityID" }, "KEY" : { "type": "string", "@type": "SecurityKey" } } } } ]] (example above) McCool: (adds some more comments in response to the comments from Cristiano and Ege) … (put a "uri_key" entry, a "uri_id" entry and a combo entry to a new example) McCool: (shoes the ED of the TD spec again) [11]Thing Description Editor's Draft - 5.3.3.6 APIKeySecurityScheme [11] https://w3c.github.io/wot-thing-description/#apikeysecurityscheme [12]McCool's updated comments including the new example of the combo security [12] https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-770853792 McCool: go with the "name" option Consider security issues in Discovery #196 [13]Issue 196 [13] https://github.com/w3c/wot-security/issues/196 [14]related PR - Update SPARQL DDoS ed note #107 [14] https://github.com/w3c/wot-discovery/pull/107 <kaz> s/relate PR/relate PR for wot-discovery/ [15]Section 7. Security and Privacy Considerations [15] https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/pull/107.html#security-considerations McCool: (shows the related PR 107 for WoT Discovery and its preview) … (and then goes back to the Issue 196 itself) … (adds comments) … location may be implicit … if a TD simply *appears* in a directory, then we know the Thing is in range (e.g. of WiFi) so it can register with the TDD … (adds some more comments) … in general, "disabling" geolocation for personal devices may be necessary, although it still is useful for institutional use cases … another option would be to use a "code generator" to generate IDs (perhaps in combination with encrypted TDs) that is synchronized between the device and another application available to the user … so, for example, a user could use an app on their laptop to generate the current ID and then do a discovery search to find the location of their car, which had registered an encrypted TD with tat (rotating) ID with a discovery service. Kaz: yeah, this discussion is very important for security purposes … note that we should be get ready for the privacy review at some point (within 6 months) McCool: yeah … we need to work on this … probably we need to allow "nosec" although it's probably a very bad idea except for development use cases. … we could perhaps add an assertion that [[if a TDD service is available to anyone other than the developer and supports registration of third-party TDs then it MUST NOT use the "nosec" scheme]] AOB McCool: aob? (none) [adjourned] Minutes manually created (not a transcript), formatted by [16]scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC). [16] https://w3c.github.io/scribe2/scribedoc.html
Received on Monday, 15 February 2021 12:35:54 UTC