(resending) [wot-security] minutes - 8 November 2021

(sorry but resending with the correct text version)

available at:
  https://www.w3.org/2021/11/08-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] https://www.w3.org/

                              WoT Security

08 November 2021

   [2]Agenda. [3]IRC log.

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#8_November_2021
      [3] https://www.w3.org/2021/11/08-wot-sec-irc

Attendees

   Present
          Cristiano_Aguzzi, Jiye_Park, Kaz_Ashimura,
          Michael_McCool, Sebastian_Kaebisch, Tomoaki_Mizushima,
          Zoltan_Kis

   Regrets
          -

   Chair
          McCool

   Scribe
          kaz

Contents

    1. [4]Preliminary
    2. [5]Issues related to the Scripting API
    3. [6]AOB

Meeting minutes

  Preliminary

   Jiye: Jiye Park from Siemens
   … taking over the role from Oliver

   <sebastiankaebisch> Hello

   McCool: (gives basic instructions)

   <McCool>
   [7]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#8_November_2021

      [7] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#8_November_2021

   McCool: you can bookmark the URL of the wiki page above

   <Jiye> thanks!

   McCool: we have 2 documents
   … Security and Privacy Guidelines
   … and Security Best Practices document
   … tell people the best strategy for security and privacy
   … currently the document is thin
   … need use cases and best practices
   … including HTTPS and OAuth
   … as discussed during the vF2F, we require authentication
   … separate spec for key distribution
   … the best practices document is not yet published

   <McCool> [8]https://github.com/w3c/wot-security

      [8] https://github.com/w3c/wot-security

   <McCool> [9]https://w3c.github.io/wot-security/

      [9] https://w3c.github.io/wot-security/

   McCool: we use separate GitHub repositories for spec work for
   easier rendering
   … GitHub and HTML rendering for WoT Security and Privacy
   Guidelines above

   <McCool> [10]https://github.com/w3c/wot-security-best-practices

     [10] https://github.com/w3c/wot-security-best-practices

   McCool: the Best Practices document will be changed in the
   future
   … meant to be an appendix

   <McCool> [11]https://w3c.github.io/wot-security-best-practices/

     [11] https://w3c.github.io/wot-security-best-practices/

   <sebastian> sorry, I need to go now. Bye

   McCool: we have two large sections for the Security Best
   Practices document

   Jiye: thanks for the summary

  Issues related to the Scripting API

   McCool: anything to be added to the agenda?

   Zoltan: would it make sense to have generic guidelines for
   exposing/consuming Things?
   … there should be different requirements for exposing Thing and
   consuming Thing

   McCool: ok
   … let me capture the points within an issue

   [12]wot-security-best-practices issue 26 - Use Cases for
   Exposed and Consumed Things

     [12] https://github.com/w3c/wot-security-best-practices/issues/26

   McCool: and another issue on onboarding and key distribution

   [13]wot-security-best-practices issue 27 - Add Onboarding/Key
   Distribution Section

     [13] https://github.com/w3c/wot-security-best-practices/issues/26

   McCool: keys are needed for TLS
   … in a global network, existing CA-based mechanisms can and
   should be used
   … in local and offline networks, a separate key distribution
   mechanism is needed in order to use TLS
   … this is currently a gap but we should define the requirements
   here
   … Discovery may also be needed
   … explain how this relates to WoT Discovery
   … bunch of stuff being discussed on onboarding

   Zoltan: can give some comments
   … to the GitHub Issue

   Cristiano: we're also tracking an issue for the Scripting API

   <cris_> [14]https://github.com/w3c/wot-scripting-api/issues/315

     [14] https://github.com/w3c/wot-scripting-api/issues/315

   Zoltan: should belong to another issue on provisioning

   <cris_> (to be more precise we have this issue
   [15]https://github.com/w3c/wot-scripting-api/issues/298)

     [15] https://github.com/w3c/wot-scripting-api/issues/298

   McCool: (adds that point to the Issue 27)

   [16]Issue 27 - Add Onboarding/Key Distribution Section

     [16] https://github.com/w3c/wot-security-best-practices/issues/27

   Cristiano: two links above
   … wot-scripting-api issue 298 should be better to use here

   McCool: (adds a link for wot-scripting-api issue 298 to
   wot-security-best-practices issue 27)

   [17]updated comments for Issue 27

     [17] https://github.com/w3c/wot-security-best-practices/issues/27#issue-1047450206

   McCool: it's a separate issue from key management
   … we should look into the library
   … (adds comments to wot-scripting-api issue 298)
   … we should add exploratory work
   … (adds comments to wot issue 978 about the WoT WG renewal)

   [18]wot issue 978 - WoT WG renewal 2021

     [18] https://github.com/w3c/wot/issues/978

   McCool: Management API as a separate API from the Scripting API
   … including configuring security schemes and establishing keys
   … onboarding process results in a set of "key objects"

   [19]updated comments for wot issue 978

     [19] https://github.com/w3c/wot/issues/978#issuecomment-963160698

   Kaz: 2 comments
   … we should work with the DAS WG about this point
   … also we should have generic issue on onboarding and key
   management for the wot-security repository as well as the
   wot-best-practices repository

   McCool: yeah
   … would consider making the "Security Best Practices" a
   normative document
   … but we'd like to update the document based on the latest best
   practices

   Kaz: in that case, Note would be a better direction

   McCool: or might be an evergreen approach
   … need to consider how this relates to certification

   <McCool>
   [20]https://www.chromium.org/teams/web-capabilities-fugu

     [20] https://www.chromium.org/teams/web-capabilities-fugu

   McCool: possibility of Fugu above

  AOB

   McCool: we had joint discussion on Signature, etc., with the
   DID WG guys
   … they have a mechanism to distribute keys

   Zoltan: any idea on offloading by Web Assembly, etc.?

   McCool: similar discussion during the breakout by the Web
   Networks guys
   … our own question is do we want to work on that ourselves?
   … or would the other group(s) work on that?
   … need to look into Web Workers as well
   … let's continue to work on the topics
   … will review the prev minutes next week.

   [adjourned]


    Minutes manually created (not a transcript), formatted by
    [21]scribe.perl version 159 (Fri Nov 5 17:37:14 2021 UTC).

     [21] https://w3c.github.io/scribe2/scribedoc.html

Received on Monday, 10 January 2022 08:52:26 UTC