[wot-security] minutes - 11 December 2017

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Thu, 21 Dec 2017 00:16:32 +0900
Message-ID: <CAJ8iq9U=T4RVrWLOTh9rG0DPfC4SJJZZhKXin5O4Kx08ZdmA3Q@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:

also as text below.


                               - DRAFT -

                              WoT Security

11 Dec 2017


          Kaz_Ashimura, Elena_Reshetova, Michael_Koster,
          Michael_McCool, Tomoaki_Mizushima, Barry_Leiba





     * [2]Topics
         1. [3]NDSS paper
         2. [4]publication status
         3. [5]NDSS paper (revisited)
         4. [6]wot-security issues
         5. [7]next meeting
         6. [8]prev minutes
     * [9]Summary of Action Items
     * [10]Summary of Resolutions

   <scribe> scribenick: kaz

NDSS paper

   mccool: deadline on Dec 11
   ... 4 commits after Barry's review
   ... can walk through the updates

publication status

   kaz: Elena created a pull request about my question

   elena: have fixed all the problems you mentioned

   -> [11]https://github.com/w3c/wot-security/pulls/57 Kaz's

     [11] https://github.com/w3c/wot-security/pulls/57

   kaz: added the UID (W3C account id) for McCool and Elena

   mccool: ok

   mccool: merges the change

   -> [12]https://github.com/w3c/wot-security/pull/58 Elena's
   pull request on fixing problems Kaz pointed out

     [12] https://github.com/w3c/wot-security/pull/58

   mccool: goes through the changes

   (fixed broken links at reference)

   mccool: merges the fix

   kaz: will check the document using the checker again
   ... and will work with the webmaster for the publication

NDSS paper (revisited)

   mccool: submissions 3 and 4

   barry: reviewed submission 3
   ... clarifying the goal of the paper would be helpful

   mccool: 30 submissions so far
   ... 12 of them are expected at the workshop
   ... we're talking about reviewing the draft spec
   ... in the context of reviewing a standard
   ... I myself am one of the organizers, so can't support this
   paper itself due to Conflict of Interest

   -> [13]https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-wot-sec.pdf PDF version

     [13] https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-wot-sec.pdf

   barry: looks good to me but how about the others?
   ... this is a workshop paper, not a conference paper
   ... explicitly mentioning that we've started some work

   mccool: important exercise for people to participate in
   ... concept of reviewing the standard asap

   elena: shorten the background section?

   mccool: changed the examples to actual examples
   ... example of an application servient

   (some more discussion)

   mccool: C. Endpoint Adaptation
   ... will try one more round of updates
   ... if you find any small problems (typos, missing words, etc.)
   please create pull requests

   kaz: ok to fix the URL for link 14 after the publication of the

   mccool: can fix it now, and also can update later as well

   [Kaz's comment on reference [14]]
   The link "https://www.w3.org/TR/2017/WD-wot-security-20171116/"

   E. Reshetova and M. McCool, “Web of Things (WoT) Security
   and Privacy Considerations,” W3C, W3C Note, Sep. 2017.
   Available: https://www.w3.org/TR/2017/WD-wot-security-20171116/
   should be:

   as the generic URL at the moment (but should be updated with the
   dated URL, e.g.,
   once the document is published
   also "Sep." should be "Dec."

   mccool: ok

wot-security issues

   [14]https://github.com/w3c/wot-security/issues/59 TD/API
   security requirements for the next plugfest

     [14] https://github.com/w3c/wot-security/issues/59

   -> [15]https://github.com/w3c/wot-scripting-api/issues/82#issuecomment-350662317 related issue on Scripting

     [15] https://github.com/w3c/wot-scripting-api/issues/82#issuecomment-350662317

   mccool: 2 issues here
   ... added a comment here to the scripting issue 82
   ... and created another issue for security repo 59
   ... adding another description to security issue 59
   ... perhaps there are two issues
   ... 1. specifying "security" section of an exposed TD. The
   requirements for the scripting API will be given entirely by
   the requirements for the TD spec. Right now the TD spec has an
   "open" format for the security metadata so probably the API
   should just allow similar arbitrary data in the API

   elena: 2nd issue would be much bigger?

   mccool: 2. A possibly related issue is how "provisioned
   security data" (keys, etc.) are provided to a particular
   instance of a WoT object, e.g., for a service
   ... do we assume a WoT servient magically finds that key?
   ... how to handle this?

   kaz: maybe we need 3 different kinds of identifiers?
   ... one for the devices, 2nd for the apps and 3rd for the
   ... and some mechanism for how to identify the combination of
   those three identifiers

   elena: depends on the application

   mccool: the first point is easier
   ... related to the problem of lifecycle

   elena: we have the 2nd point within the privacy consideration?
   ... the lifecycle issue is related to how to handle the
   credential for multiple apps

   mccool: we can add a link from the security document to
   specific issues on the GitHub repo
   ... any other issues to review?

   [16]https://github.com/w3c/wot-security/issues/52 Blockchains
   for WoT

     [16] https://github.com/w3c/wot-security/issues/52

   mccool: blockchains may fit with WoT
   ... the Payment WG is working on rechartering
   ... interledger would be a good place to start for "blockchain

   [17]https://github.com/w3c/wot-security/issues/53 authorization
   and minimizing access to TD in Things directory

     [17] https://github.com/w3c/wot-security/issues/53

   mccool: possibly multiple questions here...
   ... 1. who is authorized to use the Thing Directory Web
   service? since this is a Web service, it can be handled like
   other Web services.
   ... 2. How can/should we support sub-setting of Thing
   Descriptions, i.e., should a Thing Directory support different
   levels of authorization?
   ... 3. if we do a semantic search, the data that can be used
   for inferencing should also only be data that the user has
   authorization to access.
   ... for example, could have two levels of access, full and
   partial. Then a user with partial access can only do
   inferencing over partial TDs.
   ... a related problem
   ... Thing Directories are not officially part of the WoT
   ... this may be a problem since we may leave out important
   security hooks like the identity of the entity doing discovery.

next meeting

   elena: not available on 18th

   mccool: can handle the next meeting
   ... let's talk about lifecycle, etc.

   barry: won't be available on 18th

   mccool: ah, in that case, maybe we can simply cancel the
   meeting on 18th
   ... can just have discussion on publication with Kaz

prev minutes

   [18]https://www.w3.org/2017/12/04-wot-sec-minutes.html prev

     [18] https://www.w3.org/2017/12/04-wot-sec-minutes.html

   mccool: don't see problems

   elena: we should update the publication plan

   -> [19]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule publication schedule

     [19] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule

   mccool: we'll update the publication with Feb. 15 (Thu)
   ... the prev minutes themselves are accepted


Summary of Action Items

Summary of Resolutions

   [End of minutes]

    Minutes formatted by David Booth's [20]scribe.perl version
    1.147 ([21]CVS log)
    $Date: 2017/12/20 15:13:54 $

     [20] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [21] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 20 December 2017 15:17:43 UTC