- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Thu, 21 Dec 2017 00:16:32 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at: https://www.w3.org/2017/12/11-wot-sec-minutes.html also as text below. Thanks, Kazuyuki --- [1]W3C [1] http://www.w3.org/ - DRAFT - WoT Security 11 Dec 2017 Attendees Present Kaz_Ashimura, Elena_Reshetova, Michael_Koster, Michael_McCool, Tomoaki_Mizushima, Barry_Leiba Regrets Chair McCool Scribe kaz Contents * [2]Topics 1. [3]NDSS paper 2. [4]publication status 3. [5]NDSS paper (revisited) 4. [6]wot-security issues 5. [7]next meeting 6. [8]prev minutes * [9]Summary of Action Items * [10]Summary of Resolutions __________________________________________________________ <scribe> scribenick: kaz NDSS paper mccool: deadline on Dec 11 ... 4 commits after Barry's review ... can walk through the updates publication status kaz: Elena created a pullrequest about my question elena: have fixed all the problems you mentioned -> [11]https://github.com/w3c/wot-security/pulls/57 Kaz's pullrequest [11] https://github.com/w3c/wot-security/pulls/57 kaz: added the UID (W3C account id) for McCool and Elena mccool: ok mccool: merges the change -> [12]https://github.com/w3c/wot-security/pull/58 Elena's pullrequest on fixing problems Kaz pointed out [12] https://github.com/w3c/wot-security/pull/58 mccool: goes through the changes (fixed broken links at reference) mccool: merges the fix kaz: will check the document using the checker again ... and will work with the webmaster for the publication NDSS paper (revisited) mccool: submission 3 and 4 barry: reviewed submission 3 ... clarifying the goal of the paper would be helpful mccool: 30 submissions so far ... 12 of them are expected at the workshop ... we're talking about reviewing the draft spec ... in the context of reviewing a standard ... I myself am one of the organizers, so can't support this paper itself due to Conflict of Interest -> [13]https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-wo t-sec.pdf PDF version [13] https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-wot-sec.pdf barry: looks good to me but how about the others? ... this is a workshop paper, not a conference paper ... explicitly mentioning that we've started some work mccool: important exercise for people to participate in ... concept of reviewing the standard asap elena: shorten the background section? mccool: changed the examples to actual examples ... example of an application servient (some more discussion) mccool: C. Endpoint Adaptation ... will try one more around update ... if you find any small problems (typos, missing words, etc.) please create pullrequests kaz: ok to fix the URL for link 14 after the publication of the Note? mccool: can fix it now, and also can update later as well [Kaz's comment on reference [14]] The link "https://www.w3.org/TR/2017/WD-wot-security-20171116/" at: E. Reshetova and M. McCool, “Web of Things (WoT) Security and Privacy Considerations,” W3C, W3C Note, Sep. 2017. [Online]. Available: https://www.w3.org/TR/2017/WD-wot-security-20171116/ ]] sould be: https://www.w3.org/TR/NOTE-wot-security/ ]] as the generic URL at the moment (but should be update with the dated URL, e.g., https://www.w3.org/TR/2017/NOTE-wot-security-20171214/ once the document is published also "Sep." should be "Dec." [14] https://github.com/w3c/wot-security/issues/59 mccool: ok wot-security issues [14]https://github.com/w3c/wot-security/issues/59 TD/API security requirements for the next plugfest [14] https://github.com/w3c/wot-security/issues/59 [15]https://github.com/w3c/wot-scripting-api/issues/82#issuecom ment-350662317 related issue on Scripting [15] https://github.com/w3c/wot-scripting-api/issues/82#issuecomment-350662317 mccool: 2 issues here ... added a comment here to the scripting issue 82 ... and created another issue for security repo 59 ... adding another description to security issue 59 ... perhaps there are two issues ... 1. specifying "security" section of an exposed TD. The requirements for the scripting API will be given entirely by the requirements for the TD spec. Right now the TD spec has an "open" format for the security metadata so probably the API should just allow similar arbitary data in the API elena: 2nd issue would be much bigger? mccool: 2. A possibly related issue is now "provisioned security data" (keys, etc.) are provided to a particular instanc of a WoT object, e.g., for a service ... do we assume a WoT servient magically find that key? ... how to handle this? kaz: maybe we need 3 different kinds of identifiers? ... one for the devices, 2nd for the apps and 3rd for the users? ... and some mechanism to how to identify the combination of those three identifiers elena: depends on the application mccool: the first point is easier ... related to the problem of lifecycle elena: we have the 2nd point within the privacy consideration? ... the lifecycle issue is related to how to handle the credential for multiple apps mccool: we can add a link from the security document to specific issues on the GitHub repo ... any other issues to review? [16]https://github.com/w3c/wot-security/issues/52 Blockchains for WoT [16] https://github.com/w3c/wot-security/issues/52 mccool: blockchains may fit with WoT ... the Payment WG is working on rechartering ... interledger would be a good place to start for "blockchain authorization" [17]https://github.com/w3c/wot-security/issues/53 authorization and minimizing access to TD in Things directory [17] https://github.com/w3c/wot-security/issues/53 mccool: possibly multiple questions here... ... 1. who is authorized to use the Thing Directory Web service? shince this is a Web service, it can be handled like other Web service. ... 2. How can/should we support sub-setting of Thing Descriptions, i.e., should a Thing Directory support different levels of authorization? ... 3. if we do a semantic search, the data that can be used for inferencing should also only be data that the user has authorization to access. ... for example, could have two levels of access, full and partial, Then a user with partial access can only do inferencing over partial TDs. ... a related problem ... Thing Directories are not officially part of the WoT architecture. ... this may be a problem since we may leave out important security hooks like the identity of the entity doing discovery. next meeting elena: not available on 18th mccool: can handle the next meeting ... let's talk about lifecycle, etc. barry: won't be available on 18th mccool: ah, in that case, maybe we can simply cancel the meeting on 18th ... can just have discussion on publication with Kaz prev minutes [18]https://www.w3.org/2017/12/04-wot-sec-minutes.html prev minutes [18] https://www.w3.org/2017/12/04-wot-sec-minutes.html mccool: don't see problems elena: we should update the publication plan [19]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule publication schedule [19] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule mccool: we'll update the publication with Feb. 15 (Thu) ... the prev minutes themselves are accepted [adjourned] Summary of Action Items Summary of Resolutions [End of minutes] __________________________________________________________ Minutes formatted by David Booth's [20]scribe.perl version 1.147 ([21]CVS log) $Date: 2017/12/20 15:13:54 $ [20] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [21] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 20 December 2017 15:17:43 UTC