[wot-security] minutes - 30 July 2018

available at:

also as text below.





      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

30 Jul 2018


          Kaz_Ashimura, Michael_McCool, Tomoaki_Mizushima,
          Kazuaki_Nimura, Barry_Leiba





     * [2]Topics
         1. [3]Review of minutes from last meeting
         2. [4]PR 107
         3. [5]Testing
         4. [6]TD updates
         5. [7]Actions
         6. [8]Other issues
     * [9]Summary of Action Items
     * [10]Summary of Resolutions

   [11]prev minutes

     [11] https://www.w3.org/2018/07/23-wot-sec-minutes.html

Review of minutes from last meeting

   [12]prev minutes

     [12] https://www.w3.org/2018/07/23-wot-sec-minutes.html

   McCool: need to skip plugfest/f2f review again
   ... went over proposals
   ... (updates the agenda with "Testing plan")
   ... first action is done
   ... 2nd action, did the 2nd half
   ... waiting for answer
   ... carry forward with the 4 last actions
   ... and new action: "McCool to write PR on TD spec for security
   ... any objections to accept the prev minutes?


   McCool: ok. so the minutes has been accepted

   <inserted> (Barry joins)

   McCool: (goes through the agenda for today)
   ... anything else?


PR 107

   [13]PR 107

     [13] https://github.com/w3c/wot-security/pull/107

   McCool: happy with it
   ... a few minor fixes
   ... go ahead with the next step
   ... nothing major
   ... go ahead and accept that
   ... any objection to merge this?


   McCool: ok. will merge it :)
   ... get action to clean it up
   ... one more chance to discuss before merging with the main


   McCool: follow through the action from f2f
   ... drafted a document here

   [14]Testing Plan

     [14] https://github.com/w3c/wot/blob/master/testing/plan.md

   McCool: one thing would ask people to do
   ... go through the section on security testing
   ... limited scope (=list of "NOT do"s)
   ... lifecycle limitation for point 2
   ... protocols for point 3
   ... security best practices for point 4
   ... should have a separate document for security best practices
   ... but later
   ... MQTT - TODO: details: DTLS testing etc.
   ... for HTTP, I have SSL testing, etc.

   Barry: we might do...
   ... to use HTTPS, CoAPS, MQTTS
   ... obvious to use secure version of protocols

   McCool: ok
   ... need to have how to secure MQTT

   Barry: need to see core working group document

   McCool: create a PR for one paragraph?

   Barry: can work on a shot

   McCool: if you can send by email, I can make a PR
   ... CoAP-based protocol
   ... e.g., DTLS testing
   ... regarding HTTP, described web services here
   ... one of issues
   ... particular commercial service or tool?
   ... or standard
   ... may have political issues
   ... might have some example
   ... free/opensource one
   ... link to OWASP Testing Project


     [15] https://www.owasp.org/index.php/OWASP_Testing_Project

   McCool: and penetration testing
   ... these 2 things should be enough
   ... please review this section and give comments
   ... Metasploit is a framework
   ... thought that was a free one

TD updates

   McCool: PSK and none schemes


     [16] https://rawgit.com/w3c/wot-thing-description/TD-JSON-LD-1.1/index.html#security


     [17] https://github.com/w3c/wot-thing-description/pull/173


     [18] https://github.com/w3c/wot-thing-description/pull/173/commits/8bfdde781b354df848e0aed0bf8d21e3facb07bd

   McCool: maybe the rendered version not correctly submitted


     [19] https://github.com/w3c/wot-thing-description/issues/165

   McCool: created a TD issue above (165)
   ... Should "security" be mandatory
   ... can declare security "none" at the top level
   ... would like to respond to Ben and ask him clarification
   ... having nothing vs "none" have a bit different meanings
   ... actual implementations can do something if nothing is
   ... but TD should have explicit information
   ... would discourage TD to be incomplete
   ... personally think security should be mandatory
   ... we could recommend security is mandatory for
   machine-to-machine interaction
   ... would like to see people's opinions

   Barry: definitely should be mandatory

   McCool: others?

   Nimura: should be mandatory

   McCool: it is related to binding contract

   Mizushima: no questions

   McCool: (adds a comment to issue 165)
   ... discussed this in the security tf and the consensus was to
   make "security" mandatory
   ... also, we felt that the security spec in the TD should be
   "binding", e.g., it should be considered an error if the Thing
   goes off and does security a different way.
   ... resolution: yes, make it mandatory. also binding.


   McCool: we can remove the first action (from the prev minutes)
   ... need to ping IIC
   ... 3 other things got no progress yet
   ... new action

   <scribe> ACTION: Barry to suggest DTLS testing plan applicable
   for CoAP/MQTT

   <McCool> ACTION: McCool to clean up Security and Privacy
   Considerations documents for final update to master by next

   McCool: also best practice document

   <McCool> ACTION: everyone to generate set of best practices for
   draft by next week

   McCool: no update on the long-term schedule
   ... will update people to find out

Other issues

   [20]issue 106

     [20] https://github.com/w3c/wot-security/issues/106

   McCool: leave it open

   [21]issue 105

     [21] https://github.com/w3c/wot-security/issues/105

   McCool: any opinions?
   ... originally raised by Lagally during f2f
   ... more than form for different mechanisms
   ... any prioritization?
   ... any objections to leave out priorities?

   Barry: makes sense

   (no objections)

   McCool: adds a comment to issue 105
   ... We discussed this in the Security TF and felt that
   priorities caused more problems than they would solve and we
   should leave them out.

   [22]issue 102

     [22] https://github.com/w3c/wot-security/issues/102

   McCool: adds a comment
   ... We ARE going to have a Best Practices document of some kind
   if only to limit the scope of testing. Initially this will just
   be a section of the Security and Privacy Considerations
   document although we should break it out into a separate
   document eventually.


Summary of Action Items

   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
   Web Security IG about testing/validation timeline (first item
   tbd; second item done)
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570)
   for issue 98
   [ONGOING] ACTION: mcCool to write PR on TD spec for security
   [NEW] ACTION: Barry to suggest DTLS testing plan applicable for
   [NEW] ACTION: everyone to generate set of best practices for
   draft by next week
   [NEW] ACTION: McCool to clean up Security and Privacy
   Considerations documents for final update to master by next

Summary of Resolutions

   [End of minutes]

    Minutes formatted by David Booth's [23]scribe.perl version
    1.152 ([24]CVS log)
    $Date: 2018/08/07 01:04:09 $

     [23] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [24] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 7 August 2018 01:16:12 UTC