- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 7 Aug 2018 10:14:28 +0900
- To: public-wot-wg@w3.org, Public Web of Things IG <public-wot-ig@w3.org>
available at: https://www.w3.org/2018/07/30-wot-sec-minutes.html also as text below. Thanks, Kazuyuki --- [1]W3C [1] http://www.w3.org/ - DRAFT - WoT Security 30 Jul 2018 Attendees Present Kaz_Ashimura, Michael_McCool, Tomoaki_Mizushima, Kazuaki_Nimura, Barry_Leiba Regrets Elena Chair McCool Scribe kaz Contents * [2]Topics 1. [3]Review of minutes from last meeting 2. [4]PR 107 3. [5]Testing 4. [6]TD updates 5. [7]Actions 6. [8]Other issues * [9]Summary of Action Items * [10]Summary of Resolutions __________________________________________________________ [11]prev minutes [11] https://www.w3.org/2018/07/23-wot-sec-minutes.html Review of minutes from last meeting [12]prev minutes [12] https://www.w3.org/2018/07/23-wot-sec-minutes.html McCool: need to skip plugfest/f2f review again ... went over proposals ... (updates the agenda with "Testing plan") ... first action is done ... 2nd action, did the 2nd half ... waiting for answer ... carry forward with the 4 last actions ... and new action: "McCool to write PR on TD spec for security definition" ... any objections to accept the prev minutes? (none) McCool: ok. so the minutes has been accepted <inserted> (Barry joins) McCool: (goes through the agenda for today) ... anything else? (none) PR 107 [13]PR 107 [13] https://github.com/w3c/wot-security/pull/107 McCool: happy with it ... a few minor fixes ... go ahead with the next step ... nothing major ... go ahead and accept that ... any objection to merge this? (none) McCool: ok. will merge it :) ... get action to clean it up ... one more chance to discuss before merging with the main branch Testing McCool: follow through the action from f2f ... drafted a document here [14]Testing Plan [14] https://github.com/w3c/wot/blob/master/testing/plan.md McCool: one thing would ask people to do ... go through the section on security testing ... limited scope (=list of "NOT do"s) ... lifecycle limitation for point 2 ... protocols for point 3 ... security best practices for point 4 ... should have a separate document for security best practices ... but later ... MQTT - TODO: details: DTLS testing etc. ... for HTTP, I have SSL testing, etc. Barry: we might do... ... to use HTTPS, CoAPS, MQTTS ... obvious to use secure version of protocols McCool: ok ... need to have how to secure MQTT Barry: need to see core working group document McCool: create a PR for one paragraph? Barry: can work on a shot McCool: if you can send by email, I can make a PR ... CoAP-based protocol ... e.g., DTLS testing ... regarding HTTP, described web services here ... one of issues ... particular commercial service or tool? ... or standard ... may have political issues ... might have some example ... free/opensource one ... link to OWASP Testing Project [15]OWASP [15] https://www.owasp.org/index.php/OWASP_Testing_Project McCool: and penetration testing ... these 2 things should be enough ... please review this section and give comments ... Metasploit is a framework ... thought that was a free one TD updates McCool: PSK and none schemes [16]https://rawgit.com/w3c/wot-thing-description/TD-JSON-LD-1.1 /index.html#security [16] https://rawgit.com/w3c/wot-thing-description/TD-JSON-LD-1.1/index.html#security [17]https://github.com/w3c/wot-thing-description/pull/173 [17] https://github.com/w3c/wot-thing-description/pull/173 [18]https://github.com/w3c/wot-thing-description/pull/173/commi ts/8bfdde781b354df848e0aed0bf8d21e3facb07bd [18] https://github.com/w3c/wot-thing-description/pull/173/commits/8bfdde781b354df848e0aed0bf8d21e3facb07bd McCool: maybe the rendered version not correctly submitted yet... <McCool> [19]https://github.com/w3c/wot-thing-description/issues/165 [19] https://github.com/w3c/wot-thing-description/issues/165 McCool: created a TD issue above (165) ... Should "security" be mandatory ... can declare security "none" at the top level ... would like to respond to Ben and ask him clarification ... having nothing vs "none" have a bit different meanings ... actual implementations can do something if nothing is specified ... but TD should have explicit information ... would discourage TD to be incomplete ... personally think security should be mandatory ... we could recommend security is mandatory for machine-to-machine interaction ... would like to see people's opinions Barry: definitely should be mandatory McCool: others? Nimura: should be mandatory McCool: it is related to binding contract Mizushima: no questions McCool: (adds a comment to issue 165) ... discussed this in the security tf and the consensus was to make "security" mandatory ... also, we felt that the security spec in the TD should be "binding", e.g., it should be considered an error if the Thing goes off and does security a different way. ... resolution: yes, make it mandatory. also binding. Actions McCool: we can remove the first action (from the prev minutes) ... need to ping IIC ... 3 other things got no progress yet ... new action <scribe> ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT <McCool> ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week McCool: also best practice document <McCool> ACTION: everyone to generate set of best practices for draft by next week McCool: no update on the long-term schedule ... will update people to find out Other issues [20]issue 106 [20] https://github.com/w3c/wot-security/issues/106 McCool: leave it open [21]issue 105 [21] https://github.com/w3c/wot-security/issues/105 McCool: any opinions? ... originally raised by Lagally during f2f ... more than form for different mechanisms ... any prioritization? ... any objections to leave out priorities? Barry: makes sense (no objections) McCool: adds a comment to issue 105 ... We discussed this in the Security TF and felt that priorities caused more problems than they would solve and we should leave them out. [22]issue 102 [22] https://github.com/w3c/wot-security/issues/102 McCool: adds a comment ... We ARE going to have a Best Practices document of some kind if only to limit the scope of testing. Initially this will just be a section of the Security and Privacy Considerations document although we should break it out into a separate document eventually. [adjourned] Summary of Action Items [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C Web Security IG about testing/validation timeline (first item tbd; second item done) [ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?) [ONGOING] ACTION: mjkoster/elena to review examples in the security spec [ONGOING] ACTION: mccool to look into URI templates (RFC6570) for issue 98 [ONGOING] ACTION: mcCool to write PR on TD spec for security definition [NEW] ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT [NEW] ACTION: everyone to generate set of best practices for draft by next week [NEW] ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week Summary of Resolutions [End of minutes] __________________________________________________________ Minutes formatted by David Booth's [23]scribe.perl version 1.152 ([24]CVS log) $Date: 2018/08/07 01:04:09 $ [23] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [24] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 7 August 2018 01:16:12 UTC