W3C home > Mailing lists > Public > public-wot-wg@w3.org > August 2018

[wot-security] minutes - 13 August 2018

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Mon, 20 Aug 2018 22:24:04 +0900
Message-ID: <CAJ8iq9XJAkjqh8_Ck31LLWpgam2aUjzfC5MUy-F8wxmPEZfquQ@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2018/08/13-wot-sec-minutes.html

also as text below.

Thanks a lot for taking these minutes, Michael Koster!

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

13 Aug 2018

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Ryo_Kajiwara,
          Michael_Koster, Elena_Reshetova

   Regrets

   Chair
          McCool

   Scribe
          mjkoster

Contents

     * [3]Topics
         1. [4]Agenda review
         2. [5]Review minutes from the last meeting
         3. [6]Permissions workshop
         4. [7]PR on Security scenarios
     * [8]Summary of Action Items
     * [9]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: mjkoster

Agenda review

   (McCool goes through the [10]draft agenda for today)

     [10] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Review minutes from the last meeting

   <kaz> [11]minutes from last meeting

     [11] https://www.w3.org/2018/08/06-wot-sec-minutes.html

   McCool: last minute change to the term "none" to "nosec"
   ... any corrections to the minutes?
   ... minutes accepted
   ... please carry the action items to the next agenda

Permissions workshop

   <McCool> [12]https://github.com/mmccool/w3c-permissions-2018

     [12] https://github.com/mmccool/w3c-permissions-2018

   Ryo: focus on user permission of access control and how users
   decide which data to share

   McCool: should mention how this aligns with the WoT approach of
   access metadata
   ... could edit online

   <McCool>
   [13]https://github.com/mmccool/w3c-permissions-2018/blob/sec-ed
   it/README.md

     [13] https://github.com/mmccool/w3c-permissions-2018/blob/sec-edit/README.md

PR on Security scenarios

   McCool: looks ready to merge

   <inserted> [14]PR 108

     [14] https://github.com/w3c/wot-security/pull/108

   Elena: PR #108
   ... review and walk-through the PR
   ... this is a basic description of scenarios, does anyone have
   feedback or comments

   McCool: building tenants and employees may come and go,
   requiring management of access rights to users
   ... when a tenant leaves there is a privacy issue where data
   must not be retained
   ... for example, there may need to be temporary access granted
   to an employee for the thermostat in a room while the employee
   is in the room
   ... ideally there should be some access control that doesn't
   require use of the device

   Elena: threat model characterization

   McCool: should emphasize that this is an office environment

   Elena: it includes company information as a protected asset

   McCool: also access to the premises

   Elena: scenario3 is industrial, focus on safety and
   availability, privacy is less important
   ... another assumption is access would be protected by
   partitioning networks

   McCool: for example access from the IT network to the OT
   network to collect statistics
   ... but need to make it difficult to access the OT network by
   compromising the IT network
   ... also has the requirement to manage employee access in a
   dynamic way
   ... e.g. when employees transition in and out of the company
   ... does anyone else have comments, would anyone else be
   willing to review?
   ... which issues can we close?

   Elena: 20 and 21

   <kaz> [15]issue 20

     [15] https://github.com/w3c/wot-security/issues/20

   <kaz> [16]issue 21

     [16] https://github.com/w3c/wot-security/issues/21

   McCool: review other issues

   <kaz> [17]issue 44

     [17] https://github.com/w3c/wot-security/issues/44

   <kaz> [18]issue 48

     [18] https://github.com/w3c/wot-security/issues/48

   <kaz> [19]issue 106

     [19] https://github.com/w3c/wot-security/issues/106

   scribenick: kaz

   McCool: this is out of the scope for standardization?

   Koster: right

   McCool: updates the issue and closes it

   <inserted> [20]issue 70

     [20] https://github.com/w3c/wot-security/issues/70

   Elena: what is the hardware identifier discussed in issue 70?

   McCool: there should be a short paragraph about immutability
   ... need to create a PR to use appropriate terminology

   scribenick: mjkoster

   <kaz> [21]TD draft - 5.2.1 Thing

     [21] https://w3c.github.io/wot-thing-description/#thing

   McCool: this has to do with the identifier of the TD
   ... create a PR to clarify the immutability of the "id"
   property in Thing Description

   <kaz> ACTION: mccool to create a PR to clarify the immutability
   of the "id" property in Thing Description

   McCool: mccool to edit the W3C permissions document

   <kaz> ACTION: mccool to edit the W3C permissions document

   McCool: creating a PR for CoAP DTLS scheme
   ... any input on what is needed

   <scribe> ACTION: mccool to create 2 additional schemes for CoAP
   DTLS

   McCool: also need to discuss MQTT security scheme

   [adjourn]

Summary of Action Items

   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
   Web Security IG about testing/validation timeline (first item
   tbd; second item done)
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570)
   for issue 98
   [ONGOING] ACTION: mcCool to write PR on TD spec for security
   definition
   [ONGOING] ACTION: Barry to suggest DTLS testing plan applicable
   for CoAP/MQTT
   [ONGOING] ACTION: everyone to generate set of best practices
   for draft by next week
   [ONGOING] ACTION: McCool to clean up Security and Privacy
   Considerations documents for final update to master by next
   week
   [NEW] ACTION: create a PR to clarify the immutability of the
   "id" property in Thing Description
   [NEW] ACTION: mccool to create 2 additional schemes for CoAP
   DTLS
   [NEW] ACTION: mccool to edit the W3C permissions document

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [22]scribe.perl version
    1.152 ([23]CVS log)
    $Date: 2018/08/14 12:45:43 $

     [22] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [23] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 20 August 2018 13:25:10 UTC

This archive was generated by hypermail 2.3.1 : Monday, 20 August 2018 13:25:11 UTC