[wot-security] minutes - 20 August 2018

available at:

Thanks a lot for taking these minutes, Nimura-san!





                               - DRAFT -

                              WoT Security

20 Aug 2018


          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Xiaoru_Li, Kazuaki_Nimura, Tomoaki_Mizushima,





     * Topics
         1. Invited guest from Baidu
         2. Review previous minutes
         3. New DTLS schemes: cert, public
         4. MQTT Security (wrt DTLS security schemes)
         5. Permissions workshop
         6. Remaining issues
         7. AOB
     * Summary of Action Items
     * Summary of Resolutions

Invited guest from Baidu

   scribenick: kaz

   Kaz: is it OK by you to invite Xiaoru to the meeting today?
   ... note the invited guest also should be aware of the W3C
   Patent Policy below
   ... but this is an IG call, so we have less problem

   <kaz> [12]https://www.w3.org/Consortium/Patent-Policy-20170801/

     [12] https://www.w3.org/Consortium/Patent-Policy-20170801/

   <kaz> [13]https://www.w3.org/2003/12/22-pp-faq.html

     [13] https://www.w3.org/2003/12/22-pp-faq.html

   McCool: OK to invite her

Review previous minutes

   scribenick: nimura

   <McCool> [14]https://www.w3.org/2018/08/13-wot-sec-minutes.html

     [14] https://www.w3.org/2018/08/13-wot-sec-minutes.html

   reviewing last minutes.

   <kaz> mm: regarding the actions, the second last one on CoAP
   DTLS is retired. other actions to be carried over for today

   <kaz> (minutes accepted)

   guest from Baidu, Xiaoru Li

   McCool: during TPAC, would have extra meeting in early week,
   say Monday

New DTLS schemes: cert, public

   <kaz> [15]TD pullrequest 198 - Add CoAP/DTLS "cert" and
   "public" security schemes

     [15] https://github.com/w3c/wot-thing-description/pull/198

   created PR that current TD is checked

   <kaz> [16]TD draft - 5.4.1 SecurityScheme

     [16] https://w3c.github.io/wot-thing-description/#securityscheme

   added two new schemes and merged.

   CoAP: private, shared: pre-distributed keys

   <kaz> [17]TD draft - 5.4.6 PSKSecurityScheme

     [17] https://w3c.github.io/wot-thing-description/#psksecurityscheme

   cert and public key: give identity of system

   TD spec is not updated properly yet.

   no section for those for public and cert somehow

   <kaz> McCool: will check why

MQTT Security (wrt DTLS security schemes)

   <kaz> McCool: need Koster's input

Permissions workshop

   kajiwara san submitted W3C permission for the application

Remaining issues

   Issue #109

   <inserted> [18]issue 109

     [18] https://github.com/w3c/wot-security/issues/109

   mostly done, but rendering issue.

   <McCool> [19]https://tools.ietf.org/html/rfc7252#section-9.1

     [19] https://tools.ietf.org/html/rfc7252#section-9.1

   <inserted> The Constrained Application Protocol (CoAP)

   Section 9.1: defines three schemes

   there are some algorithm choices.

   this PR is not critical for current TD

   Issue #105

   <inserted> [20]issue 105

     [20] https://github.com/w3c/wot-security/issues/105

   difficult to prioritize security scheme.

   assume implementers work one by one.

   security TF does not feel an additional feature to prioritize
   security is necessary.

   Issue #102

   <kaz> [21]issue 102

     [21] https://github.com/w3c/wot-security/issues/102

   Testing TF needs to have sets of security recommendations

   prioritize CoAP over UDP, but not prioritize others

   we will focus on HTTPS-TLS CoAPS-DTLS and MQTT-TLS

   but leave out others.

   In terms of the recommendation, is there any particular reason
   to recommend CoAPS-TLS over CoAPS-DTLS?

   from the security point of view.

   create another md document for collecting those recommendations.

   describing wot security best practice.

   recommendation for pretty good security and easy to implement

   In the current main document, recommendation is high level and
   good structure.


     [22] https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md

   will include recommended best practice.

   Issue #100

   <inserted> [23]issue 100

     [23] https://github.com/w3c/wot-security/issues/100

   TD Change and Deletion notification

   this relates to immutable identifiers.

   Issue #98

   <kaz> [24]issue 98

     [24] https://github.com/w3c/wot-security/issues/98

   URI templates are coming.

   Issue #77

   <kaz> [25]issue 77

     [25] https://github.com/w3c/wot-security/issues/77

   can close this.


   kajiwara-san: notification of workshop will be received by this
   Friday or so.

   <kaz> [adjourned]

Summary of Action Items

   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
   Web Security IG about testing/validation timeline (first item
   tbd; second item done)
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570)
   for issue 98
   [ONGOING] ACTION: mcCool to write PR on TD spec for security
   [ONGOING] ACTION: Barry to suggest DTLS testing plan applicable
   for CoAP/MQTT
   [ONGOING] ACTION: everyone to generate set of best practices
   for draft by next week
   [ONGOING] ACTION: McCool to clean up Security and Privacy
   Considerations documents for final update to master by next
   [ONGOING] ACTION: create a PR to clarify the immutability of
   the "id" property in Thing Description
   [ONGOING] ACTION: mccool to edit the W3C permissions document

Summary of Resolutions

   [End of minutes]

    Minutes formatted by David Booth's [26]scribe.perl version
    1.152 ([27]CVS log)
    $Date: 2018/08/28 02:56:08 $

     [26] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [27] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 28 August 2018 03:04:21 UTC