- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 31 Jul 2018 15:02:46 +0900
- To: public-wot-wg@w3.org, Public Web of Things IG <public-wot-ig@w3.org>
Sorry for the delay. The minutes from the Security call on June 25 are available at: https://www.w3.org/2018/06/25-wot-sec-minutes.html also as text below. Thanks, Kazuyuki --- [1]W3C [1] http://www.w3.org/ - DRAFT - WoT Security 25 Jun 2018 [2]Agenda [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda Attendees Present Kaz_Ashimura, Elena_Reshetova, Michael_McCool, Tomoaki_Mizushima, Kazuaki_Nimura Regrets Chair McCool Scribe kaz Contents * [3]Topics 1. [4]previous minutes 2. [5]Plugfest Preparation 3. [6]External review 4. [7]Issues and PRs o [8]PR 104 o [9]Issue 102 o [10]issue 100 o [11]issue 98 o [12]issue 97 o [13]issue 94 o [14]issue 81 o [15]issue 80 o [16]issue 77 o [17]issue 76 o [18]issue 75 o [19]issue 72 o [20]issue 71 o [21]issue 70 * [22]Summary of Action Items * [23]Summary of Resolutions __________________________________________________________ <scribe> scribenick: kaz previous minutes [24]prev minutes [24] https://www.w3.org/2018/06/18-wot-sec-minutes.html McCool: looked at number of issues ... Elena's PR ... should be accepted ... I'll polish the PR update by the f2f ... (goes through the issues) ... brought issue 70 to the TD call as well ... fundamental assumption of URL is immutable ... complicated mechanism ... issue 99 was addressed ... issue 100 ... issue 98 ... whole bunch of discussions ... mixture of different level ... issue 64, again notification ... f2f ... actions all ongoing ... carry on discussion this week ... would update the action status ... "talk with security guys" to be updated as "IIC Security TF and W3C Web Security IG" ... "look into URI" is ongoing ... and one typo "would access this PR" to be fixed as "would accept this PR" ... accept the minutes? (no objections) [the previous minutes have been accepted with the above changes] Plugfest Preparation McCool: Matthias is working on the schedule [25]f2f agenda [25] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_30_June-5_July_2018,_Bundang,_Korea#Plenary_and_Breakouts McCool: (goes through the agenda) ... (changes the moderator of PlugFest Security Review to "McCool/Elena") ... (and Secure Implementation Recommendation to "Elena/McCool") Elena: mentions her availability for the f2f ... can join webex after 11am Korea time McCool: Monday/Tuesday in CET? Elena: yes ... Monday/Tuesday/Wednesday after 11am Korea time McCool: ideally Tuesday afternoon ... want to talk about the schedule [26]publication schedule [26] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule McCool: (updated the schedule) ... external review and finalization ... final version to be in Nov. ... if we can get extension, +3 months would make sense, i.e., Feb. 2019 ... regarding external review ... should be Sep-Oct ... if we get 3-month extension, can be Dec-Jan ... would aim the first date (for the first round) ... first external review by Sep-Oct ... good first draft by Nov ... implication here is that we need to have ... first draft for review by end of Aug ... meaning in 2 months ... next release after the Bundang f2f, i.e., mid-July ... empty sections can be kicked out from the review External review McCool: talked with IIC guys ... Dave is the liaison contact for IIC ... would like security review ... actually 3 topics ... security topics, semantic interoperability, use cases/testbeds ... used to know one of the guys ... we can hopefully get something scheduled ... getting someone to review ... can negotiate the timing ... also W3C Web Security IG ... questions/comments? (none) Issues and PRs * PR 104 McCool: would open a new PR ... working->master 2018.06.25 ... update, prior to Bundang plugfest ... can merge this? (no objections) McCool: merges PR 104 [27]PR 104 merged [27] https://github.com/w3c/wot-security/pull/104 * Issue 102 McCool: (adds comments to issue 102) [28]issue 102 [28] https://github.com/w3c/wot-security/issues/102 McCool: should cover both security and privacy * issue 100 [29]issue 100 [29] https://github.com/w3c/wot-security/issues/100 McCool: authorize users ... then mitigate privacy issues ... associate new things ... comments? Elena: no * issue 98 [30]issue 98 [30] https://github.com/w3c/wot-security/issues/98 McCool: custom login page ... you have to put parameters ... we need to do something about this ... one of the issues ... associate semantic meanings ... need to be able to associate common variables ... URL template kind of assume the same ... annoying assumption [[ parameters with fixed names that the system "knows" mean certain things. But then you run into the problem of what to do it those names don't match what is needed in the query parameter (eg if the "special name" in the TD is "password" but the API needs the query parameter "pw"... I have to look to see if there are URI templates that let you separately specify the name and the value, as I mentioned in the meeting. ]] * issue 97 McCool: suspended issue [31]issue 97 [31] https://github.com/w3c/wot-security/issues/97 McCool: would put a label ... (adds a new label of "SUSPENDED") ... will leave open but suspend action on it unless we see an actual use case ... marked as "SUSPENDED" which means "won't fix unless someone comes up with a use case that needs it" * issue 94 [32]issue 84 [32] https://github.com/w3c/wot-security/issues/84 McCool: potentially superseded by security by IIC * issue 81 [33]issue 81 [33] https://github.com/w3c/wot-security/issues/81 McCool: think this is resolved but we should wait until after the Bundang plugfest ... and implementation feedback from Matthias ... one issue is dealing with both protocol-aware proxies (e.g., HTTP Proxy) and transparent (application-level) proxies ... may require different strategies * issue 80 [34]issue 80 [34] https://github.com/w3c/wot-security/issues/80 McCool: a little bit old * issue 77 [35]issue 77 [35] https://github.com/w3c/wot-security/issues/77 McCool: Matthias suggested we merge this issue with issue 80 ... need to leave it open until we talk with Matthias again * issue 76 [36]issue 76 [36] https://github.com/w3c/wot-security/issues/76 McCool: maybe we can close this? ... will leave interledger out in this version ... not clear interledger in particular will also be standardized in time ... maybe next version Kaz: do we want to add some specific label for that purpose? McCool: (adds "DEFERED" label) * issue 75 [37]issue 75 [37] https://github.com/w3c/wot-security/issues/75 McCool: suspended ... (adds "SUSPENDED" label) * issue 72 [38]issue [38] https://github.com/w3c/wot-security/issues/72 McCool: documentation thing * issue 71 [39]issue 71 [39] https://github.com/w3c/wot-security/issues/71 McCool: (responds to @jasonnovak on the GH issue 71) * issue 70 [40]issue 70 [40] https://github.com/w3c/wot-security/issues/70 McCool: immutable hardware identifies ... there was some discussion about this ... unique identifier by hash would be easier to clarify the dependency ... have to have update mechanism ... things can identify who get access, etc. ... another counter proposal by linked data community ... would keep this issue open at the moment ... bunch of stuff to look at ... maybe next time we should talk about issue 67 ... any questions? concerns? (none) McCool: we should discuss privacy mitigation ... and may discuss proposals by the main call on Wednesday ... will move to adjourn the call [adjourned] Summary of Action Items [ONGOING] ACTION: mccool to write a short proposal on what security tools to use for the next plugfest [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C Web Security IG about testing/validation timeline [ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?) [ONGOING] ACTION: mjkoster/elena to review examples in the security spec [ONGOING] ACTION: mccool to look into URI templates (RFC6570) for issue 98 Summary of Resolutions [End of minutes] __________________________________________________________ Minutes formatted by David Booth's [41]scribe.perl version 1.152 ([42]CVS log) $Date: 2018/06/27 12:39:51 $ [41] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [42] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 31 July 2018 06:04:14 UTC