[wot-security] minutes - 25 June 2018

Sorry for the delay.

The minutes from the Security call on June 25 are available at:
  https://www.w3.org/2018/06/25-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

25 Jun 2018

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Elena_Reshetova, Michael_McCool,
          Tomoaki_Mizushima, Kazuaki_Nimura

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [3]Topics
         1. [4]previous minutes
         2. [5]Plugfest Preparation
         3. [6]External review
         4. [7]Issues and PRs
               o [8]PR 104
               o [9]Issue 102
               o [10]issue 100
               o [11]issue 98
               o [12]issue 97
               o [13]issue 94
               o [14]issue 81
               o [15]issue 80
               o [16]issue 77
               o [17]issue 76
               o [18]issue 75
               o [19]issue 72
               o [20]issue 71
               o [21]issue 70
     * [22]Summary of Action Items
     * [23]Summary of Resolutions
     __________________________________________________________

   <scribe> scribenick: kaz

previous minutes

   [24]prev minutes

     [24] https://www.w3.org/2018/06/18-wot-sec-minutes.html

   McCool: looked at number of issues
   ... Elena's PR
   ... should be accepted
   ... I'll polish the PR update by the f2f
   ... (goes through the issues)
   ... brought issue 70 to the TD call as well
   ... fundamental assumption of URL is immutable
   ... complicated mechanism
   ... issue 99 was addressed
   ... issue 100
   ... issue 98
   ... whole bunch of discussions
   ... mixture of different level
   ... issue 64, again notification
   ... f2f
   ... actions all ongoing
   ... carry on discussion this week
   ... would update the action status
   ... "talk with security guys" to be updated as "IIC Security TF
   and W3C Web Security IG"
   ... "look into URI" is ongoing
   ... and one typo "would access this PR" to be fixed as "would
   accept this PR"
   ... accept the minutes?

   (no objections)

   [the previous minutes have been accepted with the above
   changes]

Plugfest Preparation

   McCool: Matthias is working on the schedule

   [25]f2f agenda

     [25] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_30_June-5_July_2018,_Bundang,_Korea#Plenary_and_Breakouts

   McCool: (goes through the agenda)
   ... (changes the moderator of PlugFest Security Review to
   "McCool/Elena")
   ... (and Secure Implementation Recommendation to
   "Elena/McCool")

   Elena: mentions her availability for the f2f
   ... can join webex after 11am Korea time

   McCool: Monday/Tuesday in CET?

   Elena: yes
   ... Monday/Tuesday/Wednesday after 11am Korea time

   McCool: ideally Tuesday afternoon
   ... want to talk about the schedule

   [26]publication schedule

     [26] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule

   McCool: (updated the schedule)
   ... external review and finalization
   ... final version to be in Nov.
   ... if we can get extension, +3 months would make sense, i.e.,
   Feb. 2019
   ... regarding external review
   ... should be Sep-Oct
   ... if we get 3-month extension, can be Dec-Jan
   ... would aim for the first date (for the first round)
   ... first external review by Sep-Oct
   ... good first draft by Nov
   ... implication here is that we need to have
   ... first draft for review by end of Aug
   ... meaning in 2 months
   ... next release after the Bundang f2f, i.e., mid-July
   ... empty sections can be kicked out from the review

External review

   McCool: talked with IIC guys
   ... Dave is the liaison contact for IIC
   ... would like security review
   ... actually 3 topics
   ... security topics, semantic interoperability, use
   cases/testbeds
   ... used to know one of the guys
   ... we can hopefully get something scheduled
   ... getting someone to review
   ... can negotiate the timing
   ... also W3C Web Security IG
   ... questions/comments?

   (none)

Issues and PRs

* PR 104

   McCool: would open a new PR
   ... working->master 2018.06.25
   ... update, prior to Bundang plugfest
   ... can merge this?

   (no objections)

   McCool: merges PR 104

   [27]PR 104 merged

     [27] https://github.com/w3c/wot-security/pull/104

* Issue 102

   McCool: (adds comments to issue 102)

   [28]issue 102

     [28] https://github.com/w3c/wot-security/issues/102

   McCool: should cover both security and privacy

* issue 100

   [29]issue 100

     [29] https://github.com/w3c/wot-security/issues/100

   McCool: authorize users
   ... then mitigate privacy issues
   ... associate new things
   ... comments?

   Elena: no

* issue 98

   [30]issue 98

     [30] https://github.com/w3c/wot-security/issues/98

   McCool: custom login page
   ... you have to put parameters
   ... we need to do something about this
   ... one of the issues
   ... associate semantic meanings
   ... need to be able to associate common variables
   ... URL templates kind of assume the same
   ... annoying assumption

   [[ parameters with fixed names that the system "knows" mean
   certain things. But then you run into the problem of what to do
   if those names don't match what is needed in the query
   parameter (e.g., if the "special name" in the TD is "password" but
   the API needs the query parameter "pw"). I have to look to see
   if there are URI templates that let you separately specify the
   name and the value, as I mentioned in the meeting. ]]

* issue 97

   McCool: suspended issue

   [31]issue 97

     [31] https://github.com/w3c/wot-security/issues/97

   McCool: would put a label
   ... (adds a new label of "SUSPENDED")
   ... will leave open but suspend action on it unless we see an
   actual use case
   ... marked as "SUSPENDED" which means "won't fix unless someone
   comes up with a use case that needs it"

* issue 94

   [32]issue 84

     [32] https://github.com/w3c/wot-security/issues/84

   McCool: potentially superseded by security by IIC

* issue 81

   [33]issue 81

     [33] https://github.com/w3c/wot-security/issues/81

   McCool: think this is resolved but we should wait until after
   the Bundang plugfest
   ... and implementation feedback from Matthias
   ... one issue is dealing with both protocol-aware proxies
   (e.g., HTTP Proxy) and transparent (application-level) proxies
   ... may require different strategies

* issue 80

   [34]issue 80

     [34] https://github.com/w3c/wot-security/issues/80

   McCool: a little bit old

* issue 77

   [35]issue 77

     [35] https://github.com/w3c/wot-security/issues/77

   McCool: Matthias suggested we merge this issue with issue 80
   ... need to leave it open until we talk with Matthias again

* issue 76

   [36]issue 76

     [36] https://github.com/w3c/wot-security/issues/76

   McCool: maybe we can close this?
   ... will leave interledger out in this version
   ... not clear interledger in particular will also be
   standardized in time
   ... maybe next version

   Kaz: do we want to add some specific label for that purpose?

   McCool: (adds "DEFERED" label)

* issue 75

   [37]issue 75

     [37] https://github.com/w3c/wot-security/issues/75

   McCool: suspended
   ... (adds "SUSPENDED" label)

* issue 72

   [38]issue 72

     [38] https://github.com/w3c/wot-security/issues/72

   McCool: documentation thing

* issue 71

   [39]issue 71

     [39] https://github.com/w3c/wot-security/issues/71

   McCool: (responds to @jasonnovak on the GH issue 71)

* issue 70

   [40]issue 70

     [40] https://github.com/w3c/wot-security/issues/70

   McCool: immutable hardware identifiers
   ... there was some discussion about this
   ... unique identifier by hash would be easier to clarify the
   dependency
   ... have to have update mechanism
   ... things can identify who gets access, etc.
   ... another counter proposal by linked data community
   ... would keep this issue open at the moment
   ... bunch of stuff to look at
   ... maybe next time we should talk about issue 67
   ... any questions? concerns?

   (none)

   McCool: we should discuss privacy mitigation
   ... and may discuss proposals by the main call on Wednesday
   ... will move to adjourn the call

   [adjourned]

Summary of Action Items

   [ONGOING] ACTION: mccool to write a short proposal on what
   security tools to use for the next plugfest
   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C
   Web Security IG about testing/validation timeline
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570)
   for issue 98

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [41]scribe.perl version
    1.152 ([42]CVS log)
    $Date: 2018/06/27 12:39:51 $

     [41] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [42] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 31 July 2018 06:04:14 UTC