[PlugFest] minutes - 30 May 2018

available at:
  https://www.w3.org/2018/05/30-wot-pf-minutes.html

also as text below.

Thanks a lot for taking these minutes, Michael McCool!

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT PlugFest

30 May 2018

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/PlugFest_WebConf#Agenda_30.5.2018

Attendees

   Present
          Kaz_Ashimura, Matthias_Kovatsch, Michael_Koster,
          Michel_McCool, Kunihiko_Toumura, Michael_Lagally,
          Taki_Kamiya, Tomoaki_Mizushima

   Regrets

   Chair
          Koster

   Scribe
          McCool, kaz

Contents

     * [3]Topics
     * [4]Summary of Action Items
     * [5]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: McCool

   Koster: made some basic organizational slides...
   ... look at what we did in Prague, what we want to develop,
   develop plan

   <kaz> [6]Koster's slides

      [6] https://github.com/mjkoster/wot-protocol-binding/blob/master/plugfest-korea-initial-planning.pdf

   McCool: have proposal for security, working on something for
   testing
   ... target ecosystems, target verticals

   Kaz: would be good to have integrated use cases or scenarios
   ... in order to motivate WoT

   McCool: this is also why I suggested target verticals. Read
   "target markets"

   Lagally: we might want to make a list of our current target
   verticals

   Koster: will make list of verticals and ecosystems
   ... under general category of "development topics"
   ... back to Prague: want to carry forward our successes
   ... still need to work on semantics, events
   ... also had good results with proxy, want to keep developing
   ... and need to continue with security and accessibility

   McCool: we need semantic applications as well...

   Koster: that is new development area
   ... new development areas: simplified TD, extended actions,
   notifications via websockets and webhooks, FoI, recipes,
   proxy/w/TDir, security, testing
   ... for semantics, iotschema.org is working on features of
   interest (FoI)
   ... would like to see some examples
   ... recipes are good start
   ... but other approaches; generally, looking for a set of
   things
   ... then want to operate on or orchestrate
   ... proxies on TDirs
   ... questions in the proxy pattern, i.e. local and remote TDirs
   ... essentially have TD extensions, applications, and security
   and testing

   Kaz: matsukura-san wanted to understand how to use node-wot as
   an application servient

   McCool: right now we don't have very good "application"
   examples for node-wot
   ... need to show how to use it for proxies as well
   ... right now I have a transparent proxy, but a proxy based on
   node-wot that actually translated hrefs in forms (for example)
   would be useful

   Koster: definitely want to make it easier to go through
   gateways, use proxies

   McCool: I think we also need to demonstrate architectural
   configurations that include multiple TDirs and proxies, can
   traverse NATs, etc. etc.

   Koster: infrastructure via common patterns
   ... maybe time for federated directories

   McCool: in theory SPARQL as used in the implementation of TDirs
   can handle federation...

   <kaz> scribenick: kaz

   Koster: strawman idea for goals

   McCool: will show slides
   ... checked in

   <McCool>
   [7]https://github.com/w3c/wot/blob/master/plugfest/2018-bundang
   /Security-Bundang-PlugFest-Preparation.pptx

      [7] https://github.com/w3c/wot/blob/master/plugfest/2018-bundang/Security-Bundang-PlugFest-Preparation.pptx

   McCool: slides above
   ... basically
   ... defining goals
   ... [Scope]
   ... [Charter Review]
   ... [Goals]
   ... demonstrate Things supporting appropriate security
   mechanisms
   ... modest goals
   ... straightforward authentication
   ... everybody can do
   ... achieve the goals using appropriate proxies
   ... authentication and confidentiality
   ... two proposals
   ... [Proposed Plugfest Security Requirements: Authentication]
   ... HTTP Basic Auth
   ... HTTP Digest Auth
   ... Bearer tokens
   ... also having more than one
   ... metadata indicated within TD
   ... need to have more variety
   ... exposed thing must request/require authentication
   ... implementations consuming things must be able to provide
   the corresponding credentials
   ... username/password, etc.
   ... 3 basic concrete things
   ... if you can, more than them
   ... [Confidentiality]
   ... support for HTTPS
   ... implementations should allow self-signed certificates
   ... do support proxy
   ... current implementation has to run on external cloud server
   ... use TLS
   ... would add OAuth

   Koster: what the assertions go into this?
   ... public key pretty much uses domain name
   ... we should think about what the assertions go into

   McCool: think about IDs for that?
   ... I'm this thing and TD is...
   ... add note:
   ...
   ... but can we put some other information in the cert we can
   validate?
   ... ex. the id contained in the TD
   ... but spoofable...
   ... ]]
   ... [Thing Directory Security]
   ... for instance, using the Intel proxy, the current ThingWeb
   Thing Directory can be set up to use HTTPS+Digest Auth
   ... Thing Directory APIs should provide authentication and
   confidentiality
   ... HTTPS+Digest Auth so far
   ... should be OK
   ... [Tools]
   ... node-wot supports basic auth
   ... and bearer tokens
   ... digest in progress
   ... transparent proxy service that provides basic and digest
   auth
   ... [Conclusion]
   ... we should look into secure devices
   ... 2 more plugfests before CR
   ... should start secure systems
   ... basic security
   ... DTLS, ACLs, OAuth, etc.
   ... the other issues
   ... key distribution: FIDO/Oauth, Kerberos, Preshared keys
   ... certificates: what information can we include in a
   self-signed cert to make it validatible

   Koster: we have PGP, etc.

   McCool: if we look at...
   ... adds some more points
   ... reviews the "Charter" slide as well
   ... adds:
   ... Object security (See charter! required!)
   ... COSE
   ... also access control
   ... ACL

   Koster: also a question
   ... adapting ecosystem
   ... what WoT security in general would do
   ... what's the best practice
   ... e.g., node-wot can have object security
   ... access control added, etc.

   McCool: we had discussion within the security tf
   ... adds a slide including:
   ... Security TF Tasks
   ... recommended security practices for WoT
   ... we should have recommended/not-recommended practices
   ... just because we can describe it doesn't mean it is good
   ... brownfield (poor) security issue
   ... testing
   ... interoperability
   ... would like to have TD testing mechanism
   ... e.g., TD playground
   ... as an automated process

   Koster: Thing Directory would refuse if the TD is not valid

   McCool: adds topics to testing section
   ... penetration testing
   ... have only HTTP and ask basic authentication, etc.
   ... we can do something like that
   ... have stuff running

   Koster: actual pragmatic security

   McCool: getting out of time, so stop here

   Koster: ok
   ... we now have this plugfest as a weekly call
   ... any more questions/comments?

   (none)

   Koster: anything else for plugfest planning?

   (none)

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [8]scribe.perl version
    1.152 ([9]CVS log)
    $Date: 2018/06/04 07:03:07 $

      [8] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
      [9] http://dev.w3.org/cvsweb/2002/scribe/

Received on Monday, 4 June 2018 07:06:39 UTC