- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 4 Jun 2018 16:05:26 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at: https://www.w3.org/2018/05/30-wot-pf-minutes.html also as text below. Thanks a lot for taking these minutes, Michael McCool! Kazuyuki --- [1]W3C [1] http://www.w3.org/ - DRAFT - WoT PlugFest 30 May 2018 [2]Agenda [2] https://www.w3.org/WoT/IG/wiki/PlugFest_WebConf#Agenda_30.5.2018 Attendees Present Kaz_Ashimura, Matthias_Kovatsch, Michael_Koster, Michel_McCool, Kunihiko_Toumura, Michael_Lagally, Taki_Kamiya, Tomoaki_Mizushima Regrets Chair Koster Scribe McCool, kaz Contents * [3]Topics * [4]Summary of Action Items * [5]Summary of Resolutions __________________________________________________________ <kaz> scribenick: McCool Koster: made some basic organizational slides... ... look at what we did in Prague, what we want to develop, develop plan <kaz> [6]Koster's slides [6] https://github.com/mjkoster/wot-protocol-binding/blob/master/plugfest-korea-initial-planning.pdf McCool: have proposal for security, working on something for testing ... target ecosystems, target verticals Kaz: would be good to have integrated use cases or scenarios ... in order to motivate WoT McCool: this is also why I suggested target verticals. Read "target markets" Lagally: we might want to make a list of our current target verticals Koster: will make list of verticals and ecosystems ... under general category of "development topics" ... back to Prague: want to carry forward our successes ... still need to work on semantics, events ... also had good results with proxy, want to keep developing ... and need to continue with security and accessibility McCool: we need semantic applications as well... Koster: that is new development area ... new development areas: simplified TD, extended actions, notifications via websockets and webhooks, FoI, recipes, proxy/w/TDir, security, testing ... for semantics, iotschema.org is working on features of interest (FoI) ... would like to see some examples ... recipes are good start ... but other approaches; generally, looking for a set of things ... then want to operate on or orchestrate ... proxies on TDirs ... questions in the proxy pattern, i.e. local and remote TDirs ... essentially have TD extensions, applications, and security and testing Kaz: matsukura-san wanted to understand how to use node-wot as an application servient McCool: right now we don't have very good "application" examples for node-wot ... need to show how to use it for proxies as well ... right now I have a transparent proxy, but a proxy based on node-wot that actually translated hrefs in forms (for example) would be useful Koster: definitely want to make it easier to go through gateways, use proxies McCool: I think we also need to demonstrate architectural configurations that include multiple TDirs and proxies, can traverse NATs, etc. etc. Koster: infrastructure via common patterns ... maybe time for federated directories McCool: in theory SPARQL as used in the implementation of TDirs can handle federation... <kaz> scribenick: kaz Koster: strawman idea for goals McCool: will show slides ... checked in <McCool> [7]https://github.com/w3c/wot/blob/master/plugfest/2018-bundang /Security-Bundang-PlugFest-Preparation.pptx [7] https://github.com/w3c/wot/blob/master/plugfest/2018-bundang/Security-Bundang-PlugFest-Preparation.pptx McCool: slides above ... basically ... defining goals ... [Scope] ... [Charter Review] ... [Goals] ... demonstrate Things supporting appropriate security mechanisms ... modest goals ... straightforward authentication ... everybody can do ... achieve the goals using appropriate proxies ... authentication and confidentiality ... two proposals ... [Proposed Plugfest Security Requirements: Authentication] ... HTTP Basic Auth ... HTTP Digest Auth ... Bearer tokens ... also having more than one ... metadata indicated within TD ... need to have more variety ... exposed thing must request/require authentication ... implementations consuming things must be able to provide the corresponding credentials ... username/password, etc. ... 3 basic concrete things ... if you can, more than them ... [Confidentiality] ... support for HTTPS ... implementations should allow self-signed certificates ... do support proxy ... current implementation has to run on external cloud server ... use TLS ... would add OAuth Koster: what the assertions go into this? ... public key pretty much uses domain name ... we should think about what the assertions go into McCool: think about IDs for that? ... I'm this thing and TD is... ... add note: ... ... but can we put some other information in the cert we can validate? ... ex. the id contained in the TD ... but spoofable... ... ]] ... [Thing Directory Security] ... for instance, using the Intel proxy, the current ThingWeb Thing Directory can be set up to use HTTPS+Digest Auth ... Thing Directory APIs should provide authentication and confidentiality ... HTTPS+Digest Auth so far ... should be OK ... [Tools] ... node-wot supports basic auth ... and bearer tokens ... digest in progress ... transparent proxy service that provides basic and digest auth ... [Conclusion] ... we should look into secure devices ... 2 more plugfests before CR ... should start secure systems ... basic security ... DTLS, ACLs, OAuth, etc. ... the other issues ... key distribution: FIDO/Oauth, Kerberos, Preshared keys ... certificates: what information can we include in a self-signed cert to make it validatible Koster: we have PGP, etc. McCool: if we look at... ... adds some more points ... reviews the "Charter" slide as well ... adds: ... Object security (See charter! required!) ... COSE ... also access control ... ACL Koster: also a question ... adapting ecosystem ... what WoT security in general would do ... what's the best practice ... e.g., node-wot can have object security ... access control added, etc. McCool: we had discussion within the security tf ... adds a slide including: ... Security TF Tasks ... recommended security practices for WoT ... we should have recommended/not-recommended practices ... just because we can describe it doesn't mean it is good ... brownfield (poor) security issue ... testing ... interoperability ... would like to have TD testing mechanism ... e.g., TD playground ... as an automated process Koster: Thing Directory would refuse if the TD is not valid McCool: adds topics to testing section ... penetration testing ... have only HTTP and ask basic authentication, etc. ... we can do something like that ... have stuff running Koster: actual pragmatic security McCool: getting out of time, so stop here Koster: ok ... we now have this plugfest as a weekly call ... any more questions/comments? (none) Koster: anything else for plugfest planning? (none) [adjourned] Summary of Action Items Summary of Resolutions [End of minutes] __________________________________________________________ Minutes formatted by David Booth's [8]scribe.perl version 1.152 ([9]CVS log) $Date: 2018/06/04 07:03:07 $ [8] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm [9] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 4 June 2018 07:06:39 UTC