
[wot-security] minutes - 28 May 2018

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Tue, 5 Jun 2018 17:45:18 +0900
Message-ID: <CAJ8iq9Ve+0rwT+thHA_2uy2J6deMh-ahx6tDfi2P4tqrRQZvcg@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:

also as text below.

Thanks a lot for taking these minutes, Soumya!


                               - DRAFT -

                              WoT Security

28 May 2018

   Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda


   Present: Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
           Soumya_Kanti_Datta, Michael_Koster, Tomoaki_Mizushima





     * [3]Topics
         1. [4]TPAC schedule
         2. [5]Agenda
         3. [6]Prev minutes
         4. [7]Review PRs
         5. [8]PlugFest prep
     * [9]Summary of Action Items
     * [10]Summary of Resolutions

TPAC schedule

   some discussion on the upcoming TPAC 2018 schedule
   ... Elena mentions she has a conflict with the Linux Security
   Summit during the TPAC week and can't join TPAC this time

   <kaz> [11]Linux Security Summit Europe - Oct 25-26 in
   Edinburgh, UK

     [11] https://infosec-conferences.com/events-in-2018/linux-security-summit-europe/

   <kaz> scribenick: Soumya

Agenda

   McCool: shows the agenda

   <kaz> [12]prev minutes

     [12] https://www.w3.org/2018/05/21-wot-sec-minutes.html

   <McCool> agenda:

     [13] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#May_28.2C_2018

Prev minutes

   McCool: review of previous minutes
   ... reviews current actions
   ... accepts minutes

   no other comments

Review PRs

   McCool: no open PR except one old one
   ... websockets are out of scope for TD right now

   <kaz> [14]PRs

     [14] https://github.com/w3c/wot-security/pulls

   McCool: merged several items to master branch

PlugFest prep

   McCool: separate testing and plugfest prep meeting
   ... for testing, we need to think on security testing,
   ... looked at some tools
   ... e.g. npm audit
   ... action - testing and validation for security
   ... plugfest prep - we will have a plugfest meeting this week,
   mj koster will run it

   Koster: matsukura-san may also chair that meeting

   McCool: how to include more security and testing aspects in

   Koster: figure out what do we mean by security - starting point
   ... common security practice

   McCool: using a self-signed certificate for https, secured storage
   ... nodejs proxy for security
   ... how to distribute that

   Koster/McCool: discussion on proxy

   Elena: knows the process to make code open source

   McCool: I just have to follow the internal Intel processes

   <not sure if it is correct spelling>

   McCool: having https is useful
   ... basic auth should be used in addition to https
   ... do at least basic auth, digest, bearer tokens
   ... https could be possible through proxy

   Koster: supports the idea

   McCool: action - write a short proposal on what security tools
   to use in next plugfest
   ... action - write a proxy service
   ... service would work on a web API

   <kaz> ACTION: mccool to write a short proposal on what security
   tools to use for the next plugfest

   McCool: for next f2f - discussion on security related agenda
   ... plugfest security review is secondary priority
   ... discuss something on privacy, any missing aspects
   ... provide a recommendation on best practice efforts for people
   implementing w3c systems
   ... this could be another discussion
   ... looking at ongoing issues

   <kaz> [15]issue 98

     [15] https://github.com/w3c/wot-security/issues/98

   McCool: issue 97, including a password in TLS
   ... is it used in place of basic auth?

   Elena: could look into it

   McCool: Intel building management systems use form based

   Koster: we can also figure out exemplary protocols for WoT

   <kaz> [16]issue 97

     [16] https://github.com/w3c/wot-security/issues/97

   McCool: adds an issue for security recommendations for
   'native-wot' systems

   <kaz> [17]issue 102

     [17] https://github.com/w3c/wot-security/issues/102

   McCool: discussing issue 85, it is to be closed. we don't have
   a separate version system. security systems have a stable

   <kaz> [18]issue 85

     [18] https://github.com/w3c/wot-security/issues/85

   McCool: no objection heard
   ... writes conclusion in the issue and closes it.

   <kaz> McCool: changes the label for #73 to "DOCUMENTATION"

   McCool: discussing issue 72, it is a privacy risk

   <kaz> [19]issue 73

     [19] https://github.com/w3c/wot-security/issues/73

   <kaz> McCool: qop parameter for digest authentication

   <kaz> [20]issue 96

     [20] https://github.com/w3c/wot-security/issues/96

   <kaz> [21]digest access authentication (Wikipedia)

     [21] https://en.m.wikipedia.org/wiki/Digest_access_authentication



   <kaz> [adjourned]

Summary of Action Items

   [ONGOING] ACTION: mccool to talk with security guys about
   testing/validation timeline
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec

   [NEW] ACTION: mccool to write a short proposal on what security
   tools to use for the next plugfest

Summary of Resolutions

   [End of minutes]

    Minutes formatted by David Booth's [22]scribe.perl version
    1.152 ([23]CVS log)
    $Date: 2018/06/05 08:42:19 $

     [22] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [23] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 5 June 2018 08:46:46 UTC
