[wot-security] minutes - 28 May 2018

available at:
  https://www.w3.org/2018/05/28-wot-sec-minutes.html

also as text below.

Thanks a lot for taking these minutes, Soumya!

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

28 May 2018

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Soumya_Kanti_Datta, Michael_Koster, Tomoaki_Mizushima,
          Kazuaki_Nimura

   Regrets

   Chair
          McCool

   Scribe
          Soumya

Contents

     * [3]Topics
         1. [4]TPAC schedule
         2. [5]Agenda
         3. [6]Prev minutes
         4. [7]Review PRs
         5. [8]PlugFest prep
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________

TPAC schedule

   some discussion on the upcoming TPAC 2018 schedule
   ... Elena mentions she has conclict with the Linux Security
   Summit during the TPAC week and can't join TPAC this time

   <kaz> [11]Linux Security Summit Europe - Oct 25-26 in
   Edinburgh, UK

     [11] https://infosec-conferences.com/events-in-2018/linux-security-summit-europe/

   <kaz> scribenick: Soumya

Agenda

   McCool: shows the agenda

   <kaz> [12]prev minutes

     [12] https://www.w3.org/2018/05/21-wot-sec-minutes.html

   <McCool> agenda:
   [13]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#May_28.2
   C_2018

     [13] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#May_28.2C_2018

Prev minutes

   McCool: review of previous minutes
   ... reviews current actions
   ... accepts minutes

   no other comments

Review PRs

   McCool: no open PR expect one old one
   ... websockets are out of scope for TD right now

   <kaz> [14]PRs

     [14] https://github.com/w3c/wot-security/pulls

   McCool: merged several items to master branch

PlugFest prep

   McCool: separate testing and plugfest prep meeting
   ... for testing, we need to think on security testing,
   validation
   ... looked at some tools
   ... e.g. npm audit
   ... action - testing and validation for security
   ... plugfest prep - we will have a plugfest meeting this week,
   mj koster will run it

   Koster: matsukura-san may also chair that meeting

   McCool: how to include more security and testing aspects in
   plugfest?

   Koster: figure out what do we mean by security - starting point
   ... common security practice

   McCool: using self-sign certificate for https, secured storage
   ... nodejs proxy for security
   ... how to distribute that

   Koster/McCool: discussion on proxy

   Elena: knows the process to make codes open source

   McCool: I just have to follow the internal Intel processes

   <not sure if it is correct spelling>

   McCool: having https is useful
   ... basic auth should be used in addition to https
   ... do at least basic auth, digest, bearer tokens
   ... https could be possible through proxy

   Koster: supports the idea

   McCool: action - write a short proposal on what security tools
   to use in next plugfest
   ... action - write a proxy service
   ... service would work on a web API

   <kaz> ACTION: mccool to write a short proposal on what security
   tools to use for the next plugfest

   McCool: for next f2f - discussion on security related agenda
   ... plugfest security review is secondary priority
   ... discuss something on privacy, any missing aspects
   ... provide a recommendation on best practice efforts for ppl
   implementing w3c systems
   ... this could be another discussion
   ... looking at ongoing issues

   <kaz> [15]issue 98

     [15] https://github.com/w3c/wot-security/issues/98

   McCool: issue 97, including a password in TLS
   ... is it used in place of basic auth?

   Elena: could look into it

   McCool: Intel building management systems use form based
   authentication

   Koster: we can also figure our exemplery protocols for WoT

   <kaz> [16]issue 97

     [16] https://github.com/w3c/wot-security/issues/97

   McCool: adds an issue for security recommendations for
   'native-wot' systems

   <kaz> [17]issue 102

     [17] https://github.com/w3c/wot-security/issues/102

   McCool: discussing issue 85, it is to be closed. we don't have
   a separate version system. security systems have a stable
   implementation.

   <kaz> [18]issue 85

     [18] https://github.com/w3c/wot-security/issues/85

   McCool: no objection heard
   ... writes conclusion in the issue and closes it.

   <kaz> McCool: changes the label for #73 to "DOCUMENTATION"

   McCool: discussing issue 72, it is a privacy risk

   <kaz> [19]issue 73

     [19] https://github.com/w3c/wot-security/issues/73

   <kaz> McCool: qop parameter for digest authentication

   <kaz> [20]issue 96

     [20] https://github.com/w3c/wot-security/issues/96

   <kaz> [21]digest access authentication (Wikipedia)

     [21] https://en.m.wikipedia.org/wiki/Digest_access_authentication

   AOB?

   none

   <kaz> [adjourned]

Summary of Action Items

   [ONGOING] ACTION: mccool to talk with security guys about
   testing/validation timeline
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec

   [NEW] ACTION: mccool to write a short proposal on what security
   tools to use for the next plugfest

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [22]scribe.perl version
    1.152 ([23]CVS log)
    $Date: 2018/06/05 08:42:19 $

     [22] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [23] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 5 June 2018 08:46:46 UTC