W3C home > Mailing lists > Public > public-wot-wg@w3.org > June 2018

[wot-security] minutes - 11 June 2018

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Mon, 18 Jun 2018 22:07:46 +0900
Message-ID: <CAJ8iq9WiAXP3z3xzyL+-BWmMW6NQckdcYHrfGP=CjrRctzbYww@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2018/06/11-wot-sec-minutes.html

also as text below.

Thanks a lot for taking these minutes, Michael Koster!

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

11 Jun 2018

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#June_11.2C_2018

Attendees

   Present
          Michael_McCool, Elena_Reshetova, Kaz_Ashimura,
          Kazuaki_Nimura, Michael_Koster, Tomoaki_Mizushima,
          Barry_Leiba

   Regrets

   Chair
          McCool

   Scribe
          kaz, mjkoster

Contents

     * [3]Topics
         1. [4]Privacy
         2. [5]Previous minutes
         3. [6]Privacy threat mitigation
         4. [7]PlugFest
         5. [8]F2F agenda for Bundang
         6. [9]Issues and PR review
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: kaz

Privacy

   McCool: has some chat with Elena about PR 103

   -> [12]https://github.com/w3c/wot-security/pull/103 PR 103
   (Privacy mitigation)

     [12] https://github.com/w3c/wot-security/pull/103

Previous minutes

   -> [13]https://www.w3.org/2018/06/04-wot-sec-minutes.html
   previous minutes

     [13] https://www.w3.org/2018/06/04-wot-sec-minutes.html

   McCool: security metadata PR for TD (PR #144) has been merged
   ... ready for plugfest

   Kaz: there were the following actions to be included

   <scribe> ACTION: [ONGOING] mccool to talk with security guys
   about testing/validation timeline

   <scribe> ACTION: [ONGOING] mccool to work on issue 70 (Require
   Not Exposing Immutable Hardware Identifiers?)

   <scribe> ACTION: [ONGOING] mjkoster/elena to review examples in
   the security spec

   <scribe> ACTION: [ONGOING] mccool to write a short proposal on
   what security tools to use for the next plugfest

   McCool: put those actions in the previous minutes

   Kaz: ok
   ... will add another action for PR144 from the previous call
   (which is done for today)

   McCool: ok

   (minutes accepted with those changes)

Privacy threat mitigation

   McCool: kind of discussed at the beginning of this call

   <scribe> scribenick: mjkoster

   McCool: any comments?

   Elena: what is ID?

   <kaz> [14]TD draft

     [14] https://w3c.github.io/wot-thing-description/#thing

   McCool: it is a uuid which will not collide with other UUID
   instances
   ... there is an RFC on UUID we should cite
   ... we can't exclude unique identifiers so we need to protect
   them from tracking
   ... the TD itself can also be tracked
   ... so there are 2 options; protect the entire TD and allow the
   ID to be mutable

   Elena: would it be regenerated on boot? will the ID change on a
   device

   McCool: there are different ways to get a UUID, like timestamp,
   domain name, random, etc.
   ... there may not be a DNS identifier on a constrained device,
   so would need to use a UUID
   ... maybe the ID would be randomized on reboot
   ... but there may also be a permanent ID
   ... what are the recommendations?

   <kaz> Koster: OCF uses UUID-based permanent ID

   <kaz> McCool: any particular citation?

   <McCool> [15]https://tools.ietf.org/html/rfc4122

     [15] https://tools.ietf.org/html/rfc4122

   <kaz> ... RFC 4122 fine for citing?

   Koster: OCF has a permanent ID and session-oriented ID

   <McCool>
   [16]https://www.itu.int/ITU-T/studygroups/com17/oid/X.667-E.pdf
   (mm refers to an ITU-T standard as well)

     [16] https://www.itu.int/ITU-T/studygroups/com17/oid/X.667-E.pdf

   Koster: a session is == the onboard tenure of a device before
   the ID changes and it needs re-something

   McCool: can we get references?

   Elena: an onboard session may last for a long time, like a year

   McCool: if it can be protected, it may not be a problem
   ... there may be a risk, but there is a mitigation in being
   able to change the ID

   Elena: it may be difficult to change all of the identifiers

   McCool: periodic refresh may be able to be automated

   <McCool> [17]https://w3c.github.io/wot-thing-description/#thing

     [17] https://w3c.github.io/wot-thing-description/#thing

   <McCool> btw unique ids are *mandatory* for TDs

   Elena: please look for the references

   McCool: other points to the discussion on privacy?
   ... google iot privacy recommendations

PlugFest

   McCool: plugfest preparation document for security
   ... recommending TLS + one form of auth from a choice of
   [bearer token, basic, digest]
   ... also want to do TD validation with security checks and
   warnings
   ... still to do pen testing investigation
   ... google pentesting
   ... also pen test
   ... any other thoughts or discussion on plugfest?
   ... one way to require security is to require an online version
   which is forced to also require security
   ... this will also facilitate the online continuous testing

F2F agenda for Bundang

   McCool: security metadata
   ... combined session with scription
   ... security validation and testing
   ... the discussion needs to evolve to a presentation to start
   discussion
   ... best known practices for security, but it would rapidly
   become obsolete

   <kaz> [18]Bundang f2f wiki

     [18] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_30_June-5_July_2018,_Bundang,_Korea

   Koster: but it would be good to drive things forward as there
   has not been much movement in IoT security to date

   McCool: we need to be able to change the document over time,
   maybe an IG document

   Kaz: WG note should be fine to produce

   McCool: we may need to update it forever

   Kaz: how to maintain security spec is being discussed
   ... there are many possibilities
   ... maybe a security group to address
   ... we need to figure out extension vocabularies

Issues and PR review

   McCool: issue #101

   <scribe> ... closed

   <kaz> [19]issue 101

     [19] https://github.com/w3c/wot-security/issues/101

   McCool: issue #98 form based auth

   <kaz> [20]issue 98

     [20] https://github.com/w3c/wot-security/issues/98

   McCool: need URI templates for this to work in order to pass
   query parameters

   Koster: is it just a binding template?

   McCool: also need another scheme "form" that authorizes at a
   URL with a template

   Koster: need to figure out the design pattern

   McCool: maybe a form as part of a security binding
   ... maybe we would need an action to define how to authorize
   ... making notes in issue #98

   Koster: maybe iotschema vocabulary for security and login type
   concepts

   McCool: issue #96 closed
   ... issue #81 and #77 done but maybe not ready yet, will review
   again
   ... done and wrapup for today
   ... trying to finish TD validation and move on this week
   ... aob?

   Kaz: testing call?

   McCool: didn't reschedule formally yet

   Kaz: Ege has asked about the call

   McCool: cancel the testing call today and do the combined call
   this week
   ... adjourn

Summary of Action Items

   [ONGOING] ACTION: mccool to write a short proposal on what
   security tools to use for the next plugfest
   [ONGOING] ACTION: mccool to talk with security guys about
   testing/validation timeline
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec

   [DONE] ACTION: mccool to finish TD PR 144 (Security metadata)
   and merge it

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [21]scribe.perl version
    1.147 ([22]CVS log)
    $Date: 2018/06/18 12:42:52 $

     [21] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [22] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 18 June 2018 13:09:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:27:51 UTC