- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 22 May 2018 08:09:57 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2018/04/30-wot-sec-minutes.html

also as text below.

Thanks a lot for taking these minutes, Michael Koster!

Kazuyuki

---

[1]W3C

  [1] http://www.w3.org/

- DRAFT -

WoT Security

30 Apr 2018

Attendees

Present
  Kaz_Ashimura, Elena_Reshetova, Michael_Koster, Michael_McCool, Zoltan_Kis, Kazuaki_Nimura, Barry_Leiba, Tomoaki_Mizushima

Regrets

Chair
  McCool

Scribe
  mjkoster

Contents

* [2]Topics
  1. [3]Prev minutes
  2. [4]Life cycle transition
  3. [5]Review PRs
     o [6]PR 90
     o [7]PR 91
     o [8]PR #92
  4. [9]Issue #78
  5. [10]Actions from today's call
* [11]Summary of Action Items
* [12]Summary of Resolutions

__________________________________________________________

<kaz> scribenick: mjkoster

Prev minutes

<kaz> [13]prev minutes

  [13] https://www.w3.org/2018/04/23-wot-sec-minutes.html

<kaz> (several typos: s/tak/talk/; s/pare/pair/;)
<kaz> leftover actions:
<kaz> ACTION: [ONGOING] elena to work on issue 68 (Thing Provider Data Specification) and issue 69 (Passive Observers Risk)
<kaz> ACTION: [ONGOING] mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
<kaz> ACTION: [ONGOING] elena/koster to work on terminology
<kaz> ACTION: [ONGOING] mccool to talk with security guys about testing/validation timeline

McCool: accept the minutes
<kaz> (other than the typos and the leftover actions)
McCool: any objections?
<kaz> (none)

Life cycle transition

Zoltan: we need a mechanism by which the consumed thing application gets notified when the exposed thing is destroyed
McCool: can a management thing have an event?
Zoltan: it needs to tell which object is signalled
... simpler to have the object signal itself
McCool: so, a set of standard events
Zoltan: how does OCF work?
... can observe the /oic/res
McCool: standard APIs for components in the architecture
... network API for runtime using a management thing
Zoltan: how does the script get the signal?
McCool: change of state signal would also cover the unexpected loss of a thing
... not sure what the security implications would be

(discussion on TD life cycle management interface)

McCool: seems incomplete without a TD state change mechanism exposed
Zoltan: we can implement this with TD monitoring
... will create an issue

Review PRs

McCool: PR 90, 91, and 92

* PR #90

Elena: start with PR #90
... 3 issues addressed in this PR
... clarification on what is meant by System User Data
... clarified what is meant by System Provider Data

<kaz> [14]PR 90

  [14] https://github.com/w3c/wot-security/pull/90

<kaz> [15]changed files

  [15] https://github.com/w3c/wot-security/pull/90/files

Elena: clarified the attack model and including Thing Directory
... question: is Thing Directory out of scope?
McCool: Thing Directory could be addressed in the security recommendations
Elena: it is difficult to define the threat model to the same detail not knowing the protocol
... maybe we can make some general recommendations
McCool: we could explain this in the document
Elena: yes, we can clarify the scope
McCool: can we create an issue to address Thing Directory security?
Elena: we need to add gateway security as out of scope also since we don't cover end to end security
McCool: in a similar way we could make general recommendations
... we can cite external references like IIC
... capture this in the PR comments
... PR #90

* PR #91

McCool: next PR #91 on Security Metadata

<kaz> [16]pr 91

  [16] https://github.com/w3c/wot-security/pull/91

McCool: starting with a simple example
... leading to more complex examples

<kaz> [17]Security Metadata proposal

  [17] https://github.com/mmccool/wot-security/blob/3589a1e0e2c6c75aa004c83e9e0e8509bf16c0da/wot-security-metadata.md

McCool: ready to merge PR 91

* PR #92

<kaz> [18]PR 92

  [18] https://github.com/w3c/wot-security/pull/92

McCool: Tunnel Configuration

<kaz> [19]changes

  [19] https://github.com/w3c/wot-security/pull/92/files

McCool: changes to break up long text lines
... not ready to merge; adding a section on shadows
mjk: what about using the term "caching proxy"

Issue #78

<kaz> [20]issue 78

  [20] https://github.com/w3c/wot-security/issues/78

McCool: management API that uses cookies for a use case
... out of time now, any other business?

Actions from today's call

McCool: tunneling+shadow
... elena's PR
<kaz> ACTION: mccool to work on tunneling/shadow for the security metadata proposal
McCool: zoltan create scripting issue for TD life cycle in scripting API
... review examples in the security spec (mjk, elena)
<kaz> ACTION: mccool to work on PR 90
<kaz> ACTION: zkis to create scripting issue for TD life cycle in scripting api
McCool: adjourn
<kaz> ACTION: mjkoster/elena to review examples in the security spec

Summary of Action Items

[ONGOING] ACTION: elena to work on issue 68 (Thing Provider Data Specification) and issue 69 (Passive Observers Risk)
[ONGOING] ACTION: elena/koster to work on terminology
[ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mccool to talk with security guys about testing/validation timeline

[NEW] ACTION: mccool to work on tunneling/shadow for the security metadata proposal
[NEW] ACTION: mccool to work on PR 90
[NEW] ACTION: zkis to create scripting issue for TD life cycle in scripting api
[NEW] ACTION: mjkoster/elena to review examples in the security spec

Summary of Resolutions

[End of minutes]

__________________________________________________________

Minutes formatted by David Booth's [21]scribe.perl version 1.152 ([22]CVS log)
$Date: 2018/04/30 14:25:34 $

  [21] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
  [22] http://dev.w3.org/cvsweb/2002/scribe/

Received on Monday, 21 May 2018 23:11:04 UTC