[wot-security] minutes - 21 May 2018

available at:
  https://www.w3.org/2018/05/21-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

21 May 2018

Attendees

   Present
          Kaz_Ashimura, Elena_Reshetova, Michael_McCool,
          Michael_Koster, Barry_Leiba, Tomoaki_Mizushima,
          Zoltan_Kis, Kazuaki_Nimura

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [2]Topics
         1. [3]Agenda
         2. [4]Reviewing prev minutes
         3. [5]Review PRs
         4. [6]Plugfest
         5. [7]Issue review
     * [8]Summary of Action Items
     * [9]Summary of Resolutions
     __________________________________________________________

Agenda

   McCool: testing vs plugfest?
   ... doodle for both
   ... maybe we can use the editor's call slot for this week?
   ... and doodle for the next week
   ... this week plugfest slot for testing discussion
   ... and next week for plugfest as well based on the doodle
   results

   [10]Agenda

     [10] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

   McCool: btw, any addition to the agenda?
   ... plugfest on Oct 20-21
   ... TPAC on Oct 22-26

   [11]TPAC page

     [11] https://www.w3.org/2018/10/TPAC/schedule.html

   McCool: should be added to the WoT wiki as well

   Elena: Lyon should be fine

   Kaz: the f2f meeting will be held on Oct 25-26

Reviewing prev minutes

   [12]Apr 30

     [12] https://www.w3.org/2018/04/30-wot-sec-minutes.html

   [13]May 7

     [13] https://www.w3.org/2018/05/07-wot-sec-minutes.html

   [14]May 14

     [14] https://www.w3.org/2018/05/14-wot-sec-minutes.html

   McCool: skimming the minutes
   ... ok with this
   ... any objections?

   (none)

   McCool: accept Apr 30 minutes
   ... next one, May 7
   ... a couple of PRs
   ... any comments/corrections?

   (none)

   McCool: accepted - May 7 minutes
   ... next May 14
   ... privacy considerations
   ... this week as well
   ... no actions captured

   Kaz: can copy the remaining ones here

   McCool: privacy section still pending



   <scribe> ACTION: [ONGOING] elena to work on issue 68 (Thing
   Provider Data Specification) and issue 69 (Passive Observers
   Risk)

   <scribe> ACTION: [ONGOING] elena/koster to work on terminology

   <scribe> ACTION: [ONGOING] mccool to work on issue 70 (Require
   Not Exposing Immutable Hardware Identifiers?)

   <scribe> ACTION: [ONGOING] mccool to talk with security guys
   about testing/validation timeline

   <scribe> ACTION: [ONGOING] mccool to work on tunneling/shadow
   for the security metadata proposal

   <scribe> ACTION: [ONGOING] mccool to work on PR 90

   <scribe> ACTION: [ONGOING] zkis to create scripting issue for
   TD life cycle in scripting api

   <scribe> ACTION: [ONGOING] mjkoster/elena to review examples in
   the security spec

   ]]

   Kaz: which action items are done?

   McCool: ongoing last week and we can close then this week
   ... let's copy them asis and talk about the status today

   Kaz: ok

   McCool: except that, the minutes are accepted - May 14

Review PRs

   [15]PRs

     [15] https://github.com/w3c/wot-security/pulls

   McCool: would close #92 first

   [16]PR 92

     [16] https://github.com/w3c/wot-security/pull/92

   McCool: added a diagram
   ... and caching algorithm

   Elena: cache combined with security

   McCool: could address it
   ... question of how to interpret it

   Elena: encryption
   ... good to mention both encryption and authentication

   McCool: encryption, authentication and integrity of
   confidentiality?
   ... (goes to his repo)
   ... referring to a new figure with caching proxy
   ... have to check if the link is ok

   Elena: problem with another link too

   McCool: (fixed the links)

   Elena: need clarification to [[The cache can either be combined
   with the security endpoint proxy or can be instantiated as a
   separate service or "middleware layer".]]

   McCool: (add explanation)
   ... will remove "middleware layer"
   ... (add comment about the changes)
   ... let's accept the PR now
   ... we can add fixes later
   ... next thing to do is...
   ... PR 94

   [17]PR 94

     [17] https://github.com/w3c/wot-security/pull/94

   Elena: don't see mitigation yet

   McCool: why don't we add some text for mitigation then?
   ... (create an issue)
   ... add mitigations to privacy section
   ... we can discuss mitigation separately
   ... to follow up on PR 94
   ... (as issue #99)

   Elena: link to my repo?

   [18]Elena's repo

     [18] https://github.com/ereshetova/wot-security/blob/working/index.html

   McCool: possibly a separate subsection for mitigation
   ... now any objections to accept PR 94?

   (none)

   McCool: will merge it then
   ... (add a note)
   ... privacy threats now listed
   ... next PR 95
   ... (shows "working" branch)

   [19]working branch

     [19] https://github.com/w3c/wot-security/blob/working/index.html

   McCool: Elena, did you merge the change with the working
   branch?

   Elena: yes

   [20]rawgit version

     [20] https://rawgit.com/w3c/wot-security/working/index.html

   McCool: any objections to merge PR 95?

   (none)

   McCool: will merge this
   ... (and merged PR #95)
   ... (and then check the master branch)

Plugfest

   McCool: would more things to happen for the next plugfest
   ... some issues with security metadata
   ... and created GH issues for them
   ... security and privacy sections
   ... (add items to the Bundang f2f wiki)

   [21]f2f wiki

     [21] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_30_June-5_July_2018,_Bundang,_Korea#Plenary_and_Breakouts

   McCool: Review security metadata
   ... security testing/validation plan
   ... plugfest security recap
   ... anything else we should add?

   (none at the moment)

   McCool: regarding plugfest...
   ... Michael, is it ok if I add something like this...
   ... goal, objection, etc.

   Koster: this is high-level description
   ... so would make sense

   McCool: (adds topics)
   ... testing
   ... security implementations and interop testing

   Koster: application scenarios
   ... proxy configurations

   McCool: (adds them)
   ... 5 items should suffice at the moment
   ... and then
   ... (goes back to "Plenary and Breakouts")
   ... (and add some points to "WoT Testing")
   ... let's go back to issue reviews

Issue review

   [22]security issues

     [22] https://github.com/w3c/wot-security/issues

   McCool: issue 98 on form-based authentication schemes on digest
   authentication

   [23]https://github.com/w3c/wot-security/issues/96

     [23] https://github.com/w3c/wot-security/issues/96

   McCool: issue 98

   [24]https://github.com/w3c/wot-security/issues/98

     [24] https://github.com/w3c/wot-security/issues/98

   McCool: issue 97 on TLS-SRP authentication scheme/

   [25]https://github.com/w3c/wot-security/issues/97

     [25] https://github.com/w3c/wot-security/issues/97

   McCool: issue 93 on Thing end of life signaling

   [26]https://github.com/w3c/wot-security/issues/93

     [26] https://github.com/w3c/wot-security/issues/93

   McCool: security implication change?
   ... broader issue on accessing security metadata in TD?
   ... (shows section 5.1.1 of wot security draft)

   [27]5.1.1 Secure Delivery and Storage of Thing Description

     [27] https://rawgit.com/w3c/wot-security/working/index.html#secure-delivery-and-storage-of-thing-description

   McCool: (create an issue on "Discuss Security Implications of
   TD Change and Deletion Notification" as Issue 100)

   Koster: makes sense

   McCool: (adds link to issue #114 of wot-scripting-api)
   ... this issue supersedes original issue 93
   ... (and add "superseded by issue 100" to issue 93)
   ... now we have more general issue
   ... another issue for today
   ... issue 83
   ... would close this

   [28]https://github.com/w3c/wot-security/issues/83

     [28] https://github.com/w3c/wot-security/issues/83

   McCool: any comments?

   (none)

   McCool: (and closed issue 83)
   ... next issue 78

   [29]https://github.com/w3c/wot-security/issues/78

     [29] https://github.com/w3c/wot-security/issues/78

   McCool: does WoT use cookies?
   ... think yes
   ... (add notes)

   Koster: share them between clients?

   McCool: could be a token or actual data

   Koster: use them for session keys?

   McCool: related to the issue #98
   ... would close issue 78

   Koster: ok

   McCool: please give comments to the other issues

   [adjourned]

Summary of Action Items

   [DONE] ACTION: elena to work on issue 68 (Thing Provider Data
   Specification) and issue 69 (Passive Observers Risk)
   [DONE] ACTION: elena/koster to work on terminology
   [ONGOING] ACTION: mccool to talk with security guys about
   testing/validation timeline
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not
   Exposing Immutable Hardware Identifiers?)
   [DONE] ACTION: mccool to work on tunneling/shadow for the
   security metadata proposal
   [DONE] ACTION: mccool to work on PR 90
   [DONE] ACTION: zkis to create scripting issue for TD life cycle
   in scripting api
   [ONGOING] ACTION: mjkoster/elena to review examples in the
   security spec

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes formatted by David Booth's [30]scribe.perl version
    1.152 ([31]CVS log)
    $Date: 2018/05/22 11:21:55 $

     [30] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [31] http://dev.w3.org/cvsweb/2002/scribe/

Received on Wednesday, 30 May 2018 01:29:04 UTC