- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 30 May 2018 10:27:56 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2018/05/21-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

[1]W3C

   [1] http://www.w3.org/

- DRAFT -

WoT Security

21 May 2018

Attendees

Present
   Kaz_Ashimura, Elena_Reshetova, Michael_McCool, Michael_Koster, Barry_Leiba, Tomoaki_Mizushima, Zoltan_Kis, Kazuaki_Nimura

Regrets

Chair
   McCool

Scribe
   kaz

Contents

* [2]Topics
   1. [3]Agenda
   2. [4]Reviewing prev minutes
   3. [5]Review PRs
   4. [6]Plugfest
   5. [7]Issue review
* [8]Summary of Action Items
* [9]Summary of Resolutions

__________________________________________________________

Agenda

McCool: testing vs plugfest?
... doodle for both
... maybe we can use the editor's call slot for this week?
... and doodle for the next week
... this week plugfest slot for testing discussion
... and next week for plugfest as well based on the doodle results

[10]Agenda

   [10] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

McCool: btw, any addition to the agenda?
... plugfest on Oct 20-21
... TPAC on Oct 22-26

[11]TPAC page

   [11] https://www.w3.org/2018/10/TPAC/schedule.html

McCool: should be added to the WoT wiki as well

Elena: Lyon should be fine

Kaz: the f2f meeting will be held on Oct 25-26

Reviewing prev minutes

[12]Apr 30

   [12] https://www.w3.org/2018/04/30-wot-sec-minutes.html

[13]May 7

   [13] https://www.w3.org/2018/05/07-wot-sec-minutes.html

[14]May 14

   [14] https://www.w3.org/2018/05/14-wot-sec-minutes.html

McCool: skimming the minutes
... ok with this
... any objections?

(none)

McCool: accept Apr 30 minutes
... next one, May 7
... a couple of PRs
... any comments/corrections?

(none)

McCool: accepted - May 7 minutes
... next May 14
... privacy considerations
... this week as well
... no actions captured

Kaz: can copy the remaining ones here

McCool: privacy section still pending

<scribe> ACTION: [ONGOING] elena to work on issue 68 (Thing Provider Data Specification) and issue 69 (Passive Observers Risk)

<scribe> ACTION: [ONGOING] elena/koster to work on terminology

<scribe> ACTION: [ONGOING] mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)

<scribe> ACTION: [ONGOING] mccool to talk with security guys about testing/validation timeline

<scribe> ACTION: [ONGOING] mccool to work on tunneling/shadow for the security metadata proposal

<scribe> ACTION: [ONGOING] mccool to work on PR 90

<scribe> ACTION: [ONGOING] zkis to create scripting issue for TD life cycle in scripting api

<scribe> ACTION: [ONGOING] mjkoster/elena to review examples in the security spec

]]

Kaz: which action items are done?

McCool: ongoing last week and we can close them this week
... let's copy them as is and talk about the status today

Kaz: ok

McCool: except that, the minutes are accepted - May 14

Review PRs

[15]PRs

   [15] https://github.com/w3c/wot-security/pulls

McCool: would close #92 first

[16]PR 92

   [16] https://github.com/w3c/wot-security/pull/92

McCool: added a diagram
... and caching algorithm

Elena: cache combined with security

McCool: could address it
... question of how to interpret it

Elena: encryption
... good to mention both encryption and authentication

McCool: encryption, authentication and integrity of confidentiality?
... (goes to his repo)
... referring to a new figure with caching proxy
... have to check if the link is ok

Elena: problem with another link too

McCool: (fixed the links)

Elena: need clarification to [[The cache can either be combined with the security endpoint proxy or can be instantiated as a separate service or "middleware layer".]]

McCool: (add explanation)
... will remove "middleware layer"
... (add comment about the changes)
... let's accept the PR now
... we can add fixes later
... next thing to do is...
... PR 94

[17]PR 94

   [17] https://github.com/w3c/wot-security/pull/94

Elena: don't see mitigation yet

McCool: why don't we add some text for mitigation then?
... (create an issue)
... add mitigations to privacy section
... we can discuss mitigation separately
... to follow up on PR 94
... (as issue #99)

Elena: link to my repo?

[18]Elena's repo

   [18] https://github.com/ereshetova/wot-security/blob/working/index.html

McCool: possibly a separate subsection for mitigation
... now any objections to accept PR 94?

(none)

McCool: will merge it then
... (add a note)
... privacy threats now listed
... next PR 95
... (shows "working" branch)

[19]working branch

   [19] https://github.com/w3c/wot-security/blob/working/index.html

McCool: Elena, did you merge the change with the working branch?

Elena: yes

[20]rawgit version

   [20] https://rawgit.com/w3c/wot-security/working/index.html

McCool: any objections to merge PR 95?

(none)

McCool: will merge this
... (and merged PR #95)
... (and then check the master branch)

Plugfest

McCool: would more things to happen for the next plugfest
... some issues with security metadata
... and created GH issues for them
... security and privacy sections
... (add items to the Bundang f2f wiki)

[21]f2f wiki

   [21] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_30_June-5_July_2018,_Bundang,_Korea#Plenary_and_Breakouts

McCool: Review security metadata
... security testing/validation plan
... plugfest security recap
... anything else we should add?

(none at the moment)

McCool: regarding plugfest...
... Michael, is it ok if I add something like this...
... goal, objection, etc.

Koster: this is high-level description
... so would make sense

McCool: (adds topics)
... testing
... security implementations and interop testing

Koster: application scenarios
... proxy configurations

McCool: (adds them)
... 5 items should suffice at the moment
... and then
... (goes back to "Plenary and Breakouts")
... (and add some points to "WoT Testing")
... let's go back to issue reviews

Issue review

[22]security issues

   [22] https://github.com/w3c/wot-security/issues

McCool: issue 98 on form-based authentication schemes on digest authentication

[23]https://github.com/w3c/wot-security/issues/96

   [23] https://github.com/w3c/wot-security/issues/96

McCool: issue 98

[24]https://github.com/w3c/wot-security/issues/98

   [24] https://github.com/w3c/wot-security/issues/98

McCool: issue 97 on TLS-SRP authentication scheme/

[25]https://github.com/w3c/wot-security/issues/97

   [25] https://github.com/w3c/wot-security/issues/97

McCool: issue 93 on Thing end of life signaling

[26]https://github.com/w3c/wot-security/issues/93

   [26] https://github.com/w3c/wot-security/issues/93

McCool: security implication change?
... broader issue on accessing security metadata in TD?
... (shows section 5.1.1 of wot security draft)

[27]5.1.1 Secure Delivery and Storage of Thing Description

   [27] https://rawgit.com/w3c/wot-security/working/index.html#secure-delivery-and-storage-of-thing-description

McCool: (create an issue on "Discuss Security Implications of TD Change and Deletion Notification" as Issue 100)

Koster: makes sense

McCool: (adds link to issue #114 of wot-scripting-api)
... this issue supersedes original issue 93
... (and add "superseded by issue 100" to issue 93)
... now we have more general issue
... another issue for today
... issue 83
... would close this

[28]https://github.com/w3c/wot-security/issues/83

   [28] https://github.com/w3c/wot-security/issues/83

McCool: any comments?

(none)

McCool: (and closed issue 83)
... next issue 78

[29]https://github.com/w3c/wot-security/issues/78

   [29] https://github.com/w3c/wot-security/issues/78

McCool: does WoT use cookies?
... think yes
... (add notes)

Koster: share them between clients?

McCool: could be a token or actual data

Koster: use them for session keys?

McCool: related to the issue #98
... would close issue 78

Koster: ok

McCool: please give comments to the other issues

[adjourned]

Summary of Action Items

[DONE] ACTION: elena to work on issue 68 (Thing Provider Data Specification) and issue 69 (Passive Observers Risk)
[DONE] ACTION: elena/koster to work on terminology
[ONGOING] ACTION: mccool to talk with security guys about testing/validation timeline
[ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
[DONE] ACTION: mccool to work on tunneling/shadow for the security metadata proposal
[DONE] ACTION: mccool to work on PR 90
[DONE] ACTION: zkis to create scripting issue for TD life cycle in scripting api
[ONGOING] ACTION: mjkoster/elena to review examples in the security spec

Summary of Resolutions

[End of minutes]

__________________________________________________________

Minutes formatted by David Booth's [30]scribe.perl version 1.152 ([31]CVS log)
$Date: 2018/05/22 11:21:55 $

   [30] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
   [31] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 30 May 2018 01:29:04 UTC