- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Tue, 4 Sep 2018 11:53:32 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2018/08/27-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

27 Aug 2018

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Kazuaki_Nimura, Ryo_Kajiwara,
          Xiaoru_Li, Michael_Lagally, Tomoaki_Mizushima

   Regrets
          Elena, Barry

   Chair
          McCool

   Scribe
          kaz

Contents

     * [2]Topics
         1. [3]Prev minutes
         2. [4]W3C Permissions workshop update
         3. [5]English clean up
         4. [6]Best practices
         5. [7]Remaining issues
         6. [8]Agenda for next week
     * [9]Summary of Action Items
     * [10]Summary of Resolutions
     __________________________________________________________

   <McCool> [11]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Aug_27.2C_2018

     [11] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Aug_27.2C_2018

Prev minutes

   McCool: will review the whole minutes next week due to small
   participation today
   ... check actions
   ... last one done
   ... 2nd last keep

   <McCool> keep the following action items:

   <McCool> mccool to talk with IIC Security TF and W3C Web Security IG

   <McCool> create a PR to clarify the immutability of the "id" property
   in Thing Description

   McCool: will do that

   <McCool> mccool to look into URI templates (RFC6570) for issue 98

   McCool: ongoing

   <McCool> Barry to suggest DTLS testing plan applicable for CoAP/MQTT

   McCool: ongoing

   <McCool> mcCool to write PR on TD spec for security definition

   McCool: still to do

   <McCool> everyone to generate set of best practices

   McCool: ongoing
   ... let's create action list based on the above
   ... Xiaoru has joined the group
   ... additional security meeting during TPAC on Monday

   Kaz: have conflict on Monday for the M&E IG

   McCool: please send an email to me and Elena
   ... maybe we can do that during breakfast or weekend

   Kaz: ok

   (some more attendees join)

   McCool: some more attendees have just joined this call and we've got
   quorum, so let's review the previous minutes
   ... (goes through the minutes)
   ... actions again
   ... mccool to look into URI templates (RFC6570) for issue 98
   ... we can discuss the issue later
   ... would propose to accept the minutes

   Ryo: typo?
   ... TDLS to be DTLS?

   McCool: right
   ... with that change, can we accept the minutes?

   (no objection)

W3C Permissions workshop update

   Ryo: sent the position paper on the GitHub repo

   [12]proposed position paper

     [12] https://github.com/mmccool/w3c-permissions-2018

   Ryo: got notification
   ... accepted for the workshop
   ... so will participate in the workshop

   McCool: need to generate some slide deck?

   Ryo: not sure
   ... it will be held in one month

   [13]permissions workshop cfp

     [13] https://www.w3.org/Privacy/permissions-ws-2018/cfp.html

   sep 26-27

   McCool: let's think about the slide deck for that

   Ryo: will let you know about the time schedule and requirements

   McCool: ok

English clean up

   [14]PR 112

     [14] https://github.com/w3c/wot-security/pull/112

   McCool: Elena says she will clean up figures
   ... also 2 empty sections
   ... simply commented them out
   ... best practices for non-wot devices

   [15]non-wot endpoints

     [15] https://github.com/w3c/wot-security/pull/112/commits/baa2c2a39876a5feb18d4d7ba6a8000f41c1b6a4

   McCool: bunch of small changes
   ... commented out here (<!-- Don't think these are necessary...)
   ... 2 empty sections here
   ... Elena is happy to merge this PR
   ... merging it with mmccool:master (from mccool:polish)

   <McCool> [16]https://rawgit.com/mmccool/wot-security/polish/index.html

     [16] https://rawgit.com/mmccool/wot-security/polish/index.html

   McCool: next week we aim to publish the official version
   ... finding any small issues
   ... we should be prepared and make decision
   ... would merge this against the master
   ... any objection to merge this now?

   Kaz: against w3c/wot-security/master ?

   McCool: right
   ... any objections?

   (none)

   [merged PR 112]

Best practices

   McCool: want to hear your input where to go
   ... created an MD file

   [17]Security Best Practices

     [17] https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md

   McCool: will elaborate this later on
   ... should be specific about transport, authentication, access
   control, ...
   ... if you have any specific best practices, we can create some notes
   here
   ... limited scope on best practices on security configuration
   ... questions?

   <Xiaoru> Does the MQTTS mean MQTT + TLS 1.3?

   Kaz: maybe "MQTTS (CoAP + TLS 1.3)" is typo, isn't it?

   <Xiaoru> yes

   McCool: ah, ok
   ... would like to flesh this out during the week

Remaining issues

   [18]https://github.com/w3c/wot-security/issues/109

     [18] https://github.com/w3c/wot-security/issues/109

   McCool: updated PR 198
   ... this issue can be closed?

   (no objections)

   McCool: closed issue 109

   [19]issue 102

     [19] https://github.com/w3c/wot-security/issues/102

   McCool: let's change the name of this issue
   ... to "Security Best Practices for WoT Systems"

   McCool: generate MD file
   ... please give your comments

   [20]best practices doc

     [20] https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md

   [21]issue 98

     [21] https://github.com/w3c/wot-security/issues/98

   McCool: we can close this
   ... question of URI thing
   ... will close this since once we have URI templates we can use
   "in = query" to represent authentication information in query
   parameters
   ... like a form would do
   ... for various schemes
   ... but we should definitely use this as a test case for combining
   URI templates with security

   [22]issue 81

     [22] https://github.com/w3c/wot-security/issues/81

   McCool: kind of confused with reverse-proxy and forward-proxy
   ... client side vs server side
   ... reverse-proxy is often transparent
   ... my question is ...
   ... would propose to close this issue
   ... considering it's done

   Nimura: are we just thinking about network configuration?
   ... or security?

   McCool: caching or NAT traversal
   ... not specific for proxy
   ... authentication on proxy for endpoint
   ... you can give endpoint security information separately
   ... we should test it at plugfest
   ... the original goal of this issue was that we needed to add some
   metadata
   ... and it's done
   ... and now we need to test it
   ... and then let me know if any problem
   ... make sense?

   Kaz: in that case, we need to add one check point explicitly to the
   online plugfest planning document. right?

   McCool: right
   ... will make the update and then close this issue

   [23]issue 80

     [23] https://github.com/w3c/wot-security/issues/80

   McCool: next issue similar approach
   ... metadata already exists
   ... will update the plugfest planning document and then close this
   issue

   [24]issue 77

     [24] https://github.com/w3c/wot-security/issues/77

   McCool: similar approach
   ... will update the plugfest planning document and then close the
   issue

   [25]issue 76

     [25] https://github.com/w3c/wot-security/issues/76

   McCool: leave this out in this version draft

   [26]issue 72

     [26] https://github.com/w3c/wot-security/issues/72

   McCool: we did add fingerprinting risks
   ... privacy risks
   ... immutable hardware
   ... role of consent
   ... will create a PR for issue 70
   ... any objections to close these 3 issues?

   (no objections)

   McCool: 72 closed

   [27]https://github.com/w3c/wot-security/issues/71

     [27] https://github.com/w3c/wot-security/issues/71

   McCool: did add a new section
   ... but still pretty empty
   ... should keep it open

   [28]https://github.com/w3c/wot-security/issues/67

     [28] https://github.com/w3c/wot-security/issues/67

   McCool: 67 closed

   [29]issue 61

     [29] https://github.com/w3c/wot-security/issues/61

   McCool: Wendy suggests integrity protection
   ... but the security Note itself is not normative

   McCool: will create a PR to put a normative SHOULD statement for
   confidentiality of TD distribution in the TD spec draft

   <scribe> ACTION: McCool to create a PR to put a normative SHOULD
   statement for confidentiality of TD distribution in the Thing
   Description document.

Agenda for next week

   McCool: will update the best practice document
   ... give your comments
   ... final review for the security draft
   ... (updates the agenda for Sep. 3)
   ... issue and PR review
   ... review of last minutes
   ... anything else?

   (none)

   [adjourned]

Summary of Action Items

   [DONE] ACTION: mccool to edit the W3C permissions document
   [DONE] ACTION: McCool to clean up Security and Privacy Considerations
   documents for final update to master by next week
   [DONE] ACTION: mjkoster/elena to review examples in the security spec
   [ONGOING] ACTION: mccool to talk with IIC Security TF and W3C Web
   Security IG about testing/validation timeline (first item tbd; second
   item done)
   [ONGOING] ACTION: mccool to look into URI templates (RFC6570) for
   issue 98
   [ONGOING] ACTION: mcCool to write PR on TD spec for security
   definition
   [ONGOING] ACTION: Barry to suggest DTLS testing plan applicable for
   CoAP/MQTT
   [ONGOING] ACTION: everyone to generate set of best practices for
   draft by next week
   [ONGOING] ACTION: create a PR to clarify the immutability of the "id"
   property in Thing Description
   [ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing
   Immutable Hardware Identifiers?) - same as the above action?
   [NEW] ACTION: McCool to create a PR to put a normative SHOULD
   statement for confidentiality of TD distribution in the Thing
   Description document.
   [NEW] ACTION: McCool to update plugfest planning docs to include
   security scheme configurations to test from best practices.

Summary of Resolutions

   [End of minutes]
     __________________________________________________________

    Minutes formatted by David Booth's [30]scribe.perl version 1.152
    ([31]CVS log)
    $Date: 2018/09/04 02:32:34 $

     [30] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [31] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 4 September 2018 02:54:42 UTC