W3C home > Mailing lists > Public > public-wot-wg@w3.org > September 2018

Re: [wot-security] minutes - 3 September 2018

From: Mike Paciello <mpaciello@paciellogroup.com>
Date: Wed, 12 Sep 2018 08:03:26 -0400
To: Kazuyuki Ashimura <ashimura@w3.org>, Public Web of Things IG <public-wot-ig@w3.org>, <public-wot-wg@w3.org>
Message-ID: <059C37E1-7305-472D-8706-00583EEE9253@paciellogroup.com>
Hi all -

Would it be too much to ask to be removed from this IOT listserv? I have previously requested this but have been unsuccessful. Other TPG staff are now following the IOT efforts.

Thank you,

Mike

Mike Paciello
phone: 603.889.7734 | mobile: 603.566.7713
Email: mpaciello@paciellogroup.com
 
This message is intended to be confidential and may be legally privileged. It is intended solely for the addressee. If you are not the intended recipient, please delete this message from your system and notify us immediately. Any disclosure, copying, distribution or action taken or omitted to be taken by an unintended recipient in reliance on this message is prohibited and may be unlawful.
 

´╗┐On 9/12/18, 7:50 AM, "Kazuyuki Ashimura" <ashimura@w3.org> wrote:

    available at:
      https://www.w3.org/2018/09/03-wot-sec-minutes.html
    
    also as text below.
    
    Thanks a lot for taking these minutes, Nimura-san!
    
    Kazuyuki
    
    ---
    
       [1]W3C
    
          [1] http://www.w3.org/
    
                                   - DRAFT -
    
                                  WoT Security
    
    03 Sep 2018
    
       [2]Agenda
    
          [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Sept_3.2C_2018
    
    Attendees
    
       Present
              Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
              Kazuaki_Nimura, Xiaoru_Li, Michael_Koster,
              Tomoaki_Mizushima
    
       Regrets
    
       Chair
              McCool
    
       Scribe
              nimura
    
    Contents
    
         * [3]Topics
             1. [4]Agenda
             2. [5]Previous minutes
             3. [6]Final review of updated Security and Privacy
                Considerations
             4. [7]TD Security and Privacy Considerations
         * [8]Summary of Action Items
         * [9]Summary of Resolutions
         __________________________________________________________
    
       <kaz> scribenick: nimura
    
    Agenda
    
       <McCool>
       [10]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Sept_3.2
       C_2018
    
         [10] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Sept_3.2C_2018
    
       todays topics: "TD security and Privacy Consideration" and
       "Best practice document review".
    
    Previous minutes
    
       [11]Previous minutes
    
         [11] https://www.w3.org/2018/08/27-wot-sec-minutes.html
    
       review of minutes from last meeting.
    
       <McCool> mccool: moved action items to
       [12]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions
    
         [12] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions
    
       allocated responsible persons to each action items.
    
       <kaz> [ Kaz will add "McCool to update plugfest planning docs
       to include security scheme configurations to test from best
       practices" as an additional action to the prev minutes ]
    
       accepted.
    
    Final review of updated Security and Privacy Considerations
    
       [13]PR 116
    
         [13] https://github.com/w3c/wot-security/pull/116
    
       PR #116: Fixed the figures in section 7.
    
       get rid of the commas in the figure.
    
       <kaz> [14]updated figure
    
         [14] https://github.com/w3c/wot-security/blob/master/images/scripts-security-1.png
    
       MM to create PR for scripting API security consideration
       section to include normative statements.
    
       no objection to merge the figure after changing the comma part.
    
       that's can be PR.
    
       ZK mentions he'll make some more changes on Scripting API.
    
       We can do one more PR for it and review it in main call.
    
       we'll have review/discussion on the Scripting API draft during
       the main call on Wednesday, Sep. 5.
    
       Those are not related security and privacy.
    
       we will have the version for publication on this Thursday.
    
    TD Security and Privacy Considerations
    
       <McCool>
       [15]https://rawgit.com/w3c/wot-thing-description/0aa72308cdb8e0
       743a503ebdd98ddeff78d77995/index.html
    
         [15] https://rawgit.com/w3c/wot-thing-description/0aa72308cdb8e0743a503ebdd98ddeff78d77995/index.html
    
       There several issues in TD:
    
       normative "SHOULD" statement.
    
       Keep on discussing in the current TD.
    
       Added some references in the TD doc.
    
       that defines various normative descriptions.
    
       security and privacy is not standard but do want to follow this
       guideline.
    
       Kaz mentions that there are several possibilities:
    
       1. would suggest we simply add an "Editor's Note" for that
    
       2. if we want to make the guideline document an additional
       normative deliverable, we need to wait until the new charter
       period
    
       3. or if the guideline is simply a separate section of the
       current security Note, we can publish it as an additional Note
    
       4. or possibly included in the existing normative deliverables,
       e.g., TD
    
       write informative document and reflect in the next charter as
       normative document.
    
       <inserted> McCool will add an Editor's note about that idea as
       the starting point
    
       only thing about security that has recommendations.
    
       ID: Thing should not be fixed in hardware.
    
       update allows only reinitialized the thing.
    
       Is there any feed back from TD group?
    
       access to TD: only authorized use should access the thing.
    
       this part sounds security depends on security.
    
       pre-authenticate user before distribute TD.
    
       Thing directory would provide the capability.
    
       signing TD capability can be introduced.
    
       protecting authentication credential as well.
    
       MUST: need to have user consent for users data.
    
       "user consent" vary depends on places.
    
       "a thing must satisfy all legal requirements" would be the
       reasonable description.
    
       de-capitalized the MUST.
    
       Kaz wonders if we want to mention GDPR
    
       <inserted> note that GDPR is just one of the example
       policies/regulations here
    
       TD PR #207 is about consent.
    
       swap "on" and "off" actions is the example of problem of
       tampering.
    
       <kaz> mm: (summarizes)
       ... Security PR116 for the upcoming publication if possible
       ... TD PR207 long-term point for the next publication
    
       [16]Security PR 116
    
         [16] https://github.com/w3c/wot-security/pull/116
    
       [17]TD PR 207
    
         [17] https://github.com/w3c/wot-thing-description/pull/207
    
       <kaz> [adjourned]
    
    Summary of Action Items
    
       See [18]the Action wiki.
    
         [18] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions
    
    Summary of Resolutions
    
       [End of minutes]
         __________________________________________________________
    
    
        Minutes formatted by David Booth's [19]scribe.perl version
        1.152 ([20]CVS log)
        $Date: 2018/09/12 11:48:58 $
    
         [19] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
         [20] http://dev.w3.org/cvsweb/2002/scribe/
    
    
Received on Wednesday, 12 September 2018 12:03:55 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 12 September 2018 12:03:55 UTC