- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 21 Jan 2019 21:49:29 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
Available at https://www.w3.org/2018/12/17-wot-sec-minutes.html, and as text below.

Thanks,

Kazuyuki

---

   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                               WoT-Security

17 Dec 2018

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Tomoaki_Mizushima, Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [2]Topics
         1. [3]Review of minutes from previous meetings
         2. [4]Publication status
         3. [5]TestFest
         4. [6]External review
         5. [7]Security&Privacy considerations for Scripting API
         6. [8]Remaining issues
         7. [9]Next meeting
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

   <McCool> [12]https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf

     [12] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf

   <McCool> [13]https://www.w3.org/2018/12/03-wot-sec-minutes.html

     [13] https://www.w3.org/2018/12/03-wot-sec-minutes.html

   <scribe> scribenick: kaz

Review of minutes from previous meetings

   [14]prev minutes

     [14] https://www.w3.org/2018/12/03-wot-sec-minutes.html

   McCool: (goes through the prev minutes)
   ... any objections?

   (none)

   McCool: accepted

   Kaz: will fix the style later and then send them out

Publication status

   McCool: security and privacy consideration published on Dec 3

   [15]security draft (published version)

     [15] https://www.w3.org/TR/2018/NOTE-wot-security-20181203/

   McCool: unfortunately, new security/privacy considerations not
   included in the published TD spec

   Elena: PR for the architecture draft

   <elena> [16]https://github.com/w3c/wot-architecture/pull/63

     [16] https://github.com/w3c/wot-architecture/pull/63

   McCool: runtime considerations

   <elena> [17]https://github.com/w3c/wot-scripting-api/pull/155

     [17] https://github.com/w3c/wot-scripting-api/pull/155

   McCool: runtime considerations to be taken out from the scripting
   api draft
   ... we should discuss the status/progress with the architecture
   editors
   ... 2 more items here
   ... documentation planning and implementation report
   ... what we should do
   ... create a repo and prepare for a skeleton
   ... wot-security-best-practices and wot-security-testing-plan
   ... focus of security testing plan
   ... kind of involving document
   ... normal penetration testing
   ... more a living academic document
   ... the work we did on threat modeling
   ... something we need to push to the next level

   Elena: anyone from W3C for penetration testing?

   McCool: W3C folks are not really in charge of testing

   Elena: somebody supposed to do something

   McCool: library expectation
   ... checking implementation has poor input validation, etc.
   ... we should create an appropriate repo
   ... and the next step is to create a skeleton
   ... we should cover the outline
   ... can do that during the Christmas vacation
   ... we can send out an email to get a final confirmation
   ... updating Notes is not difficult

   Kaz: the only question is just that the expected URL shortname is
   unique
   ... the proposed names are ok
   ... I can create GitHub repos after getting groups' confirmation

   McCool: ok
   ... let's confirm that during the main call this Wed

TestFest

   McCool: we had TestFest

   [18]Test result

     [18] https://cdn.staticaly.com/gh/mmccool/wot-thing-description/updated-test-results/testing/report.html

   McCool: implementation description here within the pink area
   ... but not yet for SmartThings or Siemens
   ... main thing is identifying the gap
   ... to improve the tests
   ... the result table has Pass/Fail/Not-impl
   ... still need to work on pink assertions
   ... not well-represented
   ... eventing, etc., to be taken care of
   ... links also left out
   ... assuming people will work on that shortly
   ... easier to fix
   ... rest of the stuff
   ... security mostly
   ... td-security-binding, td-security-no-extras
   ... required security schemes
   ... only myself reported these features
   ... but shouldn't be hard to achieve, e.g., using node-wot
   ... the rest of these
   ... scopes and bunch of stuff
   ... more aggressive to get implementations
   ... some of them pretty easy
   ... easy to add default value
   ... need to flesh them out
   ... in terms of schemes
   ... easy to expose each scheme
   ... which implementations did which?
   ... regarding security: nosc, basic, cert, digest, bearer, pop,
   psk, public, oauth2, apikey
   ... any comments?

   (some discussion with Elena)

   McCool: everyone uses same library for TLS
   ... what is independent code-base?
   ... still waiting for node-wot result and smartthings result
   ... will update on Wednesday for reporting at the main call

External review

   <McCool> [19]https://github.com/w3c/wot-thing-description/pull/314

     [19] https://github.com/w3c/wot-thing-description/pull/314

   McCool: we're getting 6-month extension for the WG
   ... can be as far out as March 2019
   ... before we're entering into CR/PR
   ... who will do this?
   ... mizushima-san, any idea?

   mizu: no, not at the moment

   McCool: W3C official review for security?

   Kaz: can ask security groups and TAG

   McCool: would like to ask Valerie Fenwick from Intel (Web
   Application Security WG) for help
   ... (checks actions)
   ... confirm final decision on the main call on Dec 19
   ... will talk to the W3C Web Security IG about formal security
   validation
   ... btw, decide whether to make Kaz an editor for the security
   note?
   ... can do an email vote

Security&Privacy considerations for Scripting API

   [20]PR 155

     [20] https://github.com/w3c/wot-scripting-api/pull/155

   McCool: waiting for architecture merge

Remaining issues

   [21]issue 102

     [21] https://github.com/w3c/wot-security/issues/102

   McCool: confirm one more time in the main call

   [22]TD issue 300

     [22] https://github.com/w3c/wot-thing-description/issues/300

   "security": {
     "type": "array",
     "items": {
       "oneOf": [
         { "type": "string" },
         { "$ref": "#/definitions/securityScheme" }
       ]
     }
   }

   McCool: discussion on Friday?

Next meeting

   McCool: Dec 24/31 no meetings
   ... next meeting will be Jan 7

   [adjourned]

Summary of Action Items

   See [23]the Action wiki.

     [23] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions

Summary of Resolutions

   [End of minutes]
     __________________________________________________________

    Minutes manually created (not a transcript), formatted by David
    Booth's [24]scribe.perl version 1.154 ([25]CVS log)
    $Date: 2019/01/14 13:13:09 $

     [24] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [25] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 21 January 2019 12:50:30 UTC
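The schema fragment quoted from TD issue 300 under "Remaining issues" (a "security" array whose items are either a string or a securityScheme object) and the TestFest assertions about security bindings are the kind of thing an implementation report has to check mechanically. The following is an added example, written for this editorial pass; it is not code from the minutes, from the W3C WoT groups, or from node-wot. It evaluates exactly that schema fragment with a small hand-written matcher for the few JSON Schema keywords the fragment uses, then checks the binding: every string entry must name a key of the TD's "securityDefinitions" map. That binding rule, the "scheme" member on scheme objects, the scheme-name list (taken from McCool's enumeration, with "nosc" read as the TD spelling "nosec"), and the sample TDs at the bottom are all assumptions made for this example.

```python
"""Validate the "security" member of a WoT Thing Description (TD).

Added example; not code from the minutes or from any W3C WoT project.
It implements the schema fragment quoted from TD issue 300 with a minimal
evaluator for the JSON Schema keywords that fragment needs, then checks
that string entries are bound to "securityDefinitions".  Assumptions
(not stated in the minutes): string entries name securityDefinitions keys;
scheme objects carry a "scheme" member from SCHEME_NAMES; the sample TDs
below are constructed for this example.
"""
import json

# McCool's list from the TestFest discussion; "nosc" taken as the TD "nosec".
SCHEME_NAMES = ["nosec", "basic", "cert", "digest", "bearer", "pop",
                "psk", "public", "oauth2", "apikey"]

# The issue-300 fragment (with its "oneOf" array brackets) embedded in a
# minimal TD schema so that the "$ref" has a target to resolve against.
TD_SCHEMA = {
    "definitions": {
        "securityScheme": {
            "type": "object",
            "required": ["scheme"],
            "properties": {"scheme": {"type": "string", "enum": SCHEME_NAMES}},
        }
    },
    "type": "object",
    "properties": {
        "security": {
            "type": "array",
            "items": {
                "oneOf": [
                    {"type": "string"},
                    {"$ref": "#/definitions/securityScheme"},
                ]
            },
        }
    },
}

JSON_TYPES = {"string": str, "array": list, "object": dict}


def matches(instance, schema, root=TD_SCHEMA):
    """True if instance satisfies schema.  Supports only the keywords the
    issue-300 fragment uses: local $ref, oneOf, type, enum, items,
    required and properties."""
    if "$ref" in schema:
        ref = schema["$ref"]
        if not ref.startswith("#/"):
            raise ValueError(f"only local refs are supported: {ref}")
        target = root
        for part in ref[2:].split("/"):
            target = target[part]
        return matches(instance, target, root)
    if "oneOf" in schema:
        # oneOf requires exactly one alternative to match, not "at least one"
        if sum(matches(instance, alt, root) for alt in schema["oneOf"]) != 1:
            return False
    kind = schema.get("type")
    if kind is not None and not isinstance(instance, JSON_TYPES[kind]):
        return False
    if "enum" in schema and instance not in schema["enum"]:
        return False
    if kind == "array" and "items" in schema:
        if not all(matches(x, schema["items"], root) for x in instance):
            return False
    if kind == "object":
        if any(k not in instance for k in schema.get("required", [])):
            return False
        for key, sub in schema.get("properties", {}).items():
            if key in instance and not matches(instance[key], sub, root):
                return False
    return True


def security_problems(td):
    """Return a list of problems with td["security"]; an empty list means
    the member is well-formed and every name it uses is bound."""
    if "security" not in td:
        return ["no 'security' member"]
    if not matches(td, TD_SCHEMA):
        return ["'security' does not match the issue-300 schema"]
    problems = []
    if not td["security"]:
        problems.append("'security' is empty: nothing is applied")
    definitions = td.get("securityDefinitions", {})   # assumed binding target
    scheme_ref = {"$ref": "#/definitions/securityScheme"}
    for i, item in enumerate(td["security"]):
        if isinstance(item, str):
            if item not in definitions:
                problems.append(f"security[{i}] names undefined scheme '{item}'")
            elif not matches(definitions[item], scheme_ref):
                problems.append(f"securityDefinitions['{item}'] is not a valid scheme")
    return problems


# Constructed sample TDs (not from any implementation report).
GOOD_TD = json.loads("""{
  "title": "ExampleLamp",
  "securityDefinitions": {
    "basic_sc": {"scheme": "basic", "in": "header"},
    "nosec_sc": {"scheme": "nosec"}
  },
  "security": ["basic_sc", {"scheme": "bearer", "format": "jwt"}]
}""")

BAD_TDS = {
    "unbound name": {"security": ["oauth2_sc"], "securityDefinitions": {}},
    "unknown scheme": {"security": [{"scheme": "magic"}]},
    "not an array": {"security": "basic_sc"},
    "empty": {"security": [], "securityDefinitions": {}},
}

if __name__ == "__main__":
    print("good:", security_problems(GOOD_TD))
    for name, td in BAD_TDS.items():
        print(f"{name}: {security_problems(td)}")
```

Separating the schema check from the binding check mirrors the two assertions the minutes mention: the schema only says what shape "security" has, while a name that resolves to nothing in "securityDefinitions" is a binding failure that no JSON Schema keyword in the fragment can express.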