
[wot-security] minutes - 1 July 2019

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Mon, 29 Jul 2019 21:19:28 +0900
Message-ID: <CAJ8iq9Wynpcy3PzQSgfW9f933koDruvcrm=hiqenJCzK1Rmwsw@mail.gmail.com>
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
  https://www.w3.org/2019/07/01-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---


                               - DRAFT -

                              WoT-Security

01 Jul 2019

Attendees

   Present
          Michael_McCool, Kaz_Ashimura, Elena_Reshetova,
          Tomoaki_Mizushima

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [2]Topics
         1. [3]TAG and PING
         2. [4]Remaining PR
         3. [5]Remaining Issues
         4. [6]TAG comments
         5. [7]PING minutes
         6. [8]Previous minutes
         7. [9]Publication
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

TAG and PING

   [12]Agenda

     [12] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

   [13]June-20 PING minutes

     [13] https://www.w3.org/Privacy/IG/summaries/PING-minutes-20190620

   McCool: we need to identify what to do
   ... some feedback from David Baron so far
   ... but that's not an official TAG review yet
   ... I re-read the comments and also the Architecture draft
   ... but think there is some misunderstanding and confusion
   ... need some clarification

   Kaz: maybe we can create an issue on our repo?
   ... anyway, I'll talk with PLH about the next steps today

Remaining PR

   [14]PR 133

     [14] https://github.com/w3c/wot-security/pull/133

   Elena: fix SVG diagrams directly?

   McCool: yes, please do so
   ... using Inkscape, etc.
   ... should we merge this PR itself?
   ... using PowerPoint is OK but using some free software would
   be better

   Kaz: would agree :)

   McCool: let's merge this for now but if we have time, let's
   convert the diagrams to SVG

   (no objections)

   McCool: (merges PR 133)

Remaining Issues

   [15]Issue 132

     [15] https://github.com/w3c/wot-security/issues/132

   McCool: close Issue 132

   [16]Issue 130

     [16] https://github.com/w3c/wot-security/issues/130

   McCool: close Issue 130

   [17]Issue 129

     [17] https://github.com/w3c/wot-security/issues/129

   McCool: skims the WoT Architecture at:
   [18]https://w3c.github.io/wot-architecture/
   ... can close Issue 129
   ... (and close Issue 129)

     [18] https://w3c.github.io/wot-architecture/

   [19]Issue 126

     [19] https://github.com/w3c/wot-security/issues/126

   McCool: done?

   Elena: yes

   McCool: (close Issue 126)

   [20]Issue 125

     [20] https://github.com/w3c/wot-security/issues/125

   McCool: should review terminology separately later

   [21]Issue 123

     [21] https://github.com/w3c/wot-security/issues/123

   Elena: general term is "intermediary"

   McCool: probably still open
   ... let's leave it
   ... simplest resolution is removing the extra definitions of
   security and privacy within the Architecture document
   ... (creates a new issue)

   [22]Issue 134

     [22] https://github.com/w3c/wot-security/issues/134

TAG comments

   [23]David's comment

     [23] https://github.com/w3ctag/design-reviews/issues/355#issuecomment-505228840

   McCool: (looking at the following block)

   [[
   Also a few thoughts on the security and privacy considerations
   which I've reviewed somewhat quickly:

   * The idea that thing descriptions shouldn't carry identifying
   information seems over-optimistic to me. It seems like (at
   least from the perspective of smart home use cases) thing
   descriptions are likely to have a significant amount of
   sensitive and identifiable information (although it might not
   be initially obvious how the information is sensitive), and
   systems need to be designed appropriately.

   * The opening sentences of the section on software update
   (before the "Mitigation:") appear to suggest that avoiding
   having a software update system at all would be the best
   mitigation. While it's absolutely true that designing a secure
   software update system must be done carefully, experience has
   shown that having prompt software update to mitigate security
   vulnerabilities is essential for internet-connected devices,
   and (see The evergreen Web finding) essential for the progress
   of the Web.
   ]]

   McCool: we can create an issue on our repo

   [24]Issue 135

     [24] https://github.com/w3c/wot-security/issues/135

   Kaz: note that the TAG guys are looking at the old version we
   provided in March
   ... so we can mention the latest version is available on GitHub
   at: [25]https://w3c.github.io/wot-architecture/

     [25] https://w3c.github.io/wot-architecture/

   McCool: some changes
   ... anyway, we need clarification for the first comment
   ... regarding the second comment, maybe we can add some
   clarification on our side

   Elena: when/how to respond?

   McCool: we're still waiting for the official conclusion from
   TAG

PING minutes

   [26]PING minutes

     [26] https://www.w3.org/Privacy/IG/summaries/PING-minutes-20190620

   McCool: we can read through this

   (and read through the PING minutes)

   McCool: (and creates an issue on wot-security repo)

   [27]Issue 136

     [27] https://github.com/w3c/wot-security/issues/136

Previous minutes

   McCool: let's review the previous minutes next time

Publication

   McCool: publication of the Note?

   Kaz: we can check the document using the Checkers and publish
   it using Echidna once it's ready for publication

   McCool: ok
   ... think the terminology issue 123 is blocking
   ... we should try to address this so we can push out an
   update

   Kaz: +1

   McCool: might be fixed already, and may want to use
   "intermediary" to be consistent with the Architecture doc

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [28]scribe.perl version 1.154 ([29]CVS log)
    $Date: 2019/07/29 12:15:04 $

     [28] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [29] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 29 July 2019 12:20:30 UTC
