- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 29 Jul 2019 21:19:28 +0900
- To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
available at:
https://www.w3.org/2019/07/01-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT-Security
01 Jul 2019
Attendees
Present
Michael_McCool, Kaz_Ashimura, Elena_Reshetova,
Tomoaki_Mizushima
Regrets
Chair
McCool
Scribe
kaz
Contents
* [2]Topics
1. [3]TAG and PING
2. [4]Remaining PR
3. [5]Remaining Issues
4. [6]TAG comments
5. [7]PING minutes
6. [8]Previous minutes
7. [9]Publication
* [10]Summary of Action Items
* [11]Summary of Resolutions
__________________________________________________________
TAG and PING
[12]Agenda
[12] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
[13]June-20 PING minutes
[13] https://www.w3.org/Privacy/IG/summaries/PING-minutes-20190620
McCool: we need to identify what to do
... some feedback from David Baron so far
... but that's not an official TAG review yet
... I re-read the comments and also the Architecture draft
... but think there is some misunderstanding and confusion
... need some clarification
Kaz: maybe we can create an issue on our repo?
... anyway, I'll talk with PLH about the next steps today
Remaining PR
[14]PR 133
[14] https://github.com/w3c/wot-security/pull/133
Elena: fix SVG diagrams directly?
McCool: yes, please do so
... using Inkscape, etc.
... should we merge this PR itself?
... using PowerPoint is OK but using some free software would
be better
Kaz: would agree :)
McCool: let's merge this for now but if we have time, let's
convert the diagrams to SVG
(no objections)
McCool: (merges PR 133)
Remaining Issues
[15]Issue 132
[15] https://github.com/w3c/wot-security/issues/132
McCool: close Issue 132
[16]Issue 130
[16] https://github.com/w3c/wot-security/issues/130
McCool: close Issue 130
[17]Issue 129
[17] https://github.com/w3c/wot-security/issues/129
McCool: skims the WoT Architecture at:
[18]https://w3c.github.io/wot-architecture/
... can close Issue 129
... (and close Issue 129)
[18] https://w3c.github.io/wot-architecture/
[19]Issue 126
[19] https://github.com/w3c/wot-security/issues/126
McCool: done?
Elena: yes
McCool: (close Issue 126)
[20]Issue 125
[20] https://github.com/w3c/wot-security/issues/125
McCool: should review terminology separately later
[21]Issue 123
[21] https://github.com/w3c/wot-security/issues/123
Elena: general term is "intermidiary"
McCool: probably still open
... let's leave it
... simplest resolution is removing the extra definitions of
security and privacy within the Architecture document
... (creates a new issue)
[22]Issue 134
[22] https://github.com/w3c/wot-security/issues/134
TAG comments
[23]David's comment
[23] https://github.com/w3ctag/design-reviews/issues/355#issuecomment-505228840
McCool: (looking at the following block)
Also a few thoughts on the security and privacy considerations
which I've reviewed somewhat quickly:
* The idea that thing descriptions shouldn't carry identifying
information seems over-optimistic to me. It seems like (at
least from the perspective of smart home use cases) thing
descriptions are likely to have a significant amount of
sensitive and identifiable information (although it might not
be initially obvious how the information is sensitive), and
systems need to be designed appropriately.
* The opening sentences of the section on software update
(before the "Mitigation:") appear to suggest that avoiding
having a software update system at all would be the best
mitigation. While it's absolutely true that designing a secure
software update system must be done carefully, experience has
shown that having prompt software update to mitigate security
vulnerabilities is essential for internet-connected devices,
and (see The evergreen Web finding)
essential for the progress of the Web.
]]
McCool: we can create an issue on our repo
[24]Issue 135
[24] https://github.com/w3c/wot-security/issues/135
Kaz: note that the TAG guys are looking at the old version we
provided in March
... so we can mention the latest version is available on GitHub
at: [25]https://w3c.github.io/wot-architecture/
[25] https://w3c.github.io/wot-architecture/
McCool: some changes
... anyway, we need clarification for the first comment
... regarding the second comment, maybe we can add some
clarification on our side
Elena: when/how to respond?
McCool: we're still waiting for the official conclusion from
TAG
PING minutes
[26]PING minutes
[26] https://www.w3.org/Privacy/IG/summaries/PING-minutes-20190620
McCool: we can read through this
(and read through the PING minutes)
McCool: (and creates an issue on wot-security repo)
[27]Issue 136
[27] https://github.com/w3c/wot-security/issues/136
Previous minutes
McCool: let's review the previous minutes next time
Publication
McCool: publication of the Note?
Kaz: we can check the document using the Checkers and publish
it using Echidna once it's ready for publication
McCool: ok
... think the terminology issue 123 is blocking
... we should try to address this asas we can push out an
update
Kaz: +1
McCool: might be fixed already, and may want to use
"intermediary" to be consistent with the Architecture doc
[adjourned]
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes manually created (not a transcript), formatted by
David Booth's [28]scribe.perl version 1.154 ([29]CVS log)
$Date: 2019/07/29 12:15:04 $
[28] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[29] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 29 July 2019 12:20:30 UTC