[wot-security] minutes - 14 October 2019 from Kazuyuki Ashimura on 2019-11-05 (public-wot-wg@w3.org from November 2019)

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Tue, 5 Nov 2019 23:44:37 +0900
To: Public Web of Things IG <public-wot-ig@w3.org>, public-wot-wg@w3.org
Message-ID: <CAJ8iq9WLK6S+FqhMQ+RXyjT238-2tCaUhjQkgd4QZL3gMPNPUw@mail.gmail.com>
available at:
  https://www.w3.org/2019/10/14-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

14 Oct 2019

Attendees

   Present
          Kaz_Ashimura, Elena_Reshetova, Michael_McCool,
          Tomoaki_Mizushima

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [2]Topics
         1. [3]Agenda
         2. [4]Better slot?
         3. [5]Purpose
         4. [6]Privacy considerations
         5. [7]Prev minutes
     * [8]Summary of Action Items
     * [9]Summary of Resolutions
     __________________________________________________________

Agenda

   McCool: sent an email to you about the potential agenda

   1. Time for the call. It would be good to find a call Taki can
   join, and also Oliver Pfaff from Siemens. One option: use the
   time on Thursday I allocated for working on the Charter. I
   think this is late enough so it's not a problem for Taki but
   may be too late for Oliver and Elena...

   2. Purpose. We need to have something specific to work on. Do
   we keep refining the guidelines or work on something new, like
   Privacy mitigations?

   3. People have limited bandwidth for meetings. Should we put
   the security call on standby while working on something else
   (eg Discovery) then reactivate it later?

   McCool: we've been working on guidelines
   ... we definitely need some more work
   ... privacy mitigation, etc.
   ... but we need to work on management APIs, etc., before that
   considerations

Better slot?

   McCool: also need to see better slot for new participants
   ... so we should discuss moving the time
   ... also wondering if we should stop our security work and work
   on discovery, etc., first

   Elena: need another doodle to pick a better slot for new
   participants?

   McCool: later slot would be better for Taki
   ... 2 questions: another day? or late evening?

   Elena: later slot would be OK but maybe problematic for
   Japanese guys

   McCool: for me that would be OK, e.g., 11pm on Thursday

   Elena: let's extend the candidate slots

   McCool: we have several constraints
   ... e.g., earlier slot than 5am PDT would not be good for Taki
   ... wondering about Elena's availability on Monday

   Elena: have to leave 3pm EEST

   McCool: we had to wait for the marketing call settled
   ... but it's fixed now

   Kaz: Thursday, 10pm JST, 9am EDT, 4pm EEST

   McCool: let's set up another doodle for security

   Elena: can do any time Friday

   McCool: what about late evening on Thursday?

   Elena: overlapping meeting

   McCool: 8pm-midnight including Friday

   <scribe> ACTION: kaz to create a new doodle for security

Purpose

   McCool: having a call slot for discovery/security
   ... so security+privacy+discovery would be the theme
   ... or having a separate call?

   Elena: we can improve the current security/privacy document,
   but what would be the time span?

   McCool: there are people interested in discovery topic
   ... maybe partial overlap with security/privacy
   ... we need separate calls if we have different people
   ... possibly could have both calls alternatively,
   security->discovery->security...
   ... what do you think, Kaz?

   Kaz: would hear from the potential participants

   McCool: right
   ... note that initially we might need dedicated discussion for
   the discovery topic

Privacy considerations

   McCool: we're at the middle of our transition
   ... changes for id from TD
   ... cryptgraphically unique might be OK, though
   ... (explains the summary of the discussion with PING)
   ... the question was not having concrete mechanism for
   mitigation of privacy risks

   <McCool>
   [10]https://github.com/w3c/wot/blob/master/proposals/privacy.md

     [10] https://github.com/w3c/wot/blob/master/proposals/privacy.md

   McCool: the conclusion was making "id" optional and also remove
   "unique" from it's description
   ... my remaining concern (for the future) is the distribution
   mechanism for TDs

   Elena: what is the purpose of "title"?
   ... arbitrary string?

   McCool: yes
   ... but people might put information about location, name, etc.
   ... "title" is the only mandatory field if we make "id"
   optional
   ... so personally think would be better to make "title" as well
   optional
   ... the other point is about Data Schemas
   ... not really clear
   ... same problem with URI Templates
   ... these are my first thoughts
   ... some suggestions for privacy mitigations

   Elena: will take a look
   ... would be better to have a concrete reference implementation
   for that purpose?

Prev minutes

   [11]Sep-9 minutes

     [11] https://www.w3.org/2019/09/09-wot-sec-minutes.html

   McCool: we should take a look at the current updated definition
   within the Architecture document
   ... (skims the minutes themselves)
   ... any comments?
   ... objections to accept them?

   (none)

   McCool: so accepted

   [adjourned]

Summary of Action Items

   [NEW] ACTION: kaz to create a new doodle for security

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [12]scribe.perl version 1.154 ([13]CVS log)
    $Date: 2019/10/15 07:30:50 $

     [12] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [13] http://dev.w3.org/cvsweb/2002/scribe/
Received on Tuesday, 5 November 2019 14:45:20 UTC