- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 29 Apr 2020 17:18:49 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2020/04/20-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---

[1]W3C

[1] http://www.w3.org/

- DRAFT -

WoT-Security

20 Apr 2020

[2]Agenda

[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#20_Apr_2020

Attendees

Present
Kaz_Ashimura, Michael_McCool, Clerley_Silveira, David_Ezell, Oliver_Pfaff, Tomoaki_Mizushima

Regrets
Elena_Reshetova

Chair
McCool

Scribe
kaz

Contents

* [3]Topics
  1. [4]Welcome Clerley from Conexxus
  2. [5]Review minutes
  3. [6]PRs
  4. [7]Issues
  5. [8]Thing authentication
  6. [9]Use cases and requirements
* [10]Summary of Action Items
* [11]Summary of Resolutions

__________________________________________________________

<scribe> scribenick: kaz

Welcome Clerley from Conexxus

David: specifically working on apis

Clerley: tx!

McCool: we're capturing use cases now
... very useful to have you to get requirements
... we have a number of TFs
... this one is working on security/privacy guidelines
... also components for the other TF's work
... also we have another TF on discovery which is related to security

(discovery call in 1h 45m :)

McCool: we have the WoT main call on Wednesday

Clerley: trying to understand how the group is working

McCool: if you have a question, you can raise your hand by "q+" command on IRC
... but we just have 5 people or so for this security call, so feel free to jump in as well
... generally we rotate for the scribe role

Review minutes

McCool: (explains how we take minutes, etc.)
... we review the previous minutes and make decision whether to publish them or not

[12]Apr-6 minutes

[12] https://www.w3.org/2020/04/06-wot-sec-minutes.html

McCool: typo for "Issues and PRs"
... objections for publishing the minutes?

(none)

McCool: approved

PRs

McCool: Oliver, any updates?

Oliver: no, sorry

McCool: ok
... we'll wait for Oliver's new changes

Oliver: there was something unclear

McCool: you're now editing the target file, index.html
... OK with merging the PR

Oliver: if you can create the old PR 164, I can create a new one

McCool: ok
... please do so

Oliver: will do

<scribe> ACTION: Oliver to generate a new PR for end-to-end security

Issues

McCool: would like to look into Issues here

[13]Issues

[13] https://github.com/w3c/wot-security/issues

Oliver: please assign me if my review is needed

McCool: we want to have a section about end-to-end security within the guidelines document

[14]Issue 144

[14] https://github.com/w3c/wot-security/issues/144

McCool: we should open this issue 144 itself
... and then should ask some of the other participants to join the discussion, e.g., Elena

Oliver: ok

McCool: (adds comments on the issue)
... first draft has been done
... but there are some pending wording changes requested
... and it needs further review
... so we'll leave this issue open
... and I'll re-assign Oliver to do the requested edits
... then will also assign Elena to do a review

[15]McCool's comments

[15] https://github.com/w3c/wot-security/issues/144#issuecomment-616520209

Thing authentication

<McCool> [16]https://github.com/w3c/wot-security/issues/148

[16] https://github.com/w3c/wot-security/issues/148

McCool: new issue on thing authentication
... created an issue on architecture repo

[17]wot-architecture issue 429

[17] https://github.com/w3c/wot-architecture/issues/429

McCool: related to the lifecycle discussion

Oliver: lifecycle is one aspect
... and authentication is another
... would have clear picture for onboarding
... if we could get good response from another expert (within Siemens), could close it sooner
... need clear expectation for the mechanism

McCool: basically, in certain situations authentication expects validation
... (adds comments to issue 148)
... key is lifecycle discussion and definition of states/actors where authentication plays a role
... this is a relevant issue...

[18]wot-architecture issue 476

[18] https://github.com/w3c/wot-architecture/issues/476

McCool: what to do next?

Oliver: leave this issue open and clarify those points

McCool: (adds comments to issue 148 again)
... ok
... let's leave this issue open
... when the above issue is resolved review it to ensure that authentication is properly addressed

[19]McCool's updated comments

[19] https://github.com/w3c/wot-security/issues/148#issuecomment-616525692

McCool: (and adds comments to Architecture issue 476 as well)

[20]wot-architecture issue 476

[20] https://github.com/w3c/wot-architecture/issues/476

[21]McCool's comments for wot-architecture issue 476

[21] https://github.com/w3c/wot-architecture/issues/476#issuecomment-616526890

Use cases and requirements

McCool: since we have Clerley and David here, would talk about use cases and requirements
... e.g., for the Singapore ones
... review all the use cases on the wot-architecture repo

[22]Use case on public health monitoring

[22] https://github.com/w3c/wot-architecture/pull/468

McCool: based on the discussion with Singapore govtech
... bunch of cameras in the public spaces
... face recognition is not necessary
... but would see if people have fever
... identify them but not necessarily with names

[23]proposed use case description

[23] https://github.com/mmccool/wot-architecture/blob/gt-use-cases/USE-CASES/smartcity-health-monitoring.md

McCool: what do you think?
... may be additional requirements from the retail viewpoints
... target of advertisement, etc.
... two issues here, I think
... identifying people
... and opt-in
... many requirements for security as well

Clerley: absolutely

McCool: for example, OAuth came up
... to manage access rights
... we have this issue tracker here
... David did create an issue
... for retail use case

David: wanted to point out there are 3 different topics
... how to make sure people able to hack it
... and caching security scenario
... then access to services
... all playing in retail
... do you agree?

McCool: yeah
... would like to have security/privacy consideration section for each use case
... you need to protect cached data
... proposing here is generate that section
... that's something we should do
... (creates a new issue)
... add "security and privacy considerations" section to all the use cases
... should add that to the requirements template too

[24]Requirements template

[24] https://github.com/w3c/wot-architecture/blob/master/REQUIREMENTS/requirements-template.md

McCool: for example, for the retail use cases

David: let's talk about the details later

(need to leave for another meeting)

[25]new issue 168

[25] https://github.com/w3c/wot-security/issues/168

[adjourned]

Summary of Action Items

[NEW] ACTION: Oliver to generate a new PR for end-to-end security

Summary of Resolutions

[End of minutes]

__________________________________________________________

Minutes manually created (not a transcript), formatted by David Booth's [26]scribe.perl version 1.154 ([27]CVS log)
$Date: 2020/04/26 13:27:22 $

[26] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[27] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 29 April 2020 08:18:36 UTC