- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 29 Apr 2020 17:18:49 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2020/04/20-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
WoT-Security
20 Apr 2020
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#20_Apr_2020
Attendees
Present
Kaz_Ashimura, Michael_McCool, Clerley_Silveira,
David_Ezell, Oliver_Pfaff, Tomoaki_Mizushima
Regrets
Elena_Reshetova
Chair
McCool
Scribe
kaz
Contents
* [3]Topics
1. [4]Welcome Clerley from Conexxus
2. [5]Review minutes
3. [6]PRs
4. [7]Issues
5. [8]Thing authentication
6. [9]Use cases and requirements
* [10]Summary of Action Items
* [11]Summary of Resolutions
__________________________________________________________
<scribe> scribenick: kaz
Welcome Clerley from Conexxus
David: specifically working on apis
Clerley: tx!
McCool: we're capturing use cases now
... very useful to have you to get requirements
... we have a number of TFs
... this one is working on security/privacy guidelines
... also components for the other TF's work
... also we have another TF on discovery which is related to
security
(discovery call in 1h 45m :)
McCool: we have the WoT main call on Wednesday
Clerley: trying to understand how the group is working
McCool: if you have a question, you can raise your hand by "q+"
command on IRC
... but we just have 5 people or so for this security call, so
feel free to jump in as well
... generally we rotate for the scribe roll
Review minutes
McCool: (explains how we take minutes, etc.)
... we review the previous minutes and make decision whether to
publish them or not
[12]Apr-6 minutes
[12] https://www.w3.org/2020/04/06-wot-sec-minutes.html
McCool: typo for "Issues and PRs"
... objections for publishing the minutes?
(none)
McCool: approved
PRs
McCool: Oliver, any updates?
Oliver: no, sorry
McCool: ok
... we'll wait for Oliver's new changes
Oliver: there was something unclear
McCool: you're now editing the target file, index.html
... OK with merging the PR
Oliver: if you can create the old PR 164, I can create a new
one
McCool: ok
... please do so
Oliver: will do
<scribe> ACTION: Oliver to generate a new PR for end-to-end
security
Issues
McCool: would like to look into Issues here
[13]Issues
[13] https://github.com/w3c/wot-security/issues
Oliver: please assign me if my review is needed
McCool: we want to have a section about end-to-end security
within the guidelines document
[14]Issue 144
[14] https://github.com/w3c/wot-security/issues/144
McCool: we should open this issue 144 itself
... and then should ask some of the other participants to join
the discussion, e.g., Elena
Oliver: ok
McCool: (adds comments on the issue)
... first draft has been done
... but there are some pending wording changes requested
... and it needs further review
... so we'll leave this issue open
... and I'll re-assign Oliver to do the requested edits
... then will also assign Elena to do a review
[15]McCool's comments
[15] https://github.com/w3c/wot-security/issues/144#issuecomment-616520209
Thing authentication
<McCool> [16]https://github.com/w3c/wot-security/issues/148
[16] https://github.com/w3c/wot-security/issues/148
McCool: new issue on thing authentication
... created an issue on architecture repo
[17]wot-architecture issue 429
[17] https://github.com/w3c/wot-architecture/issues/429
McCool: related to the lifecycle discussion
Oliver: lifecycle is one aspect
... and authentication is another
... would have clear picture for onboarding
... if we could get good response from another expert (within
Siemens), could close it sooner
... need clear expectation for the mechanism
McCool: basically, in certain situation authentication expects
validation
... (adds comments to issue 148)
... key is lifecycle discussion and definition of states/actors
where authentication plays a role
... this is a relevant issue...
[18]wot-architecture issue 476
[18] https://github.com/w3c/wot-architecture/issues/476
McCool: what to do next?
Oliver: leave this issue open and clarify those points
McCool: (adds comments to issue 148 again)
... ok
... let's leave this issue open
... when the above issue is resolved review it to enure that
authentication is properly addressed
[19]McCool's updated comments
[19] https://github.com/w3c/wot-security/issues/148#issuecomment-616525692
McCool: (and adds comments to Architecture issue 476 as well)
[20]wot-architecture issue 476
[20] https://github.com/w3c/wot-architecture/issues/476
[21]McCool's comments for wot-architecture issue 476
[21] https://github.com/w3c/wot-architecture/issues/476#issuecomment-616526890
Use cases and requirements
McCool: since we have Clerley and David here, would talk about
use cases and requirements
... e.g., for the Singapore ones
... review all the use cases on the wot-architecture repo
[22]Use case on public health monitoring
[22] https://github.com/w3c/wot-architecture/pull/468
McCool: based on the discussion with Singapore govtech
... bunch of cameras in the public spaces
... face recognition is not necessary
... but would see if people have fever
... identify them but not necessarily with names
[23]proposed use case description
[23] https://github.com/mmccool/wot-architecture/blob/gt-use-cases/USE-CASES/smartcity-health-monitoring.md
McCool: what do you think?
... may be additional requirements from the retail viewpoints
... target of advertisement, etc.
... two issues here, I think
... identifying people
... and opt-in
... many requirements for security as well
Clerley: absolutely
McCool: for example, OAuth came up
... to manage access rights
... we have this issue tracker here
... David did create an issue
... for retail use case
David: wanted to point out there are 3 different topics
... how to make sure people able to hack it
... and caching security scenario
... then access to services
... all playing in retail
... do you agree?
McCool: yeah
... would like to have security/privacy consideration section
for each use case
... you need to protect cached data
... proposing here is generate that section
... that's something we should do
... (creates a new issue)
... add "security and privacy considerations" section to all
the use cases
... should add that to the requirements template too
[24]Requirements template
[24] https://github.com/w3c/wot-architecture/blob/master/REQUIREMENTS/requirements-template.md
McCool: for example, for the retail use cases
David: let's talk about the details later (need to leave for
another meeting)
[25]new issue 168
[25] https://github.com/w3c/wot-security/issues/168
[adjourned]
Summary of Action Items
[NEW] ACTION: Oliver to generate a new PR for end-to-end
security
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes manually created (not a transcript), formatted by
David Booth's [26]scribe.perl version 1.154 ([27]CVS log)
$Date: 2020/04/26 13:27:22 $
[26] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[27] http://dev.w3.org/cvsweb/2002/scribe/
Received on Wednesday, 29 April 2020 08:18:36 UTC