[wot-security] minutes - 20 April 2020

available at:
  https://www.w3.org/2020/04/20-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT-Security

20 Apr 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#20_Apr_2020

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Clerley_Silveira,
          David_Ezell, Oliver_Pfaff, Tomoaki_Mizushima

   Regrets
          Elena_Reshetova

   Chair
          McCool

   Scribe
          kaz

Contents

     * [3]Topics
         1. [4]Welcome Clerley from Conexxus
         2. [5]Review minutes
         3. [6]PRs
         4. [7]Issues
         5. [8]Thing authentication
         6. [9]Use cases and requirements
     * [10]Summary of Action Items
     * [11]Summary of Resolutions
     __________________________________________________________

   <scribe> scribenick: kaz

Welcome Clerley from Conexxus

   David: specifically working on APIs

   Clerley: tx!

   McCool: we're capturing use cases now
   ... very useful to have you to get requirements
   ... we have a number of TFs
   ... this one is working on security/privacy guidelines
   ... also components for the other TF's work
   ... also we have another TF on discovery which is related to
   security

   (discovery call in 1h 45m :)

   McCool: we have the WoT main call on Wednesday

   Clerley: trying to understand how the group is working

   McCool: if you have a question, you can raise your hand by "q+"
   command on IRC
   ... but we just have 5 people or so for this security call, so
   feel free to jump in as well
   ... generally we rotate for the scribe role

Review minutes

   McCool: (explains how we take minutes, etc.)
   ... we review the previous minutes and make a decision whether to
   publish them or not

   [12]Apr-6 minutes

     [12] https://www.w3.org/2020/04/06-wot-sec-minutes.html

   McCool: typo for "Issues and PRs"
   ... objections for publishing the minutes?

   (none)

   McCool: approved

PRs

   McCool: Oliver, any updates?

   Oliver: no, sorry

   McCool: ok
   ... we'll wait for Oliver's new changes

   Oliver: there was something unclear

   McCool: you're now editing the target file, index.html
   ... OK with merging the PR

   Oliver: if you can create the old PR 164, I can create a new
   one

   McCool: ok
   ... please do so

   Oliver: will do

   <scribe> ACTION: Oliver to generate a new PR for end-to-end
   security

Issues

   McCool: would like to look into Issues here

   [13]Issues

     [13] https://github.com/w3c/wot-security/issues

   Oliver: please assign me if my review is needed

   McCool: we want to have a section about end-to-end security
   within the guidelines document

   [14]Issue 144

     [14] https://github.com/w3c/wot-security/issues/144

   McCool: we should open this issue 144 itself
   ... and then should ask some of the other participants to join
   the discussion, e.g., Elena

   Oliver: ok

   McCool: (adds comments on the issue)
   ... first draft has been done
   ... but there are some pending wording changes requested
   ... and it needs further review
   ... so we'll leave this issue open
   ... and I'll re-assign Oliver to do the requested edits
   ... then will also assign Elena to do a review

   [15]McCool's comments

     [15] https://github.com/w3c/wot-security/issues/144#issuecomment-616520209

Thing authentication

   <McCool> [16]https://github.com/w3c/wot-security/issues/148

     [16] https://github.com/w3c/wot-security/issues/148

   McCool: new issue on thing authentication
   ... created an issue on architecture repo

   [17]wot-architecture issue 429

     [17] https://github.com/w3c/wot-architecture/issues/429

   McCool: related to the lifecycle discussion

   Oliver: lifecycle is one aspect
   ... and authentication is another
   ... would have clear picture for onboarding
   ... if we could get good response from another expert (within
   Siemens), could close it sooner
   ... need clear expectation for the mechanism

   McCool: basically, in certain situations authentication expects
   validation
   ... (adds comments to issue 148)
   ... key is lifecycle discussion and definition of states/actors
   where authentication plays a role
   ... this is a relevant issue...

   [18]wot-architecture issue 476

     [18] https://github.com/w3c/wot-architecture/issues/476

   McCool: what to do next?

   Oliver: leave this issue open and clarify those points

   McCool: (adds comments to issue 148 again)
   ... ok
   ... let's leave this issue open
   ... when the above issue is resolved, review it to ensure that
   authentication is properly addressed

   [19]McCool's updated comments

     [19] https://github.com/w3c/wot-security/issues/148#issuecomment-616525692

   McCool: (and adds comments to Architecture issue 476 as well)

   [20]wot-architecture issue 476

     [20] https://github.com/w3c/wot-architecture/issues/476

   [21]McCool's comments for wot-architecture issue 476

     [21] https://github.com/w3c/wot-architecture/issues/476#issuecomment-616526890

Use cases and requirements

   McCool: since we have Clerley and David here, would talk about
   use cases and requirements
   ... e.g., for the Singapore ones
   ... review all the use cases on the wot-architecture repo

   [22]Use case on public health monitoring

     [22] https://github.com/w3c/wot-architecture/pull/468

   McCool: based on the discussion with Singapore govtech
   ... bunch of cameras in the public spaces
   ... face recognition is not necessary
   ... but would see if people have fever
   ... identify them but not necessarily with names

   [23]proposed use case description

     [23] https://github.com/mmccool/wot-architecture/blob/gt-use-cases/USE-CASES/smartcity-health-monitoring.md

   McCool: what do you think?
   ... may be additional requirements from the retail viewpoints
   ... target of advertisement, etc.
   ... two issues here, I think
   ... identifying people
   ... and opt-in
   ... many requirements for security as well

   Clerley: absolutely

   McCool: for example, OAuth came up
   ... to manage access rights
   ... we have this issue tracker here
   ... David did create an issue
   ... for retail use case

   David: wanted to point out there are 3 different topics
   ... how to make sure people able to hack it
   ... and caching security scenario
   ... then access to services
   ... all playing in retail
   ... do you agree?

   McCool: yeah
   ... would like to have security/privacy consideration section
   for each use case
   ... you need to protect cached data
   ... proposing here is generate that section
   ... that's something we should do
   ... (creates a new issue)
   ... add "security and privacy considerations" section to all
   the use cases
   ... should add that to the requirements template too

   [24]Requirements template

     [24] https://github.com/w3c/wot-architecture/blob/master/REQUIREMENTS/requirements-template.md

   McCool: for example, for the retail use cases

   David: let's talk about the details later (need to leave for
   another meeting)

   [25]new issue 168

     [25] https://github.com/w3c/wot-security/issues/168

   [adjourned]

Summary of Action Items

   [NEW] ACTION: Oliver to generate a new PR for end-to-end
   security

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [26]scribe.perl version 1.154 ([27]CVS log)
    $Date: 2020/04/26 13:27:22 $

     [26] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [27] http://dev.w3.org/cvsweb/2002/scribe/

Received on Wednesday, 29 April 2020 08:18:36 UTC