[wot-security] minutes - 1 June 2020

available at:
  https://www.w3.org/2020/06/01-wot-sec-minutes.html

also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

01 Jun 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda

Attendees

   Present
          Kaz_Ashimura, Cristiano_Aguzzi, Michael_McCool,
          Tomoaki_Mizushima, David_Ezell, Elena_Reshetova,
          Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          kaz

Contents

     * [3]Topics
         1. [4]Prev minutes
         2. [5]OAuth2 Use case
         3. [6]Conexxus security and privacy threat model
         4. [7]F2F prep
     * [8]Summary of Action Items
     * [9]Summary of Resolutions
     __________________________________________________________

Prev minutes

   [10]May 25

     [10] https://www.w3.org/2020/05/25-wot-sec-minutes.html

   McCool: any objections?

   (none)

   McCool: approved

OAuth2 Use case

   [11]OAuth2 use case

     [11] https://github.com/w3c/wot-architecture/blob/master/USE-CASES/oauth.md

   McCool: Cristiano should first remove the current PR 515
   ... and create a new one after joining the WG as an IE

   [12]PR 515

     [12] https://github.com/w3c/wot-architecture/pull/515

   [13]Changes

     [13] https://github.com/w3c/wot-architecture/pull/515/files

   McCool: cloud provider might be involved in this use case
   ... so far there is a list of stakeholders to be chosen, though

   Cristiano: remove "operator" from "directory service operator"

   McCool: should keep the name given it's included in the
   candidate list
   ... regarding the motivation section, we need to see the spec
   again

   Cristiano: ok

   McCool: but this is a good starting point
   ... expected devices should include a token server

   Cristiano: wondering who the "resource owner" is

   McCool: wondering about the names here
   ... resource owner
   ... should it be a "resource server"?
   ... let's keep this as is at the moment and continue the review

   Cristiano: code flow section
   ... (starting with line 112)

   McCool: we should be careful about the wording
   ... possible delegation to a third party
   ... I can do another review pass and give comments

   Cristiano: great

   McCool: you can close this PR 515 itself and submit a new one
   with your account as an Invited Expert
   ... (and closed PR 515)

   Zoltan: btw, wondering about the status of Cristiano's IE
   application

   Cristiano: submitted an application and it has just been approved

Conexxus security and privacy threat model

   [14]Issue 170

     [14] https://github.com/w3c/wot-security/issues/170

   David: no public resource so far
   ... but can clarify the points

   McCool: we can mail them to provide a summary
   ... and to ask for clarification

   David: sure

   McCool: about threat model and implementation recommendations
   ... let's extract our main points

   David: can we go through the requirements?

   McCool: sure

   David: (gives some background about Conexxus; e.g., Conexxus is
   creating interfaces)
   ... there are two design documents

   McCool: (looking for the document)

   David: (shares his screen for the document)
   ... there is data confidentiality and data encryption within
   the data protection section

   McCool: would be useful to have questions about the design
   review

   David: questions about confidentiality and encryption
   ... and then data integrity
   ... this came from the payment network
   ... there is a question about 2-factor or multi-factor
   authentication

   McCool: OAuth allows multi-factor authentication, right?

   David: right
   ... and then there is a "Compliance" section here

   McCool: a possible addition is government regulation compliance

   David: right

   McCool: this is great
   ... having a design document and a check list is good
   ... wondering if it's kind of Web-oriented
   ... we should have an IoT-oriented one
   ... the next step should be distributing the resource to the
   group
   ... the concept of a check list is great
   ... to be included in the best practices document

   David: will send the resource to you

   McCool: and I can share it with part of the group as the
   starting point

F2F prep

   [15]June meeting wiki

     [15] https://www.w3.org/WoT/IG/wiki/F2F_meeting_2020_2nd

   McCool: we need to talk about when/how
   ... don't have concrete agenda items yet

   [16]F2F topics

     [16] https://www.w3.org/WoT/IG/wiki/F2F_meeting_2020_2nd#Topics_.28Tentative.29

   McCool: Best practice topics should be included
   ... need to work on presentations
   ... note that June 11 is a holiday in Europe
   ... this is my initial list of topics to be discussed next week
   ... do we have any topics which need input here?
   ... (adds Best practices under "Gather input")
   ... next week will be the last security call before the
   PlugFest/F2F
   ... but next Monday, there will be the T2TRG workshop at 8-11am
   EDT
   ... so we need to cancel the Security call next week as well
   ... (updates the Agenda section of the Security wiki)
   ... cancel the call on June 8 and June 15
   ... and then will have a Security session during the F2F on
   June 22
   ... anyway, please watch Cristiano's new PR and review it
   ... anything else?

   (none)

   [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [17]scribe.perl version ([18]CVS log)
    $Date: 2020/06/08 01:40:47 $

     [17] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [18] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 7 July 2020 11:27:29 UTC