[wot-security] minutes - 18 May 2020

available at:
  https://www.w3.org/2020/05/18-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the miutes, David!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

18 May 2020

   [2]Agenda

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#18_May_2020

Attendees

   Present
          Kaz_Ashimura, Clerley_Silveira, Michael_McCool,
          Oliver_Pfaff, David_Ezell, Tomoaki_Mizushima,
          Elena_Reshetova, Zoltan_Kis

   Regrets

   Chair
          McCool

   Scribe
          David

Contents

     * [3]Topics
         1. [4]Approve minutes from 11 May
         2. [5]PR #172
         3. [6]June F2F planning
         4. [7]Conexxus Merge
     * [8]Summary of Action Items
     * [9]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: dezell

Approve minutes from 11 May

   <kaz> [10]May-11 minutes

     [10] https://www.w3.org/2020/05/11-wot-sec-minutes.html

   McCool: (creates a new issue for OAuth2 flow)

   <kaz> [typo fixed]

   <McCool> [11]https://github.com/w3c/wot-security/issues/173 -
   insert in May 11 minutes

     [11] https://github.com/w3c/wot-security/issues/173

   <kaz> ACTION: kaz to add a link to issue 173 on OAuth2 to the
   May-11 minutes

   RESOLUTION: accept minutes for 11 May - but add link to issue
   #173.

PR #172

   McCool: closing PR #171 without merging.

   <McCool>
   [12]https://pr-preview.s3.amazonaws.com/w3c/wot-security/172/41
   66672...OliverPfaff:39d8e12.html

     [12] https://pr-preview.s3.amazonaws.com/w3c/wot-security/172/4166672...OliverPfaff:39d8e12.html

   Review section 7.

   Focus on section 7.4 end-to-end security.

   <McCool>
   [13]https://pr-preview.s3.amazonaws.com/OliverPfaff/wot-securit
   y/pull/172.html

     [13] https://pr-preview.s3.amazonaws.com/OliverPfaff/wot-security/pull/172.html

   Oliver: people tend to think that end-to-end security is
   absolute.
   ... it's not a fixed thing. You need to know assets, how
   they're used, and what technologies you use to protect them.
   ... so "end-to-end" might be different things to different
   people.
   ... examples in this section call on classical security
   practices - CMS, TLS, IPSec, MACsec

   McCool: we should really add references to each of these
   technologies.
   ... also, the technologies are used at different levels of the
   stack.
   ... we need some indication of what that level is for each.

   Oliver: Second part addresses the data itself.
   ... if you have to do your own security scheme at the data
   level, classical offerings are second best.

   McCool: we've been looking at signing TDs, and maybe using
   DIDs.
   ... we should look at using JWS for signing.

   Oliver: for signing objects, the first plan is to use JSON
   specific encrypted/signed data.
   ... there has to be a good reason for expressing an "alien"
   syntax.

   McCool: in "discovery" we were talking about directory
   structures, and I think we created an issue somewhere, maybe in
   "security," #166.

   <McCool> [14]https://github.com/w3c/wot-security/issues/166

     [14] https://github.com/w3c/wot-security/issues/166

   McCool: (reference 7.4 in the Security document)
   ... if we have some LD proofs, getting the TD from the
   directory should leave proof that it hasn't been tampered.

   Clerley: a big part is a mechanism for protecting the keys.
   Should we give specific consideration to keys.
   ... My experience is that this is a hard problem.

   McCool: let's hold that and create a new topic.
   ... I think this comment should be linked to directories.

   Oliver: XML Signature had 3 ways of expressing signatures.
   ... JWS is less complex. Enveloped is not supported directly.
   ... detatched, enveloping, and enveloped.

   (end digression into "signing")

   McCool: any objections to merging #174?

   (hearing none...)

   (Note: merge shows everything changed - must try to remedy
   offline.)

   McCool: so Clerley asked if key protection should be in scope.
   ... question is "what is standardizable."

   Clerley: not so much management, but protection.

   Elena: you'll have to use OS provided means to do the
   protection, so it's hard to predict.

   McCool: some systems do a good job of strong key protections,
   where you'll never handle the keys.

   Clerley: are there assumptions that only known OSs will be
   used?

   McCool: we have security and privacy guidelines.
   ... we don't force certain things.
   ... we could say "you should" in certain cases.
   ... we also have best practices.
   ... this last is "if you were building a device today, do
   this."

   <McCool>
   [15]https://github.com/w3c/wot-security-best-practices/blob/mas
   ter/index.html

     [15] https://github.com/w3c/wot-security-best-practices/blob/master/index.html

   McCool: recommend you review best practices and add
   suggestions.

   Clerley: OK.

   David: important to tell people what to worry about, even if we
   don't give a prescription.

   McCool: agreed. Making Clerley and assignee for this issue.
   ... issue #170.

   <McCool> [16]https://github.com/w3c/wot-security/issues/170

     [16] https://github.com/w3c/wot-security/issues/170

   McCool: we can make informative recommendations.

June F2F planning

   McCool: we need to come up with a short list of topics.
   ... part of the meeting should be driven by issues.

   (adding topics to Wiki)

   Kaz: we will have some presentations tomorrow at the AC
   meeting, and it might be a good opportunity.

   McCool: I'm trying to figure out how to have a constructive
   discussion.
   ... next meeting let's add 4 slides for this topic.

Conexxus Merge

   McCool: we should discuss further in the architecture call.

   Adjourned.

Summary of Action Items

   [NEW] ACTION: kaz to add a link to issue 173 on OAuth2 to the
   May-11 minutes

Summary of Resolutions

    1. [17]accept minutes for 11 May - but add link to issue #173.
       - [DONE]

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [18]scribe.perl version 1.154 ([19]CVS log)
    $Date: 2020/05/28 13:40:11 $

     [18] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [19] http://dev.w3.org/cvsweb/2002/scribe/

Received on Thursday, 28 May 2020 13:43:37 UTC