- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 21 Sep 2020 18:36:15 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2020/09/07-wot-sec-minutes.html
also as text below.
Thanks a lot for taking the minutes, Cristiano!
Kazuyuki
---
- DRAFT -
WoT Security
07 Sep 2020
[2]Agenda
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#7_September_2020
Attendees
Present
Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
Cristiano_Aguzzi, Tomoaki_Mizushima
Regrets
Chair
McCool
Scribe
cris
__________________________________________________________
<kaz> scribenick: cris
Previous minutes
<kaz> [11]Aug-31
[11] https://www.w3.org/2020/08/31-wot-sec-minutes.html
McCool: by the way it is Labor Day in the U.S.
... by looking into the minutes it is not clear what Cristiano
is agreeing to .. please kaz could you fix this?
... aside from that issue I am ok with the minutes
Kaz: Ok the plan you mentioned has been added
McCool: any other comments? should we make this public?
... ok published.
TD security PRs
<inserted> [12]wot-thing-description PR945
[12] https://github.com/w3c/wot-thing-description/pull/945
<inserted> [13]wot-thing-description PR944
[13] https://github.com/w3c/wot-thing-description/pull/944
McCool: TD group provided some feedback on the PR about
security
... the main concern was about the fact that we still do not
have an implementation of the proposed changes in the PR
... however we do not really define new functionalities in the
PR. In fact both of them propose features that can be easily
translated back to the old TD model
... like inline definition can be preprocessed back to a
securityDefinition
... anyway the two PRs right now are still on hold... we still
have to implement a pre-processor to test them
Elena: do we have existing use cases for combination schema?
McCool: yes we have an example in the TD document (Example 11).
There a proxy is described using a TD
... on the other hand, example 15 shows the problem of
redundancy for multiple or security schemas. This is solved by
the combination scheme (see Example 16)
... it is an improved syntax for "and" and "or" security
constraints
Elena: it looks good. Also the inline feature is fine.
McCool: we need implementation, for example node-wot still does
not support "and" combination (even the old version with the
array is not supported)
Lifecycle review
<kaz> [14]Issue 169
[14] https://github.com/w3c/wot-security/issues/169
McCool: Oliver was confused about roles and entities. I
suggested to add the word "role" at the end of some terms to
make it clearer
... if you have any comments please use the issue comment section.
Directory security
McCool: we still have to really discuss in depth the issue
... for example what should the default method be?
... any other topics to add to the agenda for today? otherwise
I'd rather try to close some open issues
... ok
Clean up issues
<kaz> [15]Issue 169
[15] https://github.com/w3c/wot-security/issues/169
McCool: I'd propose to close #169 since we already did the
review
Elena: we probably need a new issue to track additional review
work on the lifecycle
McCool: I suggest to do additional reviews when the Arch
document goes to CR
... ok closed
<kaz> [16]Issue 173
[16] https://github.com/w3c/wot-security/issues/173
McCool: #173 we already completed the task described there. So
I'm closing it
... any objection?
... ok closed.
<kaz> [17]Issue 177
[17] https://github.com/w3c/wot-security/issues/177
McCool: #177 still has some open points
Cristiano: I think the review is done. We may open a new issue
to track the left points
McCool: yes, let's create an issue in the use-case repository
... I'll assign cristiano to this new issue
<McCool> [18]https://github.com/w3c/wot-usecases/issues/49
[18] https://github.com/w3c/wot-usecases/issues/49
McCool: ok now let's close #177
... closed.
<kaz> [19]Issue 170
[19] https://github.com/w3c/wot-security/issues/170
Elena: I am not sure how to update the Threat Model.
McCool: I think we can discuss this in an issue
Elena: if we decide that the modification is trivial I can just
add two lines there however if we plan to create a new section
it is better to have a discussion
McCool: I think a new issue is the best place to decide this.
... I'm creating a new one in the wot-security repository
<kaz> [20]New Issue 183
[20] https://github.com/w3c/wot-security/issues/183
McCool: Elena any other issue that we should add here?
Elena: not really
<kaz> [21]Issue 170 on Conexxus security and privacy threat
model
[21] https://github.com/w3c/wot-security/issues/170
McCool: I added a Consider closing label to #170
... we still have open points and issues to create
... EdgeX have their own internal system for authentication.
<kaz> [22]Issue 180 on EdgeX
[22] https://github.com/w3c/wot-security/issues/180
McCool: I'd prefer to see a more extensible support
... so I'll leave the issue open to track the discussion
... I think that a solution for #168 is to create an issue for
each use case that still misses a security/privacy section.
<kaz> [23]Issue 168 - security and privacy considerations for
all the use cases (or requirements)
[23] https://github.com/w3c/wot-security/issues/168
<kaz> [24]Issue 166 - integrity protection
[24] https://github.com/w3c/wot-security/issues/166
McCool: any final things?
... Ok let's close the meeting
<kaz> [adjourned]
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes manually created (not a transcript), formatted by
David Booth's [25]scribe.perl version ([26]CVS log)
$Date: 2020/09/09 01:29:37 $
[25] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[26] http://dev.w3.org/cvsweb/2002/scribe/
Received on Monday, 21 September 2020 09:36:19 UTC