[wot-security] minutes - 8 March 2021

available at:
  https://www.w3.org/2021/03/08-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Elena!

Kazuyuki

---
   [1]W3C

      [1] https://www.w3.org/

                              WoT Security

08 March 2021

   [2]Agenda. [3]IRC log.

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#8_March_2021
      [3] https://www.w3.org/2021/03/08-wot-sec-irc

Attendees

   Present
          Cristiano_Aguzzi, Elena_Reshetova, Oliver_Pfaff,
          Kaz_Ashimura, Michael_McCool, Philipp_Blum,
          Tomoaki_Mizushima

   Regrets
          -

   Chair
          McCool

   Scribe
          elena

Contents

    1. [4]meeting minutes from the last call
    2. [5]cancellations
    3. [6]agenda for F2F
    4. [7]S&P consideration note update
    5. [8]issues
         1. [9]issue 197
         2. [10]issue 166
         3. [11]issue 196
         4. [12]issue 194
    6. [13]other ongoing activities

Meeting minutes

  meeting minutes from the last call

   <kaz> [14]Feb-22

     [14] https://www.w3.org/2021/02/22-wot-sec-minutes.html

   McCool: meeting minutes approved

  cancellations

   McCool: next week we have a F2F, so maybe we should skip the
   security calls on Monday March 15 and March 22

   McCool: next security call is on March 29, but a short one to
   capture F2F outcomes

  agenda for F2F

   <kaz> [15]March vF2F agenda

     [15] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_March_2021#Agenda

   McCool: currently the F2F agenda looks very full and does not have
   a security session. Does anyone think that we should have a
   security discussion, or is it ok not to have it this time?

   general consensus is that there have not been enough security
   changes to require a separate security session

   McCool: instead people should join existing sessions that might
   touch upon security issues

  S&P consideration note update

   McCool: changes that should be done in the note update:
   aligning the terminology with arch doc, updating docs,
   lifecycle??

   AR to Elena to check the current status of lifecycle in the
   arch spec and raise any issues before the F2F if needed

   McCool: the default branch for wot-security has been renamed
   from master to main. Please update your forks appropriately

  issues

    issue 197

   [16]Issue 197 - Promoting an approach where every thing is a
   server is a security nightmare

     [16] https://github.com/w3c/wot-security/issues/197

   McCool enters a comment to point out the existing PR against
   the arch spec

    issue 166

   [17]Issue 166 - Add integrity protection (proof section) to TDs

     [17] https://github.com/w3c/wot-security/issues/166

   McCool reviewed the latest comment on that issue

    issue 196

   [18]Issue 196 - Consider security issues in Discovery

     [18] https://github.com/w3c/wot-security/issues/196

   McCool suggests reviewing the JSON path draft and puts a
   comment about it in the issue

    issue 194

   [19]Issue 194 - Provide guidance on use of OAuth 2 flows

     [19] https://github.com/w3c/wot-security/issues/194

   McCool: have we ever addressed this?

   Cristiano would try to find a good place to have these
   recommendations added

   McCool: it indeed fits the Best Practices document better, but
   is the Best Practices document even published?

   McCool adding a note that we should formally publish the best
   practices document

   McCool creates a new issue under best practices to add oauth2
   recommendations

   [20]https://github.com/w3c/wot-security-best-practices/issues/5

     [20] https://github.com/w3c/wot-security-best-practices/issues/5

   McCool: we should aim to publish the best practices as a note

   adding a note to issue
   [21]https://github.com/w3c/wot-security-best-practices/issues/7

     [21] https://github.com/w3c/wot-security-best-practices/issues/7

  other ongoing activities

   <kaz> [22]wot-thing-description PR 1058 - WIP: Add JSON pointer
   assertion to definition of body sec location

     [22] https://github.com/w3c/wot-thing-description/pull/1058

   McCool puts some comments on this PR

   McCool: we will likely discuss this further in the TD call

   <kaz> [23]McCool's comment 1 to PR 1058

     [23] https://github.com/w3c/wot-thing-description/pull/1058#issuecomment-792772332

   <kaz> [24]McCool's comment 2 to PR 1058

     [24] https://github.com/w3c/wot-thing-description/pull/1058#issuecomment-792775065

   <kaz> [adjourned]


    Minutes manually created (not a transcript), formatted by
    [25]scribe.perl version 127 (Wed Dec 30 17:39:58 2020 UTC).

     [25] https://w3c.github.io/scribe2/scribedoc.html

Received on Monday, 26 April 2021 11:17:42 UTC