[wot-security] minutes - 24 May 2021 from Kazuyuki Ashimura on 2021-07-12 (public-wot-wg@w3.org from July 2021)

From: Kazuyuki Ashimura <ashimura@w3.org>
Date: Mon, 12 Jul 2021 12:10:45 +0900
To: public-wot-ig@w3.org, public-wot-wg@w3.org
Message-ID: <87pmvo447e.wl-ashimura@w3.org>
available at:
  https://www.w3.org/2021/05/24-wot-sec-minutes.html


also as text below.

Thanks,

Kazuyuki

---
   [1]W3C

      [1] https://www.w3.org/


                             – DRAFT –
                              WoT Security

24 May 2021

   [2]Agenda. [3]IRC log.

      [2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#24_May_2021

      [3] https://www.w3.org/2021/05/24-wot-sec-irc


Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Philipp_Blum,
          Tomoaki_Mizushima

   Regrets
          -

   Chair
          McCool

   Scribe
          kaz

Contents

    1. [4]Minutes
    2. [5]WoT Security Best Practices

Meeting minutes

  Minutes

   [6]May-17

      [6] https://www.w3.org/2021/05/17-wot-sec-minutes.html


   accepted

  WoT Security Best Practices

   [7]wot-security-best-practices Issue 9 - Publish as a Note

      [7] https://github.com/w3c/wot-security-best-practices/issues/9


   Kaz: we've never published the document as an official group
   Note

   McCool: for the consistency with the GitHub repo's name, we
   should use "wot-security-best-practices" as the shortname

   Philipp: makes sense

   Kaz: right

   [8]McCool adds comments on the Issue 9

      [8] https://github.com/w3c/wot-security-best-practices/issues/9#issuecomment-847003073


   McCool: adds "Call for Resolution to publish update" for
   Security and Privacy within the June vF2F agenda

   [9]Proposed Topics section of the vF2F wiki

      [9] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_June_2021#Proposed_Topics


   [10]another comment on the planning to the Issue 9

     [10] https://github.com/w3c/wot-security-best-practices/issues/9#issuecomment-847006107


   McCool: we need to do some general clean up for the draft

   [11]wot-security-best-practices ED

     [11] https://w3c.github.io/wot-security-best-practices/


   McCool: (creates a new issue on secure transport)

   [12]wot-security-best-practices Issue 13 - Update Security
   Transport

     [12] https://github.com/w3c/wot-security-best-practices/issues/13


   McCool: need to talk with Ben about what best practice makes
   sense here
   … we basically recommend OAuth2 flow
   … (adds some more comments to Issue 5 as well)

   [13]wot-security-best-practices Issue 5 - Recommended OAuth2
   flows

     [13] https://github.com/w3c/wot-security-best-practices/issues/5


   McCool: Section 2.1 of the Best Practices document describes
   the OAuth2 Flows

   [14]2.1 OAuth2 Flows

     [14] https://w3c.github.io/wot-security-best-practices/#oauth-flows


   McCool: (creates another Issue on TD Signatures)

   [15]wot-security-best-practices Issue 14 - TD Signatures

     [15] https://github.com/w3c/wot-security-best-practices/issues/13


   McCool: in general, the "object security" section is
   troublesome since we have no direct experience implementing a
   system with it
   … so maybe we should just remove this section for now...

   [16]4. Object Security

     [16] https://w3c.github.io/wot-security-best-practices/#object-security


   Kaz: we can leave it as is and add an Editor's Note for the
   publication of the group Note

   McCool: yeah

   Philipp: (also like that idea)

   McCool: regarding the section 7. Summary"
   … currently it's empty

   [17]wot-security-best-practices Issue 15 - Add or Remove
   Summary Section

     [17] https://github.com/w3c/wot-security-best-practices/issues/15


   McCool: and should expand the Acknowledgements section

   [18]wot-security-best-practices Issue 16 - Expand
   Acknowledgements

     [18] https://github.com/w3c/wot-security-best-practices/issues/15


   McCool: we're not ready for publishing the document yet
   … need more improvement
   … (adds some more comments to Issue 5 again)

   [19]McCool's new comments for Issue 5

     [19] https://github.com/w3c/wot-security-best-practices/issues/16


   McCool: Move the current OAuth2 review into an appendix
   … Pull out the pseudo-RFC2119 recommendations into the main
   body and reword as necessary...
   … (and then make the "call for resolution" for security during
   vF2F to "initial call for resolution")

   [20]Security and Privacy topics within the Proposed Topics
   section on the vF2F wiki

     [20] https://www.w3.org/WoT/IG/wiki/F2F_meeting,_June_2021#Proposed_Topics


   McCool: would like to see what the acceptable practices for
   secure transport

   [adjourned]


    Minutes manually created (not a transcript), formatted by
    [21]scribe.perl version 131 (Sat Apr 24 15:23:43 2021 UTC).

     [21] https://w3c.github.io/scribe2/scribedoc.html
Received on Monday, 12 July 2021 03:10:51 UTC