12:02:58 RRSAgent has joined #wot-sp
12:02:58 logging to http://www.w3.org/2016/03/10-wot-sp-irc
12:02:59 dsr has joined #wot-sp
12:03:02 Zakim has joined #wot-sp
12:03:12 rrsagent, set logs public
12:03:24 meeting: Security task force
12:03:34 chair: Oliver
12:03:46 agenda: https://lists.w3.org/Archives/Public/public-wot-ig/2016Mar/0013.html
12:05:16 q+
12:05:41 Yingying has joined #wot-sp
12:06:34 topic: how to re-energize the security/privacy work
12:06:41 (brain storming)
12:09:01 kaz: TV Control API CG has started their phase 2 work
12:09:07 ... and interested in security/privacy
12:09:22 ... so far they're thinking about collaboration with the Automotive group
12:09:38 ... but collaboration with this WoT-SP would also make sense
12:10:05 oliver: ok. let me know about their opinions, etc.
12:10:18 ... we should be able to respond to them
12:10:21 ack k
12:10:57 ... there is already public information
12:11:07 ... so we can show it to them
12:11:49 present: Kaz, Dave, Oliver, Sebastian, Yingying
12:12:13 Sebastian has joined #wot-sp
12:12:32 topic: Landscape document
12:12:46 present+ Sebastian_Kaebisch
12:12:49 -> http://w3c.github.io/wot/landscape.html Landscape document on GitHub
12:13:18 oliver: share the document on the webex
12:13:37 s/share/sharing/
12:13:54 ... not updating for awhile
12:14:19 topic: Current practice document
12:14:50 -> http://w3c.github.io/wot/current-practices/wot-practices.html#security-considerations-1 Security consideration for AP from the Current Practice document
12:15:08 oliver: question to Sebastian
12:15:24 sebastian: updating the TD section
12:15:35 ... what kind of security portion should be considered?
12:15:46 ... to get access for resources
12:15:58 ... what kind of security token for server?
12:16:14 ... discussion using email
12:16:20 ... first idea
12:16:35 ... will talk during the TD call next week as well
12:16:51 ... one part is how would the security information be provided?
12:16:58 ... how to interact with services
12:17:08 ... how we can protect TD itself?
12:17:13 s/services/services?/
12:17:26 ... interesting issues to consider
12:17:41 oliver: the second one is more important
12:17:57 ... it's design work
12:18:04 ... protect TD
12:18:44 ... my recommendation is accessing things should be the priority
12:18:55 ... wrapper for things
12:19:02 ... would suggest prioritize that
12:19:19 ... and could think about other topics later
12:19:32 ... skimming the document
12:19:41 ... explaining the problems
12:19:53 ... not yet have information from the email exchanges
12:20:16 ... showing "Protecting TD Objects" section
12:21:02 ... the second part is more important
12:21:16 ... "Describing prerequisites for accessing things"
12:21:22 ... would be the fundamental work
12:21:28 sebastian: ok. will do.
12:21:42 oliver: 3.2.3 Security Considerations
12:21:50 ... not giving the answer yet
12:22:00 ... need more coverage
12:22:13 ... maybe need to talk with Johannes
12:22:52 sebastian: will do that too.
12:23:36 topic: F2F, Plugfest in Montreal
12:24:06 oliver: we've been taking care of security as well for our plugfest
12:24:14 ... e.g., in Nice
12:24:26 ... would have same features in Montreal as well
12:24:42 ... plan to offer an extension
12:25:02 ... probably could provide something in June
12:25:13 sebastian: in Nice we already had security scenario
12:25:25 ... but security description was not used within the Thing Description
12:25:36 ... we need security description within TF
12:25:39 s/TF/TD/
12:25:53 ... the point is small change in TD
12:26:01 ... additional features
12:26:07 ... how about that?
12:26:14 oliver: could be done
12:26:14 ... 2 issues
12:26:35 ... we have server-side component
12:26:42 ... don't require to change that part
12:27:05 ... how to document?
12:27:07 ... timing issue
12:27:28 ... the other thing is
12:27:40 ... error response from the server
12:28:00 ... natural approach would be rewrite the description
12:28:11 ... client should understand the security token
12:28:32 ... the second step is putting that into TD
12:28:48 ... but not enough time to do really fundamental things
12:29:05 ... but would be welcome if you try
12:29:37 ... for Montreal, could display security
12:29:55 ... not abstract but concrete Thing Description
12:30:05 s/not/not as/
12:30:17 sebastian: not involved in the security plugfest so far
12:30:29 ... panasonic made much effort
12:30:35 ... security and communication
12:30:44 ... maybe I should check that beforehand
12:31:42 oliver: light-weight way for prototype in non-normative way
12:32:00 ... prototype object as a part
12:32:20 ... next discussion would be how to create automatic sessions
12:32:41 ... would make a display object
12:32:57 ... logic by a state management engine
12:33:11 ... can be done by the Montreal meeting
12:33:49 ... I can't make my travel for the Montreal meeting...
12:34:28 ... I could prepare for those topics including the state engine
12:34:40 ... and could offer information to TD and AP
12:34:47 sebastian: sounds like a good idea
12:34:57 s/I can't/BTW, I can't/
12:35:24 oliver: we should try to define
12:35:50 ... that's all from my side for the Montreal meeting
12:35:56 topic: Charter items
12:36:21 -> https://github.com/w3c/wot/blob/master/WG/wot-wg-items.md Charter items
12:37:04 draft charter (viewable in browser) https://w3c.github.io/charter-drafts/wot-wg-2016.html
12:38:16 kaz: Dave has created an HTML version above
12:38:32 oliver: two sections for security
12:39:00 ... 1.1 Thing Descriptions
12:39:16 ... the second bullet is on security
12:39:26 ... and 1.2 Scripting APIs
12:39:44 ... the second bullet again is on security
12:40:08 ... where to add security portion?
12:40:21 dsr: we have to define deliverables
12:40:28 ... and put more details
12:40:47 ... mentioned during the AP call yesterday as well
12:41:04 ... need information on prototype implementations
12:41:15 ... also proof-of-concepts
12:41:28 ... to justify the need for this work
12:42:03 ... and convince corporate managers
12:42:33 ... we have architecture document and current practice document
12:43:01 oliver: it would make more sense to extend the best practice document?
12:43:23 ... what should be the starting point?
12:43:57 ... also would be difficult to work for the following weeks due to vacation...
12:44:17 dsr: explains the importance of additional information
12:44:57 oliver: was in contact vendors
12:45:04 s/contact/contact with/
12:45:58 ... solid foundation than having paper only
12:46:35 ... would go into the best practice document
12:47:02 ... there are technologies there
12:47:43 ... would suggest we update the best practice document
12:47:52 ... elaborate the text
12:48:11 dsr: we have focus on some specific technology
12:48:20 ... not sure in terms of text for the charter
12:48:33 ... we have references
12:48:41 ... on the GitHub site
12:49:01 ... could add links to the architecture/current practice documents
12:49:15 oliver: alright
12:50:29 dsr: there is a bullet point mentioning privacy policies, access control, etc.
12:50:54 ... linked data vocabulary might be too ambitious for short-term
12:51:14 ... we need to clarify
12:51:25 ... we have to explain that
12:51:32 oliver: alright
12:51:51 ... don't think "trust assertions" are too far away
12:52:16 ... but we need to have components for security
12:52:50 ... we have had some of them during plugfest demos
12:53:24 ... would suggest we continue discussion using emails
12:53:26 dsr: ok
12:53:42 oliver: action item on trust assertions
12:53:55 ... that's all for today from my viewpoint
12:54:04 ... anything else to talk today?
12:54:06 (none)
12:54:21 oliver: a couple of follow ups to do
12:54:30 s/follow /follow-/
12:54:44 ... next call will be April 7th
12:54:56 ... meaning no call on March 24th
12:55:16 [ adjourned ]
12:55:21 rrsagent, draft minutes
12:55:21 I have made the request to generate http://www.w3.org/2016/03/10-wot-sp-minutes.html kaz
12:58:55 rrsagent, stop