12:04:43 <RRSAgent> RRSAgent has joined #wot-sec
12:04:43 <RRSAgent> logging to http://www.w3.org/2017/06/23-wot-sec-irc
12:04:46 <kaz> Meeting: WoT IG - Security
12:04:52 <kaz> present+ Kaz_Ashimura, Dave_Raggett, Elena_Reshetova, Michael_Koster, Michael_McCool
12:04:57 <dsr> dsr has joined #wot-sec
12:05:06 <McCool> McCool has joined #wot-sec
12:06:05 <kaz> Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
12:06:30 <kaz> scribenick: McCool
12:06:40 <mjkoster> mjkoster has joined #wot-sec
12:07:42 <McCool> privacy questionnaire - placeholder document, Elena tried to fill out, ran into problems
12:07:53 <McCool> for instance: unique identifiers?
12:08:20 <kaz> present+ Oliver_Pfaff
12:08:39 <McCool> however, let's also talk about our agenda
12:08:51 <McCool> threat model: not in its end state
12:09:06 <McCool> how do we get others to review, get closure on it?
12:10:30 <McCool> mccool suggestion: get a representative subset to review it
12:11:08 <kaz> q+
12:12:18 <kaz> [ kaz wonders if Elena's resource is: https://tools.ietf.org/html/rfc6973 ]
12:13:15 <McCool> get internal reviewers through it first, then look at external review
12:13:35 <McCool> there is a w3c security group as well: and they are required to review anyway
12:13:55 <Oliver> Oliver has joined #wot-sec
12:15:01 <McCool> we should plan to have some kind of report out at TPAC in November (our fall F2F)
12:15:10 <kaz> present+ Daniel_Ibaseta
12:15:12 <kaz> -> https://www.w3.org/2017/11/TPAC/schedule.html TPAC page
12:15:38 <McCool> what are our deliverables?
12:16:14 <McCool> threat model; security architecture (high level description of main concepts; levels; requirements; measures)
12:16:50 <kaz> q?
12:19:15 <McCool> at f2f, let's discuss whether we should have an official white paper
12:19:43 <McCool> but, normally don't do that in W3C; we should discuss in chair and main call
12:20:10 <McCool> dsr: it would be a "note", since it is informative
12:21:14 <kaz> s/we should/from W3C process viewpoint, our deliverables are "grope Note", "WD", "Recommendation", etc. we should /
12:21:54 <McCool> McCool: my opinion is that an official document will get more serious reviews
12:22:13 <kaz> https://tools.ietf.org/html/rfc6973
12:22:57 <McCool> section 7: guidelines
12:23:04 <McCool> is the "questionnaire"
12:23:52 <McCool> another major deliverable: recommendations to each TF
12:24:23 <McCool> but... before that, need to study each of the protocols we are supporting, and understand all the related work
12:24:30 <kaz> i|https|kaz: question on the resource for RFC6973. is the following link the right one?|
12:24:32 <McCool> need an organized study
12:25:25 <McCool> McCool: suggest we think about and make our own "questionnaire" for ourselves before we look at each protocol
12:25:32 <McCool> then we know what to look for
12:27:02 <kaz> s/section 7/elena: section 7/
12:27:15 <McCool> for example, for each protocol, we want to know how data is protected, how authorization and identification is handled, how each of the threats we identified is migitigated
12:28:15 <McCool> s/migitigated/mitigated/
12:28:18 <kaz> q?
12:28:20 <kaz> ack k
12:29:47 <McCool> if no more questions... let's go through the privacy questionnaire
12:31:10 <kaz> s/another major/McCool: another major/
12:33:08 <McCool> privacy: unique identifier?
12:34:49 <McCool> TD for F2F is released... we should go through it now.   Should see how these questions.
12:37:04 <dsr> q+
12:37:56 <McCool> Koster: the TD group is willing to look at whether the TD should be a flat file or can be broken up
12:38:15 <McCool> mccool: breaking it up would have advantages for privacy, you would only have to expose a subset
12:39:25 <dsr> q?
12:39:42 <kaz> q+ to mention this point is related to Kajimoto-san's @include idea
12:39:43 <McCool> mcCool: think this can fit into existing structure
12:40:09 <McCool> Koster: we may HAVE to break it up for protocol bindings depending on the serialization
12:40:21 <McCool> eg an XML format using a JSON template or vice-versa
12:40:34 <kaz> +1 to Koster's view
12:41:52 <McCool> mcCool: three categoires: TD metadata; list of interactions; data returned by interactions
12:42:26 <McCool> mostly td; maybe also discovery protocol
12:42:40 <McCool> s/mostly/Elena: mostly/
12:42:54 <McCool> q?
12:44:05 <McCool> Dave: relates to metadata and semantics discussion in TD
12:44:18 <McCool> Dave: rather than focusing on protocol, think about the data
12:44:46 <McCool> Dave: simple JSON model; more sophisticated RDF models, etc.
12:46:46 <McCool> DAve: will be hard to do location in our group, for instance; need to depend on outside standards
12:47:14 <McCool> McCool: we need to discuss in depth, many issues
12:47:30 <McCool> Dave: access control was discussed in IG
12:47:42 <McCool> Dave: for discovery task force
12:47:52 <McCool> Elena: was there documentation for that?
12:48:07 <McCool> Kaz: Discovery TF was stalled... maybe should rebuild
12:49:18 <McCool> McCool: maybe should consider putting basic access controls for TD in scope
12:49:28 <McCool> Dave: we need to look at requirements, consider modularity issue again
12:50:24 <McCool> Koster: need to consider different contexts: local T2T; cloud services, distributed services (edge/fog),
12:50:37 <McCool> McCool: also person-to-thing, person-to-person
12:51:10 <McCool> Koster: want to control what information gets exposed to who, i.e. energy usage to electrictiy company, but not other information
12:51:46 <McCool> Elena: it would be good to get some use cases written down
12:53:57 <McCool> Koster: look at functional relationships rather than surveillance opportunities
13:00:24 <McCool> q?
13:00:41 <dsr> ack dsr
13:01:15 <kaz> ack k
13:01:16 <Zakim> kaz, you wanted to mention this point is related to Kajimoto-san's @include idea
13:02:14 <kaz> s/this point/the discussion on the structure of TD/
13:04:00 <McCool> looking at questionnaire... quick survey, we will have to go into more depth later
13:04:46 <McCool> retention: relates to lifecycle, mechanisms to "clear" devices
13:05:38 <McCool> Koster: user control, control over sharing: granularity matters here
13:06:08 <McCool> Koster: again the modularity and the ability to hide information; probably important to manage safe interactions
13:06:24 <McCool> Koster: can we compartmentalize information?
13:07:57 <McCool> Elena: security section is similar to the threats we have looked at already
13:08:39 <McCool> Elena: stored data is new: privacy implications for what data is stored
13:10:18 <McCool> McCool: an example is that certificates might reveal what companies you have a relationship with
13:12:28 <McCool> adjourn
13:12:58 <kaz> rrsagent, make log public
13:13:03 <kaz> rrsagent, draft minutes
13:13:03 <RRSAgent> I have made the request to generate http://www.w3.org/2017/06/23-wot-sec-minutes.html kaz
13:34:11 <zkis> zkis has joined #wot-sec
14:04:22 <mjkoster> mjkoster has left #wot-sec
15:20:46 <elena> elena has joined #wot-sec
15:22:58 <Zakim> Zakim has left #wot-sec
15:23:52 <zkis> zkis has joined #wot-sec
15:49:32 <dsr> dsr has joined #wot-sec
16:07:32 <zkis> zkis has joined #wot-sec
17:05:50 <dsr> dsr has joined #wot-sec