IRC log of wot-sec on 2017-06-23

Timestamps are in UTC.

12:04:43 [RRSAgent]
RRSAgent has joined #wot-sec
12:04:43 [RRSAgent]
logging to http://www.w3.org/2017/06/23-wot-sec-irc
12:04:46 [kaz]
Meeting: WoT IG - Security
12:04:52 [kaz]
present+ Kaz_Ashimura, Dave_Raggett, Elena_Reshetova, Michael_Koster, Michael_McCool
12:04:57 [dsr]
dsr has joined #wot-sec
12:05:06 [McCool]
McCool has joined #wot-sec
12:06:05 [kaz]
Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
12:06:30 [kaz]
scribenick: McCool
12:06:40 [mjkoster]
mjkoster has joined #wot-sec
12:07:42 [McCool]
privacy questionnaire - placeholder document, Elena tried to fill out, ran into problems
12:07:53 [McCool]
for instance: unique identifiers?
12:08:20 [kaz]
present+ Oliver_Pfaff
12:08:39 [McCool]
however, let's also talk about our agenda
12:08:51 [McCool]
threat model: not in its end state
12:09:06 [McCool]
how do we get others to review, get closure on it?
12:10:30 [McCool]
mccool suggestion: get a representative subset to review it
12:11:08 [kaz]
q+
12:12:18 [kaz]
[ kaz wonders if Elena's resource is: https://tools.ietf.org/html/rfc6973 ]
12:13:15 [McCool]
get internal reviewers through it first, then look at external review
12:13:35 [McCool]
there is a w3c security group as well: and they are required to review anyway
12:13:55 [Oliver]
Oliver has joined #wot-sec
12:15:01 [McCool]
we should plan to have some kind of report out at TPAC in November (our fall F2F)
12:15:10 [kaz]
present+ Daniel_Ibaseta
12:15:12 [kaz]
-> https://www.w3.org/2017/11/TPAC/schedule.html TPAC page
12:15:38 [McCool]
what are our deliverables?
12:16:14 [McCool]
threat model; security architecture (high level description of main concepts; levels; requirements; measures)
12:16:50 [kaz]
q?
12:19:15 [McCool]
at f2f, let's discuss whether we should have an official white paper
12:19:43 [McCool]
but, normally don't do that in W3C; we should discuss in chair and main call
12:20:10 [McCool]
dsr: it would be a "note", since it is informative
12:21:14 [kaz]
s/we should/from W3C process viewpoint, our deliverables are "Group Note", "WD", "Recommendation", etc. we should /
12:21:54 [McCool]
McCool: my opinion is that an official document will get more serious reviews
12:22:13 [kaz]
https://tools.ietf.org/html/rfc6973
12:22:57 [McCool]
section 7: guidelines
12:23:04 [McCool]
is the "questionnaire"
12:23:52 [McCool]
another major deliverable: recommendations to each TF
12:24:23 [McCool]
but... before that, need to study each of the protocols we are supporting, and understand all the related work
12:24:30 [kaz]
i|https|kaz: question on the resource for RFC6973. is the following link the right one?|
12:24:32 [McCool]
need an organized study
12:25:25 [McCool]
McCool: suggest we think about and make our own "questionnaire" for ourselves before we look at each protocol
12:25:32 [McCool]
then we know what to look for
12:27:02 [kaz]
s/section 7/elena: section 7/
12:27:15 [McCool]
for example, for each protocol, we want to know how data is protected, how authorization and identification is handled, how each of the threats we identified is migitigated
12:28:15 [McCool]
s/migitigated/mitigated/
12:28:18 [kaz]
q?
12:28:20 [kaz]
ack k
12:29:47 [McCool]
if no more questions... let's go through the privacy questionnaire
12:31:10 [kaz]
s/another major/McCool: another major/
12:33:08 [McCool]
privacy: unique identifier?
12:34:49 [McCool]
TD for F2F is released... we should go through it now. Should see how these questions.
12:37:04 [dsr]
q+
12:37:56 [McCool]
Koster: the TD group is willing to look at whether the TD should be a flat file or can be broken up
12:38:15 [McCool]
mccool: breaking it up would have advantages for privacy, you would only have to expose a subset
12:39:25 [dsr]
q?
12:39:42 [kaz]
q+ to mention this point is related to Kajimoto-san's @include idea
12:39:43 [McCool]
mcCool: think this can fit into existing structure
12:40:09 [McCool]
Koster: we may HAVE to break it up for protocol bindings depending on the serialization
12:40:21 [McCool]
eg an XML format using a JSON template or vice-versa
12:40:34 [kaz]
+1 to Koster's view
12:41:52 [McCool]
mcCool: three categories: TD metadata; list of interactions; data returned by interactions
12:42:26 [McCool]
mostly td; maybe also discovery protocol
12:42:40 [McCool]
s/mostly/Elena: mostly/
12:42:54 [McCool]
q?
12:44:05 [McCool]
Dave: relates to metadata and semantics discussion in TD
12:44:18 [McCool]
Dave: rather than focusing on protocol, think about the data
12:44:46 [McCool]
Dave: simple JSON model; more sophisticated RDF models, etc.
12:46:46 [McCool]
Dave: will be hard to do location in our group, for instance; need to depend on outside standards
12:47:14 [McCool]
McCool: we need to discuss in depth, many issues
12:47:30 [McCool]
Dave: access control was discussed in IG
12:47:42 [McCool]
Dave: for discovery task force
12:47:52 [McCool]
Elena: was there documentation for that?
12:48:07 [McCool]
Kaz: Discovery TF was stalled... maybe should rebuild
12:49:18 [McCool]
McCool: maybe should consider putting basic access controls for TD in scope
12:49:28 [McCool]
Dave: we need to look at requirements, consider modularity issue again
12:50:24 [McCool]
Koster: need to consider different contexts: local T2T; cloud services, distributed services (edge/fog),
12:50:37 [McCool]
McCool: also person-to-thing, person-to-person
12:51:10 [McCool]
Koster: want to control what information gets exposed to who, i.e. energy usage to electricity company, but not other information
12:51:46 [McCool]
Elena: it would be good to get some use cases written down
12:53:57 [McCool]
Koster: look at functional relationships rather than surveillance opportunities
13:00:24 [McCool]
q?
13:00:41 [dsr]
ack dsr
13:01:15 [kaz]
ack k
13:01:16 [Zakim]
kaz, you wanted to mention this point is related to Kajimoto-san's @include idea
13:02:14 [kaz]
s/this point/the discussion on the structure of TD/
13:04:00 [McCool]
looking at questionnaire... quick survey, we will have to go into more depth later
13:04:46 [McCool]
retention: relates to lifecycle, mechanisms to "clear" devices
13:05:38 [McCool]
Koster: user control, control over sharing: granularity matters here
13:06:08 [McCool]
Koster: again the modularity and the ability to hide information; probably important to manage safe interactions
13:06:24 [McCool]
Koster: can we compartmentalize information?
13:07:57 [McCool]
Elena: security section is similar to the threats we have looked at already
13:08:39 [McCool]
Elena: stored data is new: privacy implications for what data is stored
13:10:18 [McCool]
McCool: an example is that certificates might reveal what companies you have a relationship with
13:12:28 [McCool]
adjourn
13:12:58 [kaz]
rrsagent, make log public
13:13:03 [kaz]
rrsagent, draft minutes
13:13:03 [RRSAgent]
I have made the request to generate http://www.w3.org/2017/06/23-wot-sec-minutes.html kaz
13:34:11 [zkis]
zkis has joined #wot-sec
14:04:22 [mjkoster]
mjkoster has left #wot-sec
15:20:46 [elena]
elena has joined #wot-sec
15:22:58 [Zakim]
Zakim has left #wot-sec
15:23:52 [zkis]
zkis has joined #wot-sec
15:49:32 [dsr]
dsr has joined #wot-sec
16:07:32 [zkis]
zkis has joined #wot-sec
17:05:50 [dsr]
dsr has joined #wot-sec