12:04:14 RRSAgent has joined #wot-sec
12:04:14 logging to http://www.w3.org/2017/08/04-wot-sec-irc
12:05:41 Meeting: WoT IG - Security
12:06:16 present: Kaz_Ashimura, Michael_McCool, Dave_Raggett, Elena_Reshetova, Michael_Koster, Soumya_Kanti_Datta, Tomoaki_Mizushima
12:06:49 discussion on research workshops
12:07:37 papers would be useful for outreach/marketing purposes as well
12:07:42 Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
12:08:24 mm: we're behind from the original schedule
12:08:33 ... need to publish the FPWD by the end of August
12:08:54 ... people expect us for security reviews
12:09:12 ... TD and Architecture
12:09:28 ... let's see what is missing
12:09:42 ... the main goal is the Architecture document
12:09:51 ... and the TD document for the next week
12:10:10 ... pull requests for security portions
12:10:30 ... first draft deadline at the end of August
12:10:37 ... pending work items with deadlines
12:11:16 ... would see existing descriptions on security
12:11:53 er: how to review the docs?
12:12:05 mm: briefly looked at the docs
12:12:19 ... need to talk with the TD guys
12:12:35 ... technically not ready for review yet...
12:13:02 ... for now review it incrementally
12:13:28 ... would agree the security sections are still very vague
12:14:01 elena has joined #wot-sec
12:14:28 mjkoster has joined #wot-sec
12:15:00 kaz: we should define the minimum security review for the FPWD
12:15:12 ... based on the requirements for the FPWD
12:15:19 mm: correct
12:15:50 ... would open the door sooner than later
12:15:57 ... we can republish the drafts?
12:16:06 kaz: yes, e.g., every few months
12:16:18 mm: e.g., the second review for TPAC
12:16:43 ... there is no deadline defined yet
12:17:10 ... we should work on TD next week
12:17:50 ... regarding the "Pending Agenda Items"
12:18:12 ... we should generate a prioritized list of IoT systems/protocols
12:18:36 ... also prioritized list of security mechanisms
12:19:07 ... and would like to talk about the results from the Dusseldorf f2f
12:19:19 ... any feedback from the questionnaire?
12:19:27 er: need to wrap up
12:19:31 mm: ok
12:19:42 ... anyway you've got some data
12:19:56 ... let's talk about that next Friday
12:20:01 er: ok
12:20:15 mm: any other outcome from the f2f meeting to discuss?
12:20:36 er: characteristics things?
12:20:51 ... not developed yet
12:21:29 mm: the other thing I thought of...
12:22:42 ... recently read a book named "zero trust"...
12:22:48 ... zone security for devices
12:23:05 s/zero trust/zero-trust/
12:23:14 s/trust/trust systems/
12:23:22 ... would talk about that in the future
12:23:43 ... also use case discussions
12:24:04 ... (add those items to the "Future Agenda Items" section of the wiki)
12:24:21 ... and security conferences
12:24:38 ... can write up an RFC, etc.
12:24:48 ... (visits IEEE workshop page)
12:25:25 -> https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda 39th IEEE Symposium on Security and Privacy
12:25:32 ... collocated workshops
12:26:01 er: there is another academic workshop on security
12:26:13 mm: that's also doable
12:26:18 ... May might be a bit late
12:26:37 sk: Singapore one?
12:26:47 mm: 2 places
12:26:55 ... IoT conference and Security conference
12:27:12 sk: we can have a panel session
12:27:28 mm: the question is the deadline was June
12:27:37 sk: I am the Chair of the workshop
12:27:46 ... you can submit a proposal
12:28:00 mm: could do both
12:28:46 kaz: ask Soumya for resources
12:28:52 sk: can put that
12:29:22 dsr has joined #wot-sec
12:29:24 Soumya has joined #wot-sec
12:29:32 http://wfiot2018.iot.ieee.org/program/
12:29:48 sk: one dedicated session on security and privacy
12:29:57 er: one session for one hour?
12:30:03 ... what is the format?
12:30:05 McCool has joined #wot-sec
12:30:11 sk: 2-hour session with Q&A
12:30:26 ... for the workshop, much more presentations + Q&A
12:30:47 Soumya's session in WF-IoT 2018 - http://wfiot2018.iot.ieee.org/sps1-edge-computing-iot/
12:30:56 naka has joined #wot-sec
12:31:13 sk: could be a nice way
12:31:21 ... "Edge Computing and IoT"
12:31:26 mm: deadline?
12:31:32 sk: Sep. 30
12:31:49 ... we can focus on the IoT part
12:31:59 mm: adding the resource to the wiki
12:32:21 ... we should target on workshop proposals
12:32:32 ... as a possible option
12:32:56 ... IEEE Security and Privacy Symposium is still a good choice
12:33:45 ... searched for candidates and have a list on the wiki
12:34:40 -> https://infosec-conferences.com/2018/ list of security conferences
12:35:20 er: academic one vs industry one
12:35:48 mm: we could propose a panel as well
12:36:02 ... we need to review the architecture doc
12:36:13 topic: Architecture document review
12:36:32 -> https://w3c.github.io/wot/architecture/wot-architecture.html WoT Architecture
12:36:54 mm: there is a GitHub repo
12:37:02 ... and HTML rendered version above
12:37:36 ... did a fork for edit
12:37:54 ... we can create pull requests for the security section(s)
12:38:03 ... there are 2 sections
12:38:49 ... 3.3 Safety and Security
12:39:12 ... not very good...
12:40:19 ... should be "Security and Privacy"
12:40:51 ... (visits the security repo)
12:41:21 ... (README.md)
12:42:12 ... security means the system should be...
12:42:22 er: pretty hard to define security here...
12:43:33 mm: security means the system should preserve its integrity.
12:43:59 ... privacy means that the system should maintain the confidentiality of personally identifiable information.
12:44:17 s/integrity/integrity even when subject to attack/
12:45:06 ... in general, security and privacy cannot be guaranteed but the WoT architecture should support best practices.
12:45:09 q+
12:45:40 q+ to ask about "best practice of what", maybe best practice of secure IoT systems?
12:46:36 mm: security and privacy are especially important in the IoT domain since IoT devices need to operate autonomously and in many cases have access to both personal data and/or can be in control of safety-critical systems
12:47:43 s|README.md|https://w3c.github.io/wot/architecture/wot-architecture.html|
12:48:13 mm: Definition and Motivation for "Security and Privacy"
12:48:24 ... should we have a mechanism section?
12:49:31 i|Definition|Compared to personal systems, IoT devices are subject to different and in some cases higher risks. It is also important to protect IoT systems so that they can not be used to launch attacks on other computer systems.|
12:50:00 ... regarding definition, one sentence for security and another for privacy
12:50:11 er: what should be protected?
12:50:26 ... need high-level requirements
12:50:54 mm: (adds "Mechanism" section below the "Motivation" section)
12:52:48 ... generally, the WoT security architecture reflects the goals and mechanisms of the IoT protocols and systems it represents. These systems vary in their security requirements and risk tolerance, so security mechanisms will also vary based on these factors.
12:53:14 er: support the underlying mechanisms correctly
12:53:20 mm: correct
12:54:15 er: what security architecture should support do not harm...
12:54:30 ... you have to support what the underlying mechanisms support
12:54:49 ... and also should support best practices if possible
12:55:13 mm: (edits the "Requirements" section)
12:55:24 ... adds:
12:56:00 ... However, the WoT architecture needs to do no harm; it should support security and privacy at least as well as the systems it connects to
12:56:18 ... bridging?
12:56:22 ... scenarios?
12:56:29 ... anyway, this is a good point
12:56:41 er: combination of the best practices
12:56:53 mm: how about this:
12:57:12 ... The functional WoT architecture should privide for best practices in security and privacy.
12:57:17 s/privide/provide/
12:58:13 q+ to ask about the relationship between "WoT Architecture" and "WoT Security Architecture"
12:58:30 mm: (re-render the updates)
12:58:48 ... and there is another section
12:58:54 ... 4.4 Security and Privacy
13:03:12 -> https://w3c.github.io/wot-architecture/#security-and-privacy-0
13:03:21 mm: updates the text
13:03:50 ... security is a cross-cutting issue that needs to be taken into account in all other aspects of the WoT Architecture.
13:04:02 ... including the Thing Description,
13:04:14 ... the Scripting API, and the Protocol Bindings.
13:04:38 ... The Thing Description and the Scripting API should support both transport and object security using best practices.
13:05:20 ... This should apply to both data produced by the Things' interfaces and to the meta stored in the Thing Description and accessible via the Scripting API.
13:05:51 ... Binding Templates will support the use of appropriate security mechanisms for the protocols they map to in order to satisfy the "do no harm" principle.
13:06:06 mm: would create a pull request
13:08:33 ... have problem with that pull request
13:08:58 kaz: probably you need to get registered with the repository manager as well
13:09:21 q?
13:09:43 ack k
13:09:43 kaz, you wanted to ask about "best practice of what", maybe best practice of secure IoT systems? and to ask about the relationship between "WoT Architecture" and "WoT Security
13:09:46 ... Architecture"
13:10:13 mm: we're out of time
13:10:23 ... you can give the comments on the pull request
13:10:47 ... agree saying "best practice" is vague
13:10:57 ... need to define that
13:11:14 ... have some references to refer to
13:11:51 https://github.com/w3c/wot-architecture/pull/6
13:12:43 q?
13:13:06 [ adjourned ]
13:13:12 rrsagent, make log public
13:13:14 rrsagent, draft minutes
13:13:14 I have made the request to generate http://www.w3.org/2017/08/04-wot-sec-minutes.html kaz
13:13:27 present+ Katsuyoshi_Naka
13:13:28 rrsagent, draft minutes
13:13:28 I have made the request to generate http://www.w3.org/2017/08/04-wot-sec-minutes.html kaz
13:14:24 Chair: McCool
13:16:25 i|discussion on research|topic: Security Conferences/Workshops|
13:16:27 rrsagent, draft minutes
13:16:27 I have made the request to generate http://www.w3.org/2017/08/04-wot-sec-minutes.html kaz
13:44:53 dsr has joined #wot-sec
13:49:00 kaz has joined #wot-sec
15:31:02 Zakim has left #wot-sec