WoT IG - Security

04 Sep 2017


See also: IRC log


Kaz_Ashimrua, Michale_McCool, Tomoaki_Mizushima, Uday_Davuluru, Zoltan_Kis, Elena_Reshetova, Michale_Koster


<kaz> scribenick: uday

Issues and next steps

McCool: Discusses issues and next steps
... starting with the discussion on pull request 349

<kaz> https://github.com/w3c/wot/pull/349 pull request 349 has just been merged

Elena: TD privacy and TD local storage updated
... Security consideration section: goal is to use this to adopt security scenario and build one's own security objects

McCool: might get a conflict issue

<kaz> Kaz: a quick question

<kaz> ... do you want to commit this by Wednesday (=finalizing the whole group review)?

<kaz> Elena: this is not ready for commit and need more discussion

Kaz: can we include this in architecture doc

McCool: no time till the first public draft
... need security repo

Elena: can have a single big document or sub documents

McCool: lengthy document might overshadow topics
... threat model and security consideration can be put into one doc
... privacy is missing in the doc, need to add this

Elena: started to add privacy related threats in threat model itself
... explains privacy with examples

<kaz> McCool: would try a vote. anybody object to have a separate document for "WoT Security and Privacy Consideration"?

McCool: do anyone objects separate deliverable for WoT security considerations

Elena: need to highlight important parts

McCool: agree
... need to separate implementation details
... we should create new doc under WoT repo and have a security repo in parallel

Kaz: can create a separate repo if needed

<kaz> ... "wot-security"?

McCool: wot-security would be a good name

Kaz: need to use repo manager to publish

<kaz> Kaz: as part of the normative WG deliverables? if so we need to use the repository manager as well

<kaz> McCool: should be an informative deliverable, e.g., a WG Note

McCool: normative and informative parts of security

smilar to WoT architecture repo

how do we publish security?

shall we make security as a separate doc instead of merging in architecture doc

<kaz> because the description would become long

McCool: how do people handle this in another groups

Kaz: maybe with separate normative doc

McCool: don't want to ember all security stuff in architecture doc

Kaz: makes sense to start with informative note and decide with the chairs call

McCool: will also create hyperlink between docs

<McCool> McCool: we will aim for a separate security document, "WoT Security and Privacy Considerations"

<McCool> we'll talk to the editors/chairs to confirm this

<McCool> the document will be informative, but published in such a way (note) that we can hyperlink to sections from the other documents

<McCool> ideally, we would have it in its own repo, parallel to the wot-architecture

<McCool> proposed name: wot-security

McCool: security in architecture doc clan up

<kaz> https://w3c.github.io/wot-architecture/#security-considerations

<zkis> https://zolkis.github.io/wot-scripting-api/

ZK: already made a PR, can see on my gitthub page

<kaz> https://w3c.github.io/wot-scripting-api/#security

<kaz> McCool: should read "The security section is under development and will be completed later."

<kaz> ... on the other hand, there is a link to the threat model in the TD draft

<kaz> https://w3c.github.io/wot-thing-description/#threat-model

<kaz> Kaz: do we want to update the Architecture/Scripting API as well with the detailed description?

<kaz> ... or ok to publish them asis?

<kaz> McCool: publishing them with the minimum description now is ok

thanks for the filling kaz

<kaz> ... but would like to remove "More general discussion of overall security of a Thing (for example, best practices for WoT Interface design) can be found in the WoT Architecture document. " from the "7. Security Consideration" section of the TD draft

<kaz> https://w3c.github.io/wot-thing-description/#security-consideration

<kaz> McCool: and also for the architecture document

<kaz> ... the Editor's note at "8. Security Considerations"

<kaz> ... Security and privacy considerations are under development

<kaz> ... and remove "For now, only the sub-section headings are included to indicate the roadmap for the WoT Architecture security considerations."

<kaz> rsagent, make log public

<kaz> https://github.com/w3c/wot-architecture/issues

<kaz> github issues for architecture above

<kaz> McCool: add "Please see work in progress at WoT Security and Privacy."

<kaz> ... linking to: https://github.com/w3c/wot/tree/master/security-privacy

<kaz> ... (creates a pull request on his own repo; and will create a pull request on the main repo)

<kaz> ... next

<kaz> ... Elena, if you can take out an overview on W3C WoT security and privacy

<kaz> ... copy the framework from the WoT Architecture document

McCool: next steps: ER to create new doc under WoT Security and privacy and start general documentation

MM to make sure the draft is clean

<kaz> Elena: regrets for the next call (Sp. 11)

<kaz> McCool: if you can send a link to your repo, I can make a pull request

NDSS workshop

<kaz> McCool: worked on the proposal

McCool: proposal submitted to NDSS

<kaz> McCool: deadlines:

<kaz> ... cfp 25 sep 2017

<kaz> ... now done and in the pipe

<kaz> ... focused on standards

<kaz> ... review of existing standards

<kaz> ... including but not limited to W3C standards

<kaz> ... will be held in February

<kaz> Elena: paper deadline too close?

<kaz> McCool: we should discuss that

<kaz> ... notice to authors: 15 Jan 2018

<kaz> ... not expecting a big paper, just 1-3 pages

<kaz> ... publication-ready papers: 1 Feb. 2018

<kaz> [ adjourned ]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/09/04 15:26:27 $