W3C

- DRAFT -

Security task force

10 Mar 2016

Attendees

Present
Kaz, Dave, Oliver, Sebastian, Yingying, Sebastian_Kaebisch
Regrets
Chair
Oliver
Scribe
kaz

how to re-energize the security/privacy work

(brain storming)

kaz: TV Control API CG has started their phase 2 work
... and interested in security/privacy
... so far they're thinking about collaboration with the Automotive group
... but collaboration with this WoT-SP would also make sense

oliver: ok. let me know about their opinions, etc.
... we should be able to respond to them
... there is already public information
... so we can show it to them

Landscape document

-> http://w3c.github.io/wot/landscape.html Landscape document on GitHub

oliver: sharing the document on the webex
... not updating for a while

Current practice document

-> http://w3c.github.io/wot/current-practices/wot-practices.html#security-considerations-1 Security consideration for AP from the Current Practice document

oliver: question to Sebastian

sebastian: updating the TD section
... what kind of security portion should be considered?
... to get access for resources
... what kind of security token for server?
... discussion using email
... first idea
... will talk during the TD call next week as well
... one part is how would the security information be provided?
... how to interact with services?
... how we can protect TD itself?
... interesting issues to consider

oliver: the second one is more important
... it's design work
... protect TD
... my recommendation is accessing things should be the priority
... wrapper for things
... would suggest prioritize that
... and could think about other topics later
... skimming the document
... explaining the problems
... not yet have information from the email exchanges
... showing "Protecting TD Objects" section
... the second part is more important
... "Describing prerequisites for accessing things"
... would be the fundamental work

sebastian: ok. will do.

oliver: 3.2.3 Security Considerations
... not giving the answer yet
... need more coverage
... maybe need to talk with Johannes

sebastian: will do that too.

F2F, Plugfest in Montreal

oliver: we've been taking care of security as well for our plugfest
... e.g., in Nice
... would have same features in Montreal as well
... plan to offer an extension
... probably could provide something in June

sebastian: in Nice we already had security scenario
... but security description was not used within the Thing Description
... we need security description within TD
... the point is small change in TD
... additional features
... how about that?

oliver: could be done
... 2 issues
... we have server-side component
... don't require to change that part
... how to document?
... timing issue
... the other thing is
... error response from the server
... natural approach would be rewrite the description
... client should understand the security token
... the second step is putting that into TD
... but not enough time to do really fundamental things
... but would be welcome if you try
... for Montreal, could display security
... not as abstract but concrete Thing Description

sebastian: not involved in the security plugfest so far
... Panasonic made much effort
... security and communication
... maybe I should check that beforehand

oliver: light-weight way for prototype in non-normative way
... prototype object as a part
... next discussion would be how to create automatic sessions
... would make a display object
... logic by a state management engine
... can be done by the Montreal meeting
... BTW, I can't make my travel for the Montreal meeting...
... I could prepare for those topics including the state engine
... and could offer information to TD and AP

sebastian: sounds like a good idea

oliver: we should try to define
... that's all from my side for the Montreal meeting

Charter items

-> https://github.com/w3c/wot/blob/master/WG/wot-wg-items.md Charter items

<dsr> draft charter (viewable in browser) https://w3c.github.io/charter-drafts/wot-wg-2016.html

kaz: Dave has created an HTML version above

oliver: two sections for security
... 1.1 Thing Descriptions
... the second bullet is on security
... and 1.2 Scripting APIs
... the second bullet again is on security
... where to add security portion?

dsr: we have to define deliverables
... and put more details
... mentioned during the AP call yesterday as well
... need information on prototype implementations
... also proof-of-concepts
... to justify the need for this work
... and convince corporate managers
... we have architecture document and current practice document

oliver: it would make more sense to extend the best practice document?
... what should be the starting point?
... also would be difficult to work for the following weeks due to vacation...

dsr: explains the importance of additional information

oliver: was in contact with vendors
... solid foundation than having paper only
... would go into the best practice document
... there are technologies there
... would suggest we update the best practice document
... elaborate the text

dsr: we have focus on some specific technology
... not sure in terms of text for the charter
... we have references
... on the GitHub site
... could add links to the architecture/current practice documents

oliver: alright

dsr: there is a bullet point mentioning privacy policies, access control, etc.
... linked data vocabulary might be too ambitious for short-term
... we need to clarify
... we have to explain that

oliver: alright
... don't think "trust assertions" are too far away
... but we need to have components for security
... we have had some of them during plugfest demos
... would suggest we continue discussion using emails

dsr: ok

oliver: action item on trust assertions
... that's all for today from my viewpoint
... anything else to talk today?

(none)

oliver: a couple of follow-ups to do
... next call will be April 7th
... meaning no call on March 24th

[ adjourned ]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/03/10 12:58:30 $