discussion on research workshops
papers would be useful for outreach/marketing purposes as well
mccool: we're behind the original schedule
... need to publish the fpwd by the end of august
... people expect us for security reviews
... TD and Architecture
... let's see what is missing
... the main goal is the Architecture document
... and the TD document for the next week
... pull requests for security portions
... first draft deadline at the end of August
... pending work items with deadlines
... would see existing descriptions on security
elena: how to review the docs?
mccool: briefly looked at the docs
... need to talk with the TD guys
... technically not ready for review yet...
... for now review it incrementally
... would agree the security sections are still very vague
kaz: we should define the minimum security review for the FPWD
... based on the requirements for the FPWD
mccool: correct
... would open the door sooner than later
... we can republish the drafts?
kaz: yes, e.g., every few months
mccool: e.g., the second review for TPAC
... there is no deadline defined yet
... we should work on TD next week
... regarding the "Pending Agenda Items"
... we should generate a prioritized list of IoT systems/protocols
... also prioritized list of security mechanisms
... and would like to talk about the results from the Dusseldorf f2f
... any feedback from the questionnaire?
elena: need to wrap up
mccool: ok
... anyway you've got some data
... let's talk about that next Friday
elena: ok
mccool: any other outcome from the f2f meeting to discuss?
elena: characteristics things?
... not developed yet
mccool: the other thing I thought of...
... recently read a book named "zero-trust systems"...
... zone security for devices
... would talk about that in the future
... also use case discussions
... (add those items to the "Future Agenda Items" section of the wiki)
... and security conferences
... can write up an RFC, etc.
... (visits IEEE workshop page)
IEEE Symposium on Security and Privacy
scribe: collocated workshops
elena: there is another academic workshop on security
mccool: that's also doable
... May might be a bit late
soumya: Singapore one?
mccool: 2 places
... IoT conference and Security conference
soumya: we can have a panel session
mccool: the question is the deadline was June
soumya: I am the Chair of the workshop
... you can submit a proposal
mccool: could do both
kaz: ask Soumya for resources
soumya: can put that
<Soumya> http://wfiot2018.iot.ieee.org/program/
soumya: one dedicated session on security and privacy
elena: one session for one hour?
... what is the format?
soumya: 2-hour session with Q&A
... for the workshop, many more presentations + Q&A
<Soumya> Soumya's session in WF-IoT 2018 - http://wfiot2018.iot.ieee.org/sps1-edge-computing-iot/
soumya: could be a nice way
... "Edge Computing and IoT"
mccool: deadline?
soumya: Sep. 30
... we can focus on the IoT part
mccool: adding the resource to the wiki
... we should target workshop proposals
... as a possible option
... IEEE Security and Privacy Symposium is still a good choice
... searched for candidates and have a list on the wiki
elena: academic one vs industry one
mccool: we could propose a panel as well
... we need to review the architecture doc
mccool: there is a GitHub repo
... and HTML rendered version above
... did a fork for edit
... we can create pull requests for the security sections
... there are 2 sections
... "3.3 Safety and Security" and "4.4 Security and Privacy"
... not very good...
... 3.3 should be "Security and Privacy"
... (opens AssetsThreatModelSecurityObjectives.md)
... security means the system should be...
elena: pretty hard to define security here...
mccool: security means the system should preserve its integrity even when subject to attack.
... privacy means that the system should maintain the confidentiality of personally identifiable information.
... in general, security and privacy cannot be guaranteed but the WoT architecture should support best practices.
... security and privacy are especially important in the IoT domain since IoT devices need to operate autonomously and in many cases have access to both personal data and/or can be in control of safety-critical systems
... Compared to personal systems, IoT devices are subject to different and in some cases higher risks. It is also important to protect IoT systems so that they can not be used to launch attacks on other computer systems.
mccool: Definition and Motivation for "Security and Privacy"
... should we have a mechanism section?
... regarding definition, one sentence for security and another for privacy
elena: what should be protected?
... need high-level requirements
mccool: (adds "Mechanism" section below the "Motivation" section)
... generally, the WoT security architecture reflects the goals and mechanisms of the IoT protocols and systems it represents. These systems vary in their security requirements and risk tolerance, so security mechanisms will also vary based on these factors.
elena: support the underlying mechanisms correctly
mccool: correct
elena: what security architecture should support do not harm...
... you have to support what the underlying mechanisms support
... and also should support best practices if possible
mccool: (edits the "Requirements" section)
... adds:
... However, the WoT architecture needs to do no harm; it should support security and privacy at least as well as the systems it connects to
... bridging?
... scenarios?
... anyway, this is a good point
elena: combination of the best practices
mccool: how about this:
... The functional WoT architecture should provide for best practices in security and privacy.
... (re-render the updates)
... and there is another section
... 4.4 Security and Privacy
https://w3c.github.io/wot-architecture/#security-and-privacy-0
mccool: updates the text
... security is a cross-cutting issue that needs to be taken into account in all other aspects of the WoT Architecture.
... including the Thing Description,
... the Scripting API, and the Protocol Bindings.
... The Thing Description and the Scripting API should support both transport and object security using best practices.
... This should apply to both data produced by the Things' interfaces and to the meta stored in the Thing Description and accessible via the Scripting API.
... Binding Templates will support the use of appropriate security mechanisms for the protocols they map to in order to satisfy the "do no harm" principle.
... would create a pull request
... but have some problem with that pull request
<McCool> https://github.com/w3c/wot-architecture/pull/6
kaz: probably you need to get registered with the repository manager as well
... and some more questions from me
<Zakim> kaz, you wanted to ask about "best practice of what", maybe best practice of secure IoT systems? and to ask about the relationship between "WoT Architecture" and "WoT Security"
mccool: we're out of time
... you can give the comments on the pull request
... agree saying "best practice" is vague
... need to define that
... have some references to refer to
[ adjourned ]