<kaz> scribenick: mjkoster

WoT Security and Privacy Considerations - document status and issue review

mccool: document progress update
... outstanding PR
... created an action for mccool
... review the changes in the PR

<kaz> Issues

* Issue on "Current practices alignment"

* Issue on "Table formatting and definition highlighting"

* Issue on "Abstract"

* Issue on "Existing best practices"

<kaz> Pull Requests

mccool: ( elena's branch)

elena: recommended practices section
... example security configuration section

mccool: need to add content for specific security practices e.g. scripting API

<kaz> Elena's updates

<kaz> McCool's Working branch

<kaz> mccool: would propose we merge Elena's changes to the above Working branch

mccool: merging elena's PR into the working branch now (no objections)

<kaz> PR 12 has been merged

<kaz> https://rawgit.com/w3c/wot-security/working/index.html is updated now

elena: will work on examples (section 5) next

mccool: created issue for tracking additions to the examples section

Issue on "Examples of security configurations"

mccool: need to add vocabulary definitions
... created issue to track additions to the scenarios section "business/corporate"

Issue on "Business/corporate scenarios"

mccool: added issue to track additions to "industrial/commercial" scenarios

Issue on "Industrial/critical scenarios"

mccool: added issue to track scripting API additions

Issue on "Scripting API"

mccool: issue to track "validation "

Issue on "Security validation"

mccool: discuss whether security provisioning is in scope

Issue on "Provisioning"

elena: we need to make a defined set of assumptions about what is done
... but can't specify how it's done

mccool: OK
... please add comments to the issue
... review the discussion on exposed vs. discoverable things
... are they separate ?

Issue on "Discovery/Expose"

<kaz> discussion during the Scripting call (Member-only)

elena: what is the specific difference?

mccool: different kinds of discovery?

mjkoster: expose means interaction is available, discoverable means TD is available

elena: when would a thing be exposed but not discoverable?

mccool: enumerantes types of discovery
... 4 ways to find a thing
... may already have a TD or know how to make a URL to get the TD
... or maybe there is a scan function

mjkoster: consider the difference in security model between TD and the Interactions

elena: how can we define the exact difference between TD and interaction?

mccool: there are different calls in the scripting API

elena: how does the system get into a state where the interactions are exposed but not discoverable?

mccool: things can't be discoverable but not exposed

mjkoster: it's about different layers of security for exposure vs. discoverability

elena: OK, that is allowed for in the model
... if the proper access control is provided e.g. on actions, then what else do we need to do?

mccool: OK, please continue the discussion in comments and issues
... we need to align the current practices with security mechanisms for the plugfest
... suggest we look at protocol binding priorities

elena: we should build the scenarios and examples based on concrete protocols

mccool: the statement about wot security includes statements about target protocols
... if we can cover security through a good comprehensive set of bindings
... created an issue for tracking

workshop proposal for NDSS

mccool: good response so far
... most accepted
... update on IEEE S&P progress
... AOB?

elena: on holiday next week
... will queue up some material on PR and issues

mccool: would zkis start discussion on the scripting section?

zkis: OK

mccool: adjourn