<scribe> scribenick: kaz
mccool: deadline on Dec 11
... 4 commits after Barry's review
... can walk through the updates
kaz: Elena created a pull request about my question
elena: have fixed all the problems you mentioned
-> https://github.com/w3c/wot-security/pulls/57 Kaz's pull request
kaz: added the UID (W3C account id) for McCool and Elena
mccool: ok
mccool: merges the change
-> https://github.com/w3c/wot-security/pull/58 Elena's pull request on fixing problems Kaz pointed out
mccool: goes through the changes
(fixed broken links at reference)
mccool: merges the fix
kaz: will check the document using
the checker again
... and will work with the webmaster for the publication
mccool: submission 3 and 4
barry: reviewed submission 3
... clarifying the goal of the paper would be helpful
mccool: 30 submissions so far
... 12 of them are expected at the workshop
... we're talking about reviewing the draft spec
... in the context of reviewing a standard
... I myself am one of the organizers, so can't support this paper
itself due to Conflict of Interest
-> https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-wot-sec.pdf PDF version
barry: looks good to me but how about
the others?
... this is a workshop paper, not a conference paper
... explicitly mentioning that we've started some work
mccool: important exercise for people to
participate in
... concept of reviewing the standard asap
elena: shorten the background section?
mccool: changed the examples to actual
examples
... example of an application servient
(some more discussion)
mccool: C. Endpoint Adaptation
... will try one more around update
... if you find any small problems (typos, missing words, etc.)
please create pull requests
kaz: ok to fix the URL for link 14 after the publication of the Note?
mccool: can fix it now, and also can update later as well
[Kaz's comment on reference [14]]
The link "https://www.w3.org/TR/2017/WD-wot-security-20171116/" at:
[[
E. Reshetova and M. McCool, “Web of Things (WoT) Security
and Privacy Considerations,” W3C, W3C Note, Sep. 2017. [Online].
Available: https://www.w3.org/TR/2017/WD-wot-security-20171116/
]]
should be:
[[
https://www.w3.org/TR/NOTE-wot-security/
]]
as the generic URL at the moment (but should be updated with the dated URL, e.g., https://www.w3.org/TR/2017/NOTE-wot-security-20171214/ once the document is published)
also "Sep." should be "Dec."
mccool: ok
https://github.com/w3c/wot-security/issues/59 TD/API security requirements for the next plugfest
https://github.com/w3c/wot-scripting-api/issues/82#issuecomment-350662317 related issue on Scripting
mccool: 2 issues here
... added a comment here to the scripting issue 82
... and created another issue for security repo 59
... adding another description to security issue 59
... perhaps there are two issues
... 1. specifying "security" section of an exposed TD. The
requirements for the scripting API will be given entirely by the
requirements for the TD spec. Right now the TD spec has an "open"
format for the security metadata so probably the API should just
allow similar arbitrary data in the API
elena: 2nd issue would be much bigger?
mccool: 2. A possibly related issue is
how "provisioned security data" (keys, etc.) are provided to a
particular instance of a WoT object, e.g., for a service
... do we assume a WoT servient magically finds that key?
... how to handle this?
kaz: maybe we need 3 different kinds
of identifiers?
... one for the devices, 2nd for the apps and 3rd for the
users?
... and some mechanism for how to identify the combination of those
three identifiers
elena: depends on the application
mccool: the first point is easier
... related to the problem of lifecycle
elena: we have the 2nd point within the
privacy consideration?
... the lifecycle issue is related to how to handle the credential
for multiple apps
mccool: we can add a link from the
security document to specific issues on the GitHub repo
... any other issues to review?
https://github.com/w3c/wot-security/issues/52 Blockchains for WoT
mccool: blockchains may fit with
WoT
... the Payment WG is working on rechartering
... interledger would be a good place to start for "blockchain
authorization"
https://github.com/w3c/wot-security/issues/53 authorization and minimizing access to TD in Things directory
mccool: possibly multiple questions
here...
... 1. who is authorized to use the Thing Directory Web service?
since this is a Web service, it can be handled like other Web
services.
... 2. How can/should we support sub-setting of Thing Descriptions,
i.e., should a Thing Directory support different levels of
authorization?
... 3. if we do a semantic search, the data that can be used for
inferencing should also only be data that the user has
authorization to access.
... for example, could have two levels of access, full and partial.
Then a user with partial access can only do inferencing over
partial TDs.
... a related problem
... Thing Directories are not officially part of the WoT
architecture.
... this may be a problem since we may leave out important security
hooks like the identity of the entity doing discovery.
elena: not available on 18th
mccool: can handle the next meeting
... let's talk about lifecycle, etc.
barry: won't be available on 18th
mccool: ah, in that case, maybe we can
simply cancel the meeting on 18th
... can just have discussion on publication with Kaz
https://www.w3.org/2017/12/04-wot-sec-minutes.html prev minutes
mccool: don't see problems
elena: we should update the publication plan
https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule publication schedule
mccool: we'll update the publication with
Feb. 15 (Thu)
... the prev minutes themselves are accepted
[adjourned]