WoT Security

11 Dec 2017


Kaz_Ashimura, Elena_Reshetova, Michael_Koster, Michael_McCool, Tomoaki_Mizushima, Barry_Leiba


<scribe> scribenick: kaz

NDSS paper

mccool: deadline on Dec 11
... 4 commits after Barry's review
... can walk through the updates

publication status

kaz: Elena created a pullrequest about my question

elena: have fixed all the problems you mentioned

-> https://github.com/w3c/wot-security/pulls/57 Kaz's pullrequest

kaz: added the UID (W3C account id) for McCool and Elena

mccool: ok

mccool: merges the change

-> https://github.com/w3c/wot-security/pull/58 Elena's pullrequest on fixing problems Kaz pointed out

mccool: goes through the changes

(fixed broken links at reference)

mccool: merges the fix

kaz: will check the document using the checker again
... and will work with the webmaster for the publication

NDSS paper (revisited)

mccool: submission 3 and 4

barry: reviewed submission 3
... clarifying the goal of the paper would be helpful

mccool: 30 submissions so far
... 12 of them are expected at the workshop
... we're talking about reviewing the draft spec
... in the context of reviewing a standard
... I myself am one of the organizers, so can't support this paper itself due to Conflict of Interest

-> https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-wot-sec.pdf PDF version

barry: looks good to me but how about the others?
... this is a workshop paper, not a conference paper
... explicitly mentioning that we've started some work

mccool: important exercise for people to participate in
... concept of reviewing the standard asap

elena: shorten the background section?

mccool: changed the examples to actual examples
... example of an application servient

(some more discussion)

mccool: C. Endpoint Adaptation
... will try one more around update
... if you find any small problems (typos, missing words, etc.) please create pullrequests

kaz: ok to fix the URL for link 14 after the publication of the Note?

mccool: can fix it now, and also can update later as well

[Kaz's comment on reference [14]]
The link "https://www.w3.org/TR/2017/WD-wot-security-20171116/" at:
E. Reshetova and M. McCool, “Web of Things (WoT) Security
and Privacy Considerations,” W3C, W3C Note, Sep. 2017. [Online].
Available: https://www.w3.org/TR/2017/WD-wot-security-20171116/
sould be:
as the generic URL at the moment (but should be update with the dated URL, e.g., https://www.w3.org/TR/2017/NOTE-wot-security-20171214/ once the document is published
also "Sep." should be "Dec."

mccool: ok

wot-security issues

https://github.com/w3c/wot-security/issues/59 TD/API security requirements for the next plugfest

https://github.com/w3c/wot-scripting-api/issues/82#issuecomment-350662317 related issue on Scripting

mccool: 2 issues here
... added a comment here to the scripting issue 82
... and created another issue for security repo 59
... adding another description to security issue 59
... perhaps there are two issues
... 1. specifying "security" section of an exposed TD. The requirements for the scripting API will be given entirely by the requirements for the TD spec. Right now the TD spec has an "open" format for the security metadata so probably the API should just allow similar arbitary data in the API

elena: 2nd issue would be much bigger?

mccool: 2. A possibly related issue is now "provisioned security data" (keys, etc.) are provided to a particular instanc of a WoT object, e.g., for a service
... do we assume a WoT servient magically find that key?
... how to handle this?

kaz: maybe we need 3 different kinds of identifiers?
... one for the devices, 2nd for the apps and 3rd for the users?
... and some mechanism to how to identify the combination of those three identifiers

elena: depends on the application

mccool: the first point is easier
... related to the problem of lifecycle

elena: we have the 2nd point within the privacy consideration?
... the lifecycle issue is related to how to handle the credential for multiple apps

mccool: we can add a link from the security document to specific issues on the GitHub repo
... any other issues to review?

https://github.com/w3c/wot-security/issues/52 Blockchains for WoT

mccool: blockchains may fit with WoT
... the Payment WG is working on rechartering
... interledger would be a good place to start for "blockchain authorization"

https://github.com/w3c/wot-security/issues/53 authorization and minimizing access to TD in Things directory

mccool: possibly multiple questions here...
... 1. who is authorized to use the Thing Directory Web service? shince this is a Web service, it can be handled like other Web service.
... 2. How can/should we support sub-setting of Thing Descriptions, i.e., should a Thing Directory support different levels of authorization?
... 3. if we do a semantic search, the data that can be used for inferencing should also only be data that the user has authorization to access.
... for example, could have two levels of access, full and partial, Then a user with partial access can only do inferencing over partial TDs.
... a related problem
... Thing Directories are not officially part of the WoT architecture.
... this may be a problem since we may leave out important security hooks like the identity of the entity doing discovery.

next meeting

elena: not available on 18th

mccool: can handle the next meeting
... let's talk about lifecycle, etc.

barry: won't be available on 18th

mccool: ah, in that case, maybe we can simply cancel the meeting on 18th
... can just have discussion on publication with Kaz

prev minutes

https://www.w3.org/2017/12/04-wot-sec-minutes.html prev minutes

mccool: don't see problems

elena: we should update the publication plan

https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Schedule publication schedule

mccool: we'll update the publication with Feb. 15 (Thu)
... the prev minutes themselves are accepted


Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.147 (CVS log)
$Date: 2017/12/20 15:13:54 $