<McCool> https://www.w3.org/WAI/PF/wiki/Teleconference_cheat_sheet
<McCool> scribenick: mjkoster
<zkis> https://rawgit.com/zolkis/wot-scripting-api/master/index.html
McCool: where is the URL?
... for the topic?
<zkis> https://w3c.github.io/wot-thing-description/#security
Zoltan: what is the property"n"?
McCool: these belong inside the
"scheme" element
... do you have the latest version?
... the vocabulary is in the security metadata section
... each scheme has a set of properties for that scheme
Zoltan: this document is enough information to proceed, thanks
McCool: checking the document again,
pointing out some examples
... terminology comes from openAPI to be consistent with known
practice
<McCool> mccool: please look at the end of https://github.com/w3c/wot-security/blob/working/wot-security-metadata.md
<McCool> ... there are a lot more terms than just scheme and in
Elena: privacy section
... section 7
... privacy considerations
... who is the subject, whose privacy is being protected
... who are the privacy stakeholders?
... review of the roles involved, manufacturer, installer,
etc
McCool: the primary subject is the end user
Elena: agree, are there any other considerations we need to include
McCool: privacy is a personal consideration, for corporations it is confidentiality
Elena: review the table of threat categories
McCool: fingerprinting threat is
about assembling all of the information to create a unique
ID
... could elaborate in the last row of the table
... also add a tracking risk category
... behavior observation
Elena: any other threats or risks that are not covered here?
McCool: disclosure of sensitive data,
leaking
... Thing Directory could disclose a personal inventory, things
owned
... payload data
... unique IDs on things that can be used for tracking
Elena: please think about more cases and email or discuss
McCool: issues with converting
graphics and fonts, etc.
... added text discussing a tunnel proxy approach in addition
to local+remote proxies
... could be an IP tunnel or SSH tunnel that maps ports
... the thing is responsible for its own security
... which is somewhat hard
... another version is the proxy
... using http instead of https
... the security is added at the tunnel
... network endpoints are exposed locally
... but can be hidden behind other security and gateways
... have implemented this in an online test system
... has examples with different security schemes
... gives demonstration of the online systems including raw OCF
and generated TDs
... more secure system would only expose thing directory and
the interactions themselves
... camera example
... currently has basic and digest running, adding tokens
next
... please review and provide feedback, will merge next
week
... a section on the caching proxy
... also could use metadata of TD to pre-observe properties and
perform other optimization
... security implication of the proxy having access to the
payload, maybe OSCORE could be part of a solution
... 9 minutes left, could review some issues
Elena: what about the life
cycle/provisioning issue?
... #15
... is provisioning in scope?
McCool: thought it was out of scope
Elena: sharing the document
... haven't updated it
... last statement is about the scope
McCool: should be able to close the
issue as out of scope
... any objections?
... no objections, will close
... issue 93, end of life of TD
zoltan: going with observable TD
McCool: need to review the security
implications of this solution
... let's leave it open and return to it
... AOB?
... online system is in my apartment but go ahead and use it
anytime
... adjourn