W3C

- DRAFT -

WoT Security

21 May 2018

Attendees

Present
Kaz_Ashimura, Elena_Reshetova, Michael_McCool, Michael_Koster, Barry_Leiba, Tomoaki_Mizushima, Zoltan_Kis, Kazuaki_Nimura
Regrets
Chair
McCool
Scribe
kaz

Agenda

McCool: testing vs plugfest?
... doodle for both
... maybe we can use the editor's call slot for this week?
... and doodle for the next week
... this week plugfest slot for testing discussion
... and next week for plugfest as well based on the doodle results

Agenda

McCool: btw, any addition to the agenda?
... plugfest on Oct 20-21
... TPAC on Oct 22-26

TPAC page

McCool: should be added to the WoT wiki as well

Elena: Lyon should be fine

Kaz: the f2f meeting will be held on Oct 25-26

Reviewing prev minutes

Apr 30

May 7

May 14

McCool: skimming the minutes
... ok with this
... any objections?

(none)

McCool: accept Apr 30 minutes
... next one, May 7
... a couple of PRs
... any comments/corrections?

(none)

McCool: accepted - May 7 minutes
... next May 14
... privacy considerations
... this week as well
... no actions captured

Kaz: can copy the remaining ones here

McCool: privacy section still pending

[[

ACTION: [ONGOING] elena to work on issue 68 (Thing Provider Data Specification) and issue 69 (Passive Observers Risk)

ACTION: [ONGOING] elena/koster to work on terminology

ACTION: [ONGOING] mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)

ACTION: [ONGOING] mccool to talk with security guys about testing/validation timeline

ACTION: [ONGOING] mccool to work on tunneling/shadow for the security metadata proposal

ACTION: [ONGOING] mccool to work on PR 90

ACTION: [ONGOING] zkis to create scripting issue for TD life cycle in scripting api

ACTION: [ONGOING] mjkoster/elena to review examples in the security spec

]]

Kaz: which action items are done?

McCool: ongoing last week, and we can close them this week
... let's copy them as is and talk about the status today

Kaz: ok

McCool: except for that, the minutes are accepted - May 14

Review PRs

PRs

McCool: would close #92 first

PR 92

McCool: added a diagram
... and caching algorithm

Elena: cache combined with security

McCool: could address it
... question of how to interpret it

Elena: encryption
... good to mention both encryption and authentication

McCool: encryption, authentication and integrity of confidentiality?
... (goes to his repo)
... referring to a new figure with caching proxy
... have to check if the link is ok

Elena: problem with another link too

McCool: (fixed the links)

Elena: need clarification to [[The cache can either be combined with the security endpoint proxy or can be instantiated as a separate service or "middleware layer".]]

McCool: (add explanation)
... will remove "middleware layer"
... (add comment about the changes)
... let's accept the PR now
... we can add fixes later
... next thing to do is...
... PR 94

PR 94

Elena: don't see mitigation yet

McCool: why don't we add some text for mitigation then?
... (create an issue)
... add mitigations to privacy section
... we can discuss mitigation separately
... to follow up on PR 94
... (as issue #99)

Elena: link to my repo?

Elena's repo

McCool: possibly a separate subsection for mitigation
... now any objections to accept PR 94?

(none)

McCool: will merge it then
... (add a note)
... privacy threats now listed
... next PR 95
... (shows "working" branch)

working branch

McCool: Elena, did you merge the change with the working branch?

Elena: yes

rawgit version

McCool: any objections to merge PR 95?

(none)

McCool: will merge this
... (and merged PR #95)
... (and then check the master branch)

Plugfest

McCool: would like more things to happen for the next plugfest
... some issues with security metadata
... and created GH issues for them
... security and privacy sections
... (add items to the Bundang f2f wiki)

f2f wiki

McCool: Review security metadata
... security testing/validation plan
... plugfest security recap
... anything else we should add?

(none at the moment)

McCool: regarding plugfest...
... Michael, is it ok if I add something like this...
... goal, objection, etc.

Koster: this is high-level description
... so would make sense

McCool: (adds topics)
... testing
... security implementations and interop testing

Koster: application scenarios
... proxy configurations

McCool: (adds them)
... 5 items should suffice at the moment
... and then
... (goes back to "Plenary and Breakouts")
... (and add some points to "WoT Testing")
... let's go back to issue reviews

Issue review

security issues

McCool: issue 98 on form-based authentication schemes on digest authentication

https://github.com/w3c/wot-security/issues/96

McCool: issue 98

https://github.com/w3c/wot-security/issues/98

McCool: issue 97 on TLS-SRP authentication scheme

https://github.com/w3c/wot-security/issues/97

McCool: issue 93 on Thing end of life signaling

https://github.com/w3c/wot-security/issues/93

McCool: security implication change?
... broader issue on accessing security metadata in TD?
... (shows section 5.1.1 of wot security draft)

5.1.1 Secure Delivery and Storage of Thing Description

McCool: (create an issue on "Discuss Security Implications of TD Change and Deletion Notification" as Issue 100)

Koster: makes sense

McCool: (adds link to issue #114 of wot-scripting-api)
... this issue supersedes original issue 93
... (and add "superseded by issue 100" to issue 93)
... now we have a more general issue
... another issue for today
... issue 83
... would close this

https://github.com/w3c/wot-security/issues/83

McCool: any comments?

(none)

McCool: (and closed issue 83)
... next issue 78

https://github.com/w3c/wot-security/issues/78

McCool: does WoT use cookies?
... think yes
... (add notes)

Koster: share them between clients?

McCool: could be a token or actual data

Koster: use them for session keys?

McCool: related to the issue #98
... would close issue 78

Koster: ok

McCool: please give comments to the other issues

[adjourned]

Summary of Action Items

[DONE] ACTION: elena to work on issue 68 (Thing Provider Data Specification) and issue 69 (Passive Observers Risk)
[DONE] ACTION: elena/koster to work on terminology
[ONGOING] ACTION: mccool to talk with security guys about testing/validation timeline
[ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
[DONE] ACTION: mccool to work on tunneling/shadow for the security metadata proposal
[DONE] ACTION: mccool to work on PR 90
[DONE] ACTION: zkis to create scripting issue for TD life cycle in scripting api
[ONGOING] ACTION: mjkoster/elena to review examples in the security spec

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/05/22 11:21:55 $