some discussion on the upcoming TPAC 2018 schedule
... Elena mentions she has a conflict with the Linux Security Summit during the TPAC week and can't join TPAC this time
<kaz> Linux Security Summit Europe - Oct 25-26 in Edinburgh, UK
<kaz> scribenick: Soumya
McCool: shows the agenda
<kaz> prev minutes
<McCool> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#May_28.2C_2018
McCool: review of previous minutes
... reviews current actions
... accepts minutes
no other comments
McCool: no open PR except one old one
... websockets are out of scope for TD right now
<kaz> PRs
McCool: merged several items to master branch
McCool: separate testing and plugfest prep meeting
... for testing, we need to think on security testing, validation
... looked at some tools
... e.g. npm audit
... action - testing and validation for security
... plugfest prep - we will have a plugfest meeting this week, mj koster will run it
Koster: matsukura-san may also chair that meeting
McCool: how to include more security and testing aspects in plugfest?
Koster: figure out what do we mean by security - starting point
... common security practice
McCool: using self-signed certificate for https, secured storage
... nodejs proxy for security
... how to distribute that
Koster/McCool: discussion on proxy
Elena: knows the process to make codes open source
McCool: I just have to follow the internal Intel processes
<not sure if it is correct spelling>
McCool: having https is useful
... basic auth should be used in addition to https
... do at least basic auth, digest, bearer tokens
... https could be possible through proxy
Koster: supports the idea
McCool: action - write a short proposal on what security tools to use in next plugfest
... action - write a proxy service
... service would work on a web API
<kaz> ACTION: mccool to write a short proposal on what security tools to use for the next plugfest
McCool: for next f2f - discussion on security related agenda
... plugfest security review is secondary priority
... discuss something on privacy, any missing aspects
... provide a recommendation on best practice efforts for ppl implementing w3c systems
... this could be another discussion
... looking at ongoing issues
<kaz> issue 98
McCool: issue 97, including a password in TLS
... is it used in place of basic auth?
Elena: could look into it
McCool: Intel building management systems use form based authentication
Koster: we can also figure out exemplary protocols for WoT
<kaz> issue 97
McCool: adds an issue for security recommendations for 'native-wot' systems
<kaz> issue 102
McCool: discussing issue 85, it is to be closed. we don't have a separate version system. security systems have a stable implementation.
<kaz> issue 85
McCool: no objection heard
... writes conclusion in the issue and closes it.
<kaz> McCool: changes the label for #73 to "DOCUMENTATION"
McCool: discussing issue 72, it is a privacy risk
<kaz> issue 73
<kaz> McCool: qop parameter for digest authentication
<kaz> issue 96
<kaz> digest access authentication (Wikipedia)
AOB?
none
<kaz> [adjourned]