<kaz> scribenick: McCool
Koster: made some basic
organizational slides...
... look at what we did in Prague, what we want to develop,
develop plan
<kaz> Koster's slides
McCool: have proposal for
security, working on something for testing
... target ecosystems, target verticals
Kaz: would be good to have
integrated use cases or scenarios
... in order to motivate WoT
McCool: this is also why I suggested target verticals. Read "target markets"
Lagally: we might want to make a list of our current target verticals
Koster: will make list of
verticals and ecosystems
... under general category of "development topics"
... back to Prague: want to carry forward our successes
... still need to work on semantics, events
... also had good results with proxy, want to keep
developing
... and need to continue with security and accessibility
McCool: we need semantic applications as well...
Koster: that is new development
area
... new development areas: simplified TD, extended actions,
notifications via websockets and webhooks, FoI, recipes,
proxy/w/TDir, security, testing
... for semantics, iotschema.org is working on features of
interest (FoI)
... would like to see some examples
... recipes are good start
... but other approaches; generally, looking for a set of
things
... then want to operate on or orchestrate
... proxies on TDirs
... questions in the proxy pattern, i.e. local and remote
TDirs
... essentially have TD extensions, applications, and security
and testing
Kaz: matsukura-san wanted to understand how to use node-wot as an application servient
McCool: right now we don't have
very good "application" examples for node-wot
... need to show how to use it for proxies as well
... right now I have a transparent proxy, but a proxy based on
node-wot that actually translated hrefs in forms (for example)
would be useful
Koster: definitely want to make it easier to go through gateways, use proxies
McCool: I think we also need to demonstrate architectural configurations that include multiple TDirs and proxies, can traverse NATs, etc. etc.
Koster: infrastructure via common
patterns
... maybe time for federated directories
McCool: in theory SPARQL as used in the implementation of TDirs can handle federation...
<kaz> scribenick: kaz
Koster: strawman idea for goals
McCool: will show slides
... checked in
McCool: slides above
... basically
... defining goals
... [Scope]
... [Charter Review]
... [Goals]
... demonstrate Things supporting appropriate security
mechanisms
... modest goals
... straightforward authentication
... everybody can do
... achieve the goals using appropriate proxies
... authentication and confidentiality
... two proposals
... [Proposed Plugfest Security Requirements:
Authentication]
... HTTP Basic Auth
... HTTP Digest Auth
... Bearer tokens
... also having more than one
... metadata indicated within TD
... need to have more variety
... exposed thing must request/require authentication
... implementations consuming things must be able to provide
the corresponding credentials
... username/password, etc.
... 3 basic concrete things
... if you can, more than them
... [Confidentiality]
... support for HTTPS
... implementations should allow self-signed certificates
... do support proxy
... current implementation has to run on external cloud
server
... use TLS
... would add OAuth
Koster: what the assertions go into
this?
... public key pretty much uses domain name
... we should think about what the assertions go into
McCool: think about IDs for
that?
... I'm this thing and TD is...
... add note:
... [[
... but can we put some other information in the cert we can validate?
... ex. the id contained in the TD
... but spoofable...
... ]]
... [Thing Directory Security]
... for instance, using the Intel proxy, the current ThingWeb
Thing Directory can be set up to use HTTPS+Digest Auth
... Thing Directory APIs should provide authentication and
confidentiality
... HTTPS+Digest Auth so far
... should be OK
... [Tools]
... node-wot supports basic auth
... and bearer tokens
... digest in progress
... transparent proxy service that provides basic and digest
auth
... [Conclusion]
... we should look into secure devices
... 2 more plugfests before CR
... should start secure systems
... basic security
... DTLS, ACLs, OAuth, etc.
... the other issues
... key distribution: FIDO/Oauth, Kerberos, Preshared
keys
... certificates: what information can we include in a
self-signed cert to make it validatible
Koster: we have PGP, etc.
McCool: if we look at...
... adds some more points
... reviews the "Charter" slide as well
... adds:
... Object security (See charter! required!)
... COSE
... also access control
... ACL
Koster: also a question
... adapting ecosystem
... what WoT security in general would do
... what's the best practice
... e.g., node-wot can have object security
... access control added, etc.
McCool: we had discussion within the
security tf
... adds a slide including:
... Security TF Tasks
... recommended security practices for WoT
... we should have recommended/not-recommended practices
... just because we can describe it doesn't mean it is
good
... brownfield (poor) security issue
... testing
... interoperability
... would like to have TD testing mechanism
... e.g., TD playground
... as an automated process
Koster: Thing Directory would refuse if the TD is not valid
McCool: adds topics to testing
section
... penetration testing
... have only HTTP and ask basic authentication, etc.
... we can do something like that
... have stuff running
Koster: actual pragmatic security
McCool: getting out of time, so stop here
Koster: ok
... we now have this plugfest as a weekly call
... any more questions/comments?
(none)
Koster: anything else for plugfest planning?
(none)
[adjourned]