McCool: goes through the previous minutes
... "to date" should be "to date"
... wondering about the progress on url schema
<mjkoster> URI templates are defined in RFC 6570
Koster: Matthias made some concrete proposal
... very clear about how it works
... variables would be expanded
... we're calling payload schema
McCool: ok
... minutes are OK with the small typo above
... any objections?
(none)
the minutes accepted but "to data" should be "to date"
<McCool> https://github.com/w3c/wot-security/pull/103
McCool: goes through the changes
... bunch of statements on mitigation
... e.g., access to TD limited to some certain clients
... for privacy
... and privacy consideration referring to coo13
... typo to be fixed
... and big change here
... L2384 => L2399
... some typical things
... threat never changes or changes rarely
... fingerprinting
... persistent tracking
... and TD id changed periodically
... probably TD changes and notification happens
... it's OK as it is, though some more description might be better
... would accept this PR itself and polish it later
Koster: there is another submission
... looks fine to me
McCool: don't think it's perfect but ok to accept
... and clean up and polish the text later
... OK to merge this?
(no objections)
McCool: merged PR 103
... ok
... now just one PR here
McCool: adds notes to the issue
... fingerprinting risks now discussed in text included in PR 103
... @jasonanovak, do these changes sufficiently address the issue?
McCool: adds notes
... discussed in PR 103.
... currently for various reasons the WoT TD actually requires unique id.
... however, it does not say they need to be "immutable" and they can be updated
... adds "@jasonanovak" to the notes so that Jason would notice the notes
McCool: closed
Barry: fine
McCool: adds notes
... actually, TD notifications are useful to mitigate privacy issues...
McCool: have not responded much to Matthias yet
... example of logging
... get access by credential presented every time
... exchange scheme seems to be useful
... one issue
... requiring semantics
... one way is simply to have credential
... need to look into URI template
... on my todo list
McCool: guess this is still open
... would wait for Elena's update
McCool: adds comments
... Actually, a TD update/notification can be used to mitigate certain forms of privacy risk
... for instance, the ID can be updated periodically and only authorized subscribers notified
McCool: is there anybody to chair the possible security sessions during the upcoming f2f in Korea?
... shows the f2f agenda
McCool: quickly skims the agenda
... would add information on "session leaders" to the agenda
... there are 5 topics on security
... put McCool's name to some of the topics
... review security metadata and scripting (McCool)
... security testing and validation planning (McCool)
... plugfest security review (Elena/McCool)
... privacy threats and mitigations (Elena)
... security implementation recommendations (Elena)
... also some test topics
... specification validation tools (Ege and?)
... TD validation tools (Ege and ?)
... test suite for scripting API (?)
... online testing/demonstration systems (McCool)
Barry: regrets for the next week. see you in Korea!
[adjourned]