WoT Security

30 Jul 2018


Kaz_Ashimura, Michael_McCool, Tomoaki_Mizushima, Kazuaki_Nimura, Barry_Leiba


prev minutes

Review of minutes from last meeting

prev minutes

McCool: need to skip plugfest/f2f review again
... went over proposals
... (updates the agenda with "Testing plan")
... first action is done
... 2nd action, did the 2nd half
... waiting for answer
... carry forward with the 4 last actions
... and new action: "McCool to write PR on TD spec for security definition"
... any objections to accept the prev minutes?


McCool: ok. so the minutes has been accepted

<inserted> (Barry joins)

McCool: (goes through the agenda for today)
... anything else?


PR 107

PR 107

McCool: happy with it
... a few minor fixes
... go ahead with the next step
... nothing major
... go ahead and accept that
... any objection to merge this?


McCool: ok. will merge it :)
... get action to clean it up
... one more chance to discuss before merging with the main branch


McCool: follow through the action from f2f
... drafted a document here

Testing Plan

McCool: one thing would ask people to do
... go through the section on security testing
... limited scope (=list of "NOT do"s)
... lifecycle limitation for point 2
... protocols for point 3
... security best practices for point 4
... should have a separate document for security best practices
... but later
... MQTT - TODO: details: DTLS testing etc.
... for HTTP, I have SSL testing, etc.

Barry: we might do...
... to use HTTPS, CoAPS, MQTTS
... obvious to use secure version of protocols

McCool: ok
... need to have how to secure MQTT

Barry: need to see core working group document

McCool: create a PR for one paragraph?

Barry: can work on a shot

McCool: if you can send by email, I can make a PR
... CoAP-based protocol
... e.g., DTLS testing
... regarding HTTP, described web services here
... one of issues
... particular commercial service or tool?
... or standard
... may have political issues
... might have some example
... free/opensource one
... link to OWASP Testing Project


McCool: and penetration testing
... these 2 things should be enough
... please review this section and give comments
... Metasploit is a framework
... thought that was a free one

TD updates

McCool: PSK and none schemes




McCool: maybe the rendered version not correctly submitted yet...

<McCool> https://github.com/w3c/wot-thing-description/issues/165

McCool: created a TD issue above (165)
... Should "security" be mandatory
... can declare security "none" at the top level
... would like to respond to Ben and ask him clarification
... having nothing vs "none" have a bit different meanings
... actual implementations can do something if nothing is specified
... but TD should have explicit information
... would discourage TD to be incomplete
... personally think security should be mandatory
... we could recommend security is mandatory for machine-to-machine interaction
... would like to see people's opinions

Barry: definitely should be mandatory

McCool: others?

Nimura: should be mandatory

McCool: it is related to binding contract

Mizushima: no questions

McCool: (adds a comment to issue 165)
... discussed this in the security tf and the consensus was to make "security" mandatory
... also, we felt that the security spec in the TD should be "binding", e.g., it should be considered an error if the Thing goes off and does security a different way.
... resolution: yes, make it mandatory. also binding.


McCool: we can remove the first action (from the prev minutes)
... need to ping IIC
... 3 other things got no progress yet
... new action

<scribe> ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT

<McCool> ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week

McCool: also best practice document

<McCool> ACTION: everyone to generate set of best practices for draft by next week

McCool: no update on the long-term schedule
... will update people to find out

Other issues

issue 106

McCool: leave it open

issue 105

McCool: any opinions?
... originally raised by Lagally during f2f
... more than form for different mechanisms
... any prioritization?
... any objections to leave out priorities?

Barry: makes sense

(no objections)

McCool: adds a comment to issue 105
... We discussed this in the Security TF and felt that priorities caused more problems than they would solve and we should leave them out.

issue 102

McCool: adds a comment
... We ARE going to have a Best Practices document of some kind if only to limit the scope of testing. Initially this will just be a section of the Security and Privacy Considerations document although we should break it out into a separate document eventually.


Summary of Action Items

[ONGOING] ACTION: mccool to talk with IIC Security TF and W3C Web Security IG about testing/validation timeline (first item tbd; second item done)
[ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mjkoster/elena to review examples in the security spec
[ONGOING] ACTION: mccool to look into URI templates (RFC6570) for issue 98
[ONGOING] ACTION: mcCool to write PR on TD spec for security definition
[NEW] ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT
[NEW] ACTION: everyone to generate set of best practices for draft by next week
[NEW] ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/08/07 01:04:09 $