WoT Security

06 Aug 2018



Kaz Ashimura, Michael McCool, Elena Reshetova, Ryo Kajiwara, Tomoaki Mizushima, Kazuaki Nimura, Michael Koster, Barry Leiba


Permissions workshop

McCool: any updates?

Ryo: not submitted to GH but can explain my ideas

Elena: background, etc., about the workshop?

Permissions WS CfP

McCool: CfP above
... (creating a README.md for our position paper on McCool's GH repo)


McCool: previous minutes review
... permissions workshop
... TD update review
... planning, issues/PRs
... any comments on the agenda?

Elena: new PR for the security scenario

McCool: ok
... captured within the PR review

Review minutes from the last meeting

prev minutes

McCool: skipped the f2f review
... (goes through the prev minutes)

(Barry joins)

McCool: if any updates on DTLS, we can discuss that today
... (add that to the agenda for today)
... did these things...
... (goes through TD updates, actions, other issues, ...)
... there are a bunch of actions here
... 1st ACTION: ongoing
... 2, 3, 4: we'll talk about these
... 5: need to do
... 6: no updates from Barry yet
... 8: not yet done
... comments?
... objections to accept the minutes?

(no objections)

McCool: ok. the minutes are accepted
... (goes through the updated agenda for today)

* W3C Permissions Workshop
* TD Update Review
* Testing (Fuzz testing, DTLS)
* Best practices (brainstorming)
* Planning: next steps
* Other issues and PRs
* Other business

TD Update Review

TD draft

6.1.7 security

McCool: security mandated
... (goes through the examples)
... example 15, 16, 17
... fixed a bunch of things about security examples

pr 183

McCool: the bottom line is fixing all the examples
... PSKSecurityScheme, etc., to be fixed as well
... NoneSecurityScheme is bizarre

Testing (Fuzz testing, DTLS)

McCool: (shows Elena's email)
... WoT Security testing

Elena: security testing to be moved to validation part?

McCool: is testing plan a separate document?
... the Charter says we produce a testing plan
... one big document including all the testing stuff
... all in one place

Kaz: what kind of content for that?

policy? W3C WGs usually generate test planning document and test report for each spec, one by one

Kaz: testing plan? policy?

McCool: scripting api and TD
... logically one WG
... we could split up various pieces into various documents
... network interface testing

Kaz: if that is a document on the testing infrastructure, that could be a single separate document

McCool: we can have some discussion during the main call
... we can start with one document and split it up later

Elena: mentions some idea on fuzz testing

McCool: cites her message
... test suites available for example for HTTP
... probably CoAP needs more work

Elena: Scapy is recommended for HTTP, MQTT and CoAP
... I've not tried this yet

Scapy site

Elena: generates random input
... can try to study it

McCool: it seems there is CoAP support as well
... do you want to create a PR for testing document?

Elena: ok

Permissions workshop (revisited)


McCool: only Kajiwara-san can make the workshop
... do you have any specific input?

<ryo-k> https://github.com/mmccool/w3c-permissions-2018/blob/master/0806-kajiwara-original-plans.txt

Ryo: my proposal above
... medical prescription system
... access permission based on user consent
... my original intention was a standardized way to manage that on a large-scale basis

McCool: giving people access?

Ryo: access control based on user consent is important because some people don't want to let their data be accessed

McCool: what would be the story?
... OCF is looking at medical use cases as well

Ryo: some kind of vital data can be accessed
... heartbeat rate, etc.

McCool: features of interest have been discussed
... measurement we can share
... share with the doctor
... but not family, etc.
... maybe you could use an example of medical device annotated using "feature of interest"

Ryo: ok

Koster: feature of interest can specify special things like medical data
... location and body part
... interesting design question

McCool: user decides whether the data is accessible or not
... but how to describe that?

Koster: makes perfect sense actually

McCool: category of information?

Ryo: something like "I don't share the information with somebody."
... information about "who to what"
... interesting discussion during the workshop

McCool: (adds comment)
... wondering about the deadline


Kaz: August 17

Barry: it's extended till August 17

McCool: we can generate a one-pager
... Kajiwara-san, let's have discussion

Ryo: would like to hear background expectation from you as well

McCool: (adds some edits)
... use WoT as an example of "consent as access control"

Ryo: will give input to the GH repo

<McCool> https://github.com/mmccool/w3c-permissions-2018

McCool: (will make the repo public)

Best practices

McCool: we've been discussing a separate document on best practices

Security draft - 5. Recommended Security Practices

McCool: we could make this version more generic
... and create a separate document for more specific content
... how to make it testable
... for the moment, we can put specific content into this section, though
... but a bit concerned about putting too much specific content into this Note itself

Kaz: maybe we can put all the content here first
... and if the structure gets too complicated, we can move some of the detail into the appendix
... and split that appendix into a separate document later

McCool: that's fine
... note that we need a testable document and need to limit our scope for testing
... let's just put things into the subsection of section 5
... and we should think about test on fuzzing, etc.
... testing the subsection of best practice section as well
... for now, let's stick to that approach

<McCool> https://github.com/w3c/wot-security/pull/108



McCool: we should talk about industrial security scenarios

Elena: please take a look at the changes

McCool: ok
... let's discuss it next time


McCool: Barry, you can send me your proposal on DTLS

Barry: ok. btw, can I get Elena's proposal about security testing?

McCool: Elena, you can send the proposal to the whole group?

Elena: ok


Summary of Action Items

[ONGOING] ACTION: mccool to talk with IIC Security TF and W3C Web Security IG about testing/validation timeline (first item tbd; second item done)
[ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mjkoster/elena to review examples in the security spec
[ONGOING] ACTION: mccool to look into URI templates (RFC6570) for issue 98
[ONGOING] ACTION: McCool to write PR on TD spec for security definition
[ONGOING] ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT
[ONGOING] ACTION: everyone to generate set of best practices for draft by next week
[ONGOING] ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/08/14 12:49:13 $