McCool: any updates?
Ryo: not submitted to GH but can explain my ideas
Elena: background, etc., about the workshop?
McCool: CfP above
... (creating a README.md for our position paper on McCool's GH
repo)
McCool: previous minutes review
... permissions workshop
... TD update review
... planning, issues/PRs
... any comments on the agenda?
Elena: new PR for the security scenario
McCool: ok
... captured within the PR review
McCool: skipped the f2f review
... (goes through the prev minutes)
(Barry joins)
McCool: if there are any updates on DTLS, we can discuss that today
... (add that to the agenda for today)
... did these things...
... (goes through TD updates, actions, other issues, ...)
... there are a bunch of actions here
... 1st ACTION: ongoing
... 2, 3, 4: we'll talk about these
... 5: need to do
... 6: no updates from Barry yet
... 8: not yet done
... comments?
... objections to accept the minutes?
(no objections)
McCool: ok. the minutes are accepted
... (goes through the updated agenda for today)
[[
* W3C Permissions Workshop
* TD Update Review
* Testing (Fuzz testing, DTLS)
* Best practices (brainstorming)
* Planning: next steps
* Other issues and PRs
* Other business
]]
McCool: security mandated
... (goes through the examples)
... example 15, 16, 17
... fixed a bunch of things about security examples
McCool: the bottom line is fixing all the examples
... PSKSecurityScheme, etc., to be fixed as well
... NoneSecurityScheme is bizarre
McCool: (shows Elena's email)
... WoT Security testing
Elena: security testing to be moved to validation part?
McCool: is the testing plan a separate document?
... the Charter says we produce a testing plan
... one big document including all the testing stuff
... all in one place
Kaz: what kind of content for that?
... policy? W3C WGs usually generate a test planning document and a test report for each spec, one by one
Kaz: testing plan? policy?
McCool: scripting api and TD
... logically one WG
... we could split up various pieces into various
documents
... network interface testing
Kaz: if that is a document on the testing infrastructure, that could be a single separate document
McCool: we can have some discussion during the main call
... we can start with one document and split it up later
Elena: mentions some idea on fuzz testing
McCool: cites her message
... test suites available for example for HTTP
... probably CoAP needs more work
Elena: Scapy is recommended for HTTP, MQTT and CoAP
... I've not tried this yet
Elena: generates random input
... can try to study it
McCool: it seems there is CoAP support as well
... do you want to create a PR for the testing document?
Elena: ok
McCool: only Kajiwara-san can make the workshop
... do you have any specific input?
<ryo-k> https://github.com/mmccool/w3c-permissions-2018/blob/master/0806-kajiwara-original-plans.txt
Ryo: my proposal above
... medical prescription system
... access permission based on user consent
... my original intention was a standardized way to manage that on a large-scale basis
McCool: giving people access?
Ryo: access control based on user consent is important because some people don't want to let their data be accessed
McCool: what would be the story?
... OCF is looking at medical use cases as well
Ryo: some kind of vital data can be accessed
... heartbeat rate, etc.
McCool: features of interest have been discussed
... measurement we can share
... share with the doctor
... but not family, etc.
... maybe you could use an example of a medical device annotated using "feature of interest"
Ryo: ok
Koster: feature of interest can specify special things like medical data
... location and body part
... interesting design question
McCool: the user decides whether the data is accessible or not
... but how to describe that?
Koster: makes perfect sense actually
McCool: category of information?
Ryo: something like "I don't share the information with somebody."
... information about "who to what"
... interesting discussion during the workshop
McCool: (adds comment)
... wondering about the deadline
https://www.w3.org/Privacy/permissions-ws-2018/cfp.html
Kaz: August 17
Barry: it's extended till August 17
McCool: we can generate a one-pager
... Kajiwara-san, let's have discussion
Ryo: would like to hear the background expectation from you as well
McCool: (adds some edits)
... use WoT as an example of "consent as access control"
Ryo: will give input to the GH repo
<McCool> https://github.com/mmccool/w3c-permissions-2018
McCool: (will make the repo public)
McCool: we've been discussing a separate document on best practices
Security draft - 5. Recommended Security Practices
McCool: we could make this version more generic
... and create a separate document for more specific content
... how to make it testable
... for the moment, we can put specific content in this section, though
... but a bit concerned about putting too much specific content in this Note itself
Kaz: maybe we can put all the content here first
... and if the structure gets too complicated, we can move some of the detail into the appendix
... and split that appendix into a separate document later
McCool: that's fine
... note that we need a testable document and need to limit our scope for testing
... let's just put things into the subsection of section 5
... and we should think about tests on fuzzing, etc.
... testing the subsections of the best practices section as well
... for now, let's stick with that approach
<McCool> https://github.com/w3c/wot-security/pull/108
McCool: we should talk about industrial security scenarios
Elena: please take a look at the changes
McCool: ok
... let's discuss it next time
McCool: Barry, you can send me your proposal on DTLS
Barry: ok. btw, can I get Elena's proposal about security testing?
McCool: Elena, can you send the proposal to the whole group?
Elena: ok
[adjourned]