WoT Security

13 Aug 2018



Kaz_Ashimura, Michael_McCool, Ryo_Kajiwara, Michael_Koster, Elena_Reshetova


<kaz> scribenick: mjkoster

Agenda review

(McCool goes through the draft agenda for today)

Review minutes from the last meeting

<kaz> minutes from last meeting

McCool: last-minute change of the term "none" to "nosec"
... any corrections to the minutes?
... minutes accepted
... please carry the action items to the next agenda

Permissions workshop

<McCool> https://github.com/mmccool/w3c-permissions-2018

Ryo: focus on user permission of access control and how users decide which data to share

McCool: should mention how this aligns with the WoT approach of access metadata
... could edit online

<McCool> https://github.com/mmccool/w3c-permissions-2018/blob/sec-edit/README.md

PR on Security scenarios

McCool: looks ready to merge

<inserted> PR 108

Elena: PR #108
... review and walk through the PR
... this is a basic description of scenarios; does anyone have feedback or comments?

McCool: building tenants and employees may come and go, requiring management of access rights to users
... when a tenant leaves there is a privacy issue where data must not be retained
... for example, there may need to be temporary access granted to an employee for the thermostat in a room while the employee is in the room
... ideally there should be some access control that doesn't require use of the device

Elena: threat model characterization

McCool: should emphasize that this is an office environment

Elena: it includes company information as a protected asset

McCool: also access to the premises

Elena: scenario 3 is industrial, focus on safety and availability, privacy is less important
... another assumption is access would be protected by partitioning networks

McCool: for example access from the IT network to the OT network to collect statistics
... but need to make it difficult to access the OT network by compromising the IT network
... also has the requirement to manage employee access in a dynamic way
... e.g. when employees transition in and out of the company
... does anyone else have comments, would anyone else be willing to review?
... which issues can we close?

Elena: 20 and 21

<kaz> issue 20

<kaz> issue 21

McCool: review other issues

<kaz> issue 44

<kaz> issue 48

<kaz> issue 106

scribenick: kaz

McCool: this is out of the scope for standardization?

Koster: right

McCool: updates the issue and closes it

<inserted> issue 70

Elena: what is the hardware identifier discussed in issue 70?

McCool: there should be a short paragraph about immutability
... need to create a PR to use appropriate terminology

scribenick: mjkoster

<kaz> TD draft - 5.2.1 Thing

McCool: this has to do with the identifier of the TD
... create a PR to clarify the immutability of the "id" property in Thing Description

<kaz> ACTION: mccool to create a PR to clarify the immutability of the "id" property in Thing Description

McCool: mccool to edit the W3C permissions document

<kaz> ACTION: mccool to edit the W3C permissions document

McCool: creating a PR for CoAP DTLS scheme
... any input on what is needed?

<scribe> ACTION: mccool to create 2 additional schemes for CoAP DTLS

McCool: also need to discuss MQTT security scheme


Summary of Action Items

[ONGOING] ACTION: mccool to talk with IIC Security TF and W3C Web Security IG about testing/validation timeline (first item tbd; second item done)
[ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mjkoster/elena to review examples in the security spec
[ONGOING] ACTION: mccool to look into URI templates (RFC6570) for issue 98
[ONGOING] ACTION: McCool to write PR on TD spec for security definition
[ONGOING] ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT
[ONGOING] ACTION: everyone to generate set of best practices for draft by next week
[ONGOING] ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week
[NEW] ACTION: mccool to create a PR to clarify the immutability of the "id" property in Thing Description
[NEW] ACTION: mccool to create 2 additional schemes for CoAP DTLS
[NEW] ACTION: mccool to edit the W3C permissions document

Summary of Resolutions

[End of minutes]

$Date: 2018/08/14 12:45:43 $