WoT Security

20 Aug 2018


Kaz Ashimura, Michael McCool, Elena Reshetova, Xiaoru Li, Kazuaki Nimura, Tomoaki Mizushima, Ryo Kajiwara


Invited guest from Baidu

scribenick: kaz

Kaz: is it OK by you to invite Xiaoru to the meeting today?
... note the invited guest also should be aware of the W3C Patent Policy below
... but this is an IG call, so we have less of a problem

<kaz> https://www.w3.org/Consortium/Patent-Policy-20170801/

<kaz> https://www.w3.org/2003/12/22-pp-faq.html

McCool: OK to invite her

Review previous minutes

scribenick: nimura

<McCool> https://www.w3.org/2018/08/13-wot-sec-minutes.html

reviewing last minutes.

<kaz> mm: regarding the actions, the second last one on CoAP DTLS is retired. other actions to be carried over for today

<kaz> (minutes accepted)

guest from Baidu, Xiaoru Li

McCool: during TPAC, would have extra meeting in early week, say Monday

New DTLS schemes: cert, public

<kaz> TD pullrequest 198 - Add CoAP/DTLS "cert" and "public" security schemes

created PR that current TD is checked

<kaz> TD draft - 5.4.1 SecurityScheme

added two new schemes and merged.

CoAP: private, shared: pre-distributed keys

<kaz> TD draft - 5.4.6 PSKSecurityScheme

cert and public key: give identity of system

TD spec is not updated properly yet.

no section for those for public and cert somehow

<kaz> McCool: will check why

MQTT Security (wrt DTLS security schemes)

<kaz> McCool: need Koster's input

Permissions workshop

kajiwara san submitted W3C permission for the application

Remaining issues

Issue #109

<inserted> issue 109

mostly done, but rendering issue.

<McCool> https://tools.ietf.org/html/rfc7252#section-9.1

<inserted> The Constrained Application Protocol (CoAP)

Section 9.1: defines three schemes

there are some algorithm choices.

this PR is not critical for current TD

Issue #105

<inserted> issue 105

difficult to prioritize security scheme.

assume implementers work one by one.

security TF does not feel an additional feature for prioritizing security is necessary.

Issue #102

<kaz> issue 102

Testing TF needs to have sets of security recommendations

prioritize CoAP over UDP, but not prioritize others

we will focus on HTTPS-TLS CoAPS-DTLS and MQTT-TLS

but leave out others.

In terms of the recommendation, is there any particular reason to recommend CoAPS-TLS over CoAPS-DTLS?

from the security point of view.

create another md document for collecting those recommendations.

describing WoT security best practices.

recommendation for pretty good security and easy to implement

In the current main document, the recommendation is high level and has good structure.

<McCool> https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md

will include recommended best practice.

Issue #100

<inserted> issue 100

TD Change and Deletion notification

this relates to immutable identifiers.

Issue #98

<kaz> issue 98

URI templates are coming.

Issue #77

<kaz> issue 77

can close this.


kajiwara-san: notification of workshop will be received by this Friday or so.

<kaz> [adjourned]

Summary of Action Items

[ONGOING] ACTION: mccool to talk with IIC Security TF and W3C Web Security IG about testing/validation timeline (first item tbd; second item done)
[ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mjkoster/elena to review examples in the security spec
[ONGOING] ACTION: mccool to look into URI templates (RFC6570) for issue 98
[ONGOING] ACTION: mcCool to write PR on TD spec for security definition
[ONGOING] ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT
[ONGOING] ACTION: everyone to generate set of best practices for draft by next week
[ONGOING] ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week
[ONGOING] ACTION: create a PR to clarify the immutability of the "id" property in Thing Description
[ONGOING] ACTION: mccool to edit the W3C permissions document

Summary of Resolutions

[End of minutes]
