<McCool> https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Aug_27.2C_2018
McCool: will review the whole minutes next week due to small participation today
... check actions
... last one done
... 2nd last keep
<McCool> keep the following action items:
<McCool> mccool to talk with IIC Security TF and W3C Web Security IG
<McCool> create a PR to clarify the immutability of the "id" property in Thing Description
McCool: will do that
<McCool> mccool to look into URI templates (RFC6570) for issue 98
McCool: ongoing
<McCool> Barry to suggest DTLS testing plan applicable for CoAP/MQTT
McCool: ongoing
<McCool> mcCool to write PR on TD spec for security definition
McCool: still to do
<McCool> everyone to generate set of best practices
McCool: ongoing
... let's create action list based on the above
... Xiaoru has joined the group
... additional security meeting during TPAC on Monday
Kaz: have conflict on Monday for the M&E IG
McCool: please send an email to me and Elena
... maybe we can do that during breakfast or weekend
Kaz: ok
(some more attendees join)
McCool: some more attendees have just joined this call and we've got quorum, so let's review the previous minutes
... (goes through the minutes)
... actions again
... mccool to look into URI templates (RFC6570) for issue 98
... we can discuss the issue later
... would propose to accept the minutes
Ryo: typo?
... TDLS to be DTLS?
McCool: right
... with that change, can we accept the minutes?
(no objection)
Ryo: sent the position paper on the GitHub repo
Ryo: got notification
... accepted for the workshop
... so will participate in the workshop
McCool: need to generate some slide deck?
Ryo: not sure
... it will be held in one month
... Sep 26-27
McCool: let's think about the slide deck for that
Ryo: will let you know about the time schedule and requirements
McCool: ok
McCool: Elena says she will clean up figures
... also 2 empty sections
... simply commented them out
... best practices for non-wot devices
McCool: bunch of small changes
... commented out here (<!-- Don't think these are necessary...)
... 2 empty sections here
... Elena is happy to merge this PR
... merging it with mmccool:master (from mccool:polish)
<McCool> https://rawgit.com/mmccool/wot-security/polish/index.html
McCool: next week we aim to publish the official version
... finding any small issues
... we should be prepared and make decision
... would merge this against the master
... any objection to merge this now?
Kaz: against w3c/wot-security/master ?
McCool: right
... any objections?
(none)
[merged PR 112]
McCool: want to hear your input where to go
... created an MD file
McCool: will elaborate this later on
... should be specific about transport, authentication, access control, ...
... if you have any specific best practices, we can create some notes here
... limited scope on best practices on security configuration
... questions?
<Xiaoru> Does the MQTTS mean MQTT + TLS 1.3?
Kaz: maybe "MQTTS (CoAP + TLS 1.3)" is a typo, isn't it?
<Xiaoru> yes
McCool: ah, ok
... would like to flesh this out during the week
https://github.com/w3c/wot-security/issues/109
McCool: updated PR 198
... this issue can be closed?
(no objections)
McCool: closed issue 109
McCool: let's change the name of this issue
... to "Security Best Practices for WoT Systems"
McCool: generate MD file
... please give your comments
McCool: we can close this
... question of URI thing
... will close this since once we have URI templates we can use "in = query" to represent authentication information in query parameters
... like a form would do
... for various schemes
... but we should definitely use this as a test case for combining URI templates with security
McCool: kind of confused with reverse-proxy and forward-proxy
... client side vs server side
... reverse-proxy is often transparent
... my question is
... would propose to close this issue
... considering it's done
Nimura: are we just thinking about network configuration?
... or security?
McCool: caching or NAT traversal
... not specific for proxy
... authentication on proxy for endpoint
... you can give endpoint security information separately
... we should test it at plugfest
... the original goal of this issue was that we needed to add some metadata
... and it's done
... and now we need to test it
... and then let me know if any problem
... make sense?
Kaz: in that case, we need to add one check point explicitly to the online plugfest planning document. right?
McCool: right
... will make the update and then close this issue
McCool: next issue similar approach
... metadata already exists
... will update the plugfest planning document and then close this issue
McCool: similar approach
... will update the plugfest planning document and then close the issue
McCool: leave this out in this version draft
McCool: we did add fingerprinting risks
... privacy risks
... immutable hardware
... role of consent
... will create a PR for issue 70
... any objections to close these 3 issues?
(no objections)
McCool: 72 closed
https://github.com/w3c/wot-security/issues/71
McCool: did add a new section
... but still pretty empty
... should keep it open
https://github.com/w3c/wot-security/issues/67
McCool: 67 closed
McCool: Wendy suggests integrity protection
... but the security Note itself is not normative
McCool: will create a PR to put a normative SHOULD statement for confidentiality of TD distribution in the TD spec draft
<scribe> ACTION: McCool to create a PR to put a normative SHOULD statement for confidentiality of TD distribution in the Thing Description document.
McCool: will update the best practice document
... give your comments
... final review for the security draft
... (updates the agenda for Sep. 3)
... issue and PR review
... review of last minutes
... anything else?
(none)
[adjourned]