WoT Security

03 Sep 2018



Kaz_Ashimura, Michael_McCool, Elena_Reshetova, Kazuaki_Nimura, Xiaoru_Li, Michael_Koster, Tomoaki_Mizushima


<kaz> scribenick: nimura


<McCool> https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Sept_3.2C_2018

todays topics: "TD security and Privacy Consideration" and "Best practice document review".

Previous minutes

Previous minutes

review of minutes from last meeting.

<McCool> mccool: moved action items to https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Actions

allocated responsible persons to each action items.

<kaz> [ Kaz will add "McCool to update plugfest planning docs to include security scheme configurations to test from best practices" as an additional action to the prev minutes ]


Final review of updated Security and Privacy Considerations

PR 116

PR #116: Fixed the figures in section 7.

get rid of the commas in the figure.

<kaz> updated figure

MM to create PR for scripting API security consideration section to include normative statements.

no objection to merge the figure after changing the comma part.

that's can be PR.

ZK mentions he'll make some more changes on Scripting API.

We can do one more PR for it and review it in main call.

we'll have review/discussion on the Scripting API draft during the main call on Wednesday, Sep. 5.

Those are not related security and privacy.

we will have the version for publication on this Thursday.

TD Security and Privacy Considerations

<McCool> https://rawgit.com/w3c/wot-thing-description/0aa72308cdb8e0743a503ebdd98ddeff78d77995/index.html

There several issues in TD:

normative "SHOULD" statement.

Keep on discussing in the current TD.

Added some references in the TD doc.

that defines various normative descriptions.

security and privacy is not standard but do want to follow this guideline.

Kaz mentions that there are several possibilities:

1. would suggest we simply add an "Editor's Note" for that

2. if we want to make the guideline document an additional normative deliverable, we need to wait until the new charter period

3. or if the guideline is simply a separate section of the current security Note, we can publish it as an additional Note

4. or possibly included in the existing normative deliverables, e.g., TD

write informative document and reflect in the next charter as normative document.

<inserted> McCool will add an Editor's note about that idea as the starting point

only thing about security that has recommendations.

ID: Thing should not be fixed in hardware.

update allows only reinitialized the thing.

Is there any feed back from TD group?

access to TD: only authorized use should access the thing.

this part sounds security depends on security.

pre-authenticate user before distribute TD.

Thing directory would provide the capability.

signing TD capability can be introduced.

protecting authentication credential as well.

MUST: need to have user consent for users data.

"user consent" vary depends on places.

"a thing must satisfy all legal requirements" would be the reasonable description.

de-capitalized the MUST.

Kaz wonders if we want to mention GDPR

<inserted> note that GDPR is just one of the example policies/regulations here

TD PR #207 is about consent.

swap "on" and "off" actions is the example of problem of tampering.

<kaz> mm: (summarizes)
... Security PR116 for the upcoming publication if possible
... TD PR207 long-term point for the next publication

Security PR 116

TD PR 207

<kaz> [adjourned]

Summary of Action Items

See the Action wiki.

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/09/12 11:48:58 $