https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Agenda
<kaz> scribenick: ryo-k
Online plugfest next week; do we move the security conference?
Kaz: it's actually in 2 weeks
McCool: security call will be held as normal
<kaz> [Kaz to add the link from the prev minutes to the action wiki]
no changes to last week's minutes
<kaz> https://www.w3.org/2018/09/03-wot-sec-minutes.html
McCool: adding kaz to the editor list
-> talk later when there are more people in the call
<McCool> https://rawgit.com/w3c/wot-security/master/index.html
<kaz> latest draft above
RESOLUTION: No objection, so we will publish the current version in GitHub if the main call agrees
reviewing https://github.com/w3c/wot-thing-description/pull/207
McCool: not decided on what to do with mlagally's feedback, have to update PR
6.2 User Consent -> should be a SHOULD statement
Nimura: how to handle TD's security in plugfest?
McCool: in the unmerged TD security best practice: TDs should be only accessible to authorized users
(please correct me if I got anything wrong; wasn't able to hear well)
McCool: (showing wot-proxy implementation)
... wrap Siemens's thing directory (that has no authentication) with wot-proxy and give them authentication
<kaz> TD draft for PR207
McCool: security metadata happens outside of scripting API right now
... but we don't want scripting API to modify security metadata
<kaz> preparation-intel.md
McCool: will implement more schemes into wot proxy
Nimura: we can test "no security scheme" as it's part of the standard
McCool: security scheme is now mandatory; if there is no security then at the minimum include "scheme" : "nosec"
(the coaps security scheme in the example should be "psk" not "apikey")
McCool: need a TD rewriter that replaces nosec with basic auth etc
... secure delivery of TD itself is a different issue
Nimura: how to access TD securely?
McCool: it boils down to secure transport + secure authentication
... consuming a TD securely with node-wot does not work right now
<kaz> WoT Security Best Practices
McCool: the authentication server checks access rights based on role; the 'thing' does not know about the role
topics for next week
Ryo: if there are any updates on Privacy and User Consent workshop I will send it to the public mailing list
<kaz> [adjourned]
See the Action wiki.