WoT Security

10 Sep 2018



Kaz_Ashimura, Michael_McCool, Kazuaki_Nimura, Ryo_Kajiwara, Tomoaki_Mizushima




<kaz> scribenick: ryo-k

Next call

Online plugfest next week; do we move the security conference?

Kaz: it's actually in 2 weeks

McCool: security call will be held as normal

Review of last minutes

<kaz> [Kaz to add the link from the prev minutes to the action wiki]

no changes to last week's minutes

<kaz> https://www.w3.org/2018/09/03-wot-sec-minutes.html

Security and Privacy Considerations

McCool: adding kaz to the editor list

-> talk later when there are more people in the call

<McCool> https://rawgit.com/w3c/wot-security/master/index.html

<kaz> latest draft above

RESOLUTION: No objection, so we will publish the current version in GitHub if the main call agrees

PR 207

reviewing https://github.com/w3c/wot-thing-description/pull/207

McCool: not decided on what to do with mlagally's feedback, have to update PR

6.2 User Consent -> should be a SHOULD statement

Online plugfest

Nimura: how to handle TD's security in plugfest?

McCool: in the unmerged TD security best practice: TDs should be only accessible to authorized users

(please correct me if I got anything wrong; wasn't able to hear well

McCool: (showing wot-proxy implementation
... wrap Siemens's thing directory (that has no authentication) with wot-proxy and give them authentication

<kaz> TD draft for PR207

McCool: security metadata happens outside of scripting API right now
... but we don't want scripting API to modify security metadata

<kaz> preparation-intel.md

McCool: will implement more schemes into wot proxy

Nimura: we can test "no security scheme" as it's part of the standard

McCool: security scheme is now mandatory; if there is no security then at the minimum include "scheme" : "nosec"

(the coaps security scheme in the example should be "psk" not "apikey"

McCool: need a TD rewriter that replaces nosec with basic auth etc
... secure delivery of TD itself is a different issue

Nimura: how to access TD securely?

McCool: it boils down to secure transport + secure authentication
... consuming a TD securely with node-wot does not work right now

Best Practice document review

<kaz> WoT Security Best Practices

McCool: the authentication server checks access rights based on role; the 'thing' does not know about the role

topics for next week

Ryo: if there are any updates on Privacy and User Consent workshop I will send it to the public mailing list

<kaz> [adjourned]

Summary of Action Items

See the Action wiki.

Summary of Resolutions

  1. No objection, so we will publish the current version in GitHub if the main call agrees
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2018/09/24 11:51:06 $