<McCool> https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf
<McCool> https://www.w3.org/2018/12/03-wot-sec-minutes.html
<scribe> scribenick: kaz
McCool: (goes through the prev minutes)
... any objections?
(none)
McCool: accepted
Kaz: will fix the style later and then send them out
McCool: security and privacy consideration published on Dec 3
security draft (published version)
McCool: unfortunately, new security/privacy considerations not included in the published TD spec
Elena: PR for the architecture draft
<elena> https://github.com/w3c/wot-architecture/pull/63
McCool: runtime considerations
<elena> https://github.com/w3c/wot-scripting-api/pull/155
McCool: runtime considerations to be taken out from the scripting api draft
... we should discuss the status/progress with the architecture editors
... 2 more items here
... documentation planning and implementation report
... what we should do
... create a repo and prepare for a skeleton
... wot-security-best-practices and wot-security-testing-plan
... focus of security testing plan
... kind of involving document
... normal penetration testing
... more a living academic document
... the work we did on threat modeling
... something we need to push to the next level
Elena: anyone from W3C for penetration testing?
McCool: W3C folks are not really in charge of testing
Elena: somebody supposed to do something
McCool: library expectation
... checking implementation has poor input validation, etc.
... we should create an appropriate repo
... and the next step is to create a skeleton
... we should cover the outline
... can do that during the Christmas vacation
... we can send out an email to get a final confirmation
... updating Notes is not difficult
Kaz: the only question is just that the expected URL shortname is unique
... the proposed names are ok
... I can create GitHub repos after getting groups' confirmation
McCool: ok
... let's confirm that during the main call this Wed
McCool: we had TestFest
McCool: implementation description here within the pink area
... but not yet for SmartThings or Siemens
... main thing is identifying the gap
... to improve the tests
... the result table has Pass/Fail/Not-impl
... still need to work on pink assertions
... not well-represented
... eventing, etc., to be taken care of
... links also left out
... assuming people will work on that shortly
... easier to fix
... rest of the stuff
... security mostly
... td-security-binding, td-security-no-extras
... required security schemes
... only myself reported these features
... but shouldn't be hard to achieve, e.g., using node-wot
... the rest of these
... scopes and bunch of stuff
... more aggressive to get implementations
... some of them pretty easy
... easy to add default value
... need to flesh them out
... in terms of schemes
... easy to expose each scheme
... which implementations did which?
... regarding security: nosc, basic, cert, digest, bearer, pop, psk, public, oauth2, apikey
... any comments?
(some discussion with Elena)
McCool: everyone uses the same library for TLS
... what is independent code-base?
... still waiting for node-wot result and smartthings result
... will update on Wednesday for reporting at the main call
<McCool> https://github.com/w3c/wot-thing-description/pull/314
McCool: we're getting 6-month extension for the WG
... can be as far out as March 2019
... before we're entering into CR/PR
... who will do this?
... mizushima-san, any idea?
mizu: no, not at the moment
McCool: W3C official review for security?
Kaz: can ask security groups and TAG
McCool: would like to ask Valerie Fenwick from Intel (Web Application Security WG) for help
... (checks actions)
... confirm final decision on the main call on Dec 19
... will talk to the W3C Web Security IG about formal security validation
... btw, decide whether to make Kaz an editor for the security note?
... can do an email vote
McCool: waiting for architecture merge
McCool: confirm one more time in the main call
[[
"security": {
  "type": "array",
  "items": {
    "oneOf": [
      { "type": "string" },
      { "$ref": "#/definitions/securityScheme" }
    ]
  }
}
]]
McCool: discussion on Friday?
McCool: Dec 24/31 no meetings
... next meeting will be Jan 7
[adjourned]
See the Action wiki.