McCool: we're interested in the interfaces
... how to make the IoT devices accessible
... also working with the HTTPS local CG within W3C
... HTTPS in browsers expect global visibility
Bergman: issue with local hosts
McCool: yes
... the other group interested is IIC
... CTA is related to consumer devices?
Bergman: we're also reaching out
IIC
... we're trying to talk with multiple sectors
McCool: (starts to share his screen for the questionnaire from CTA)
... Elena Reshetova, one of the active members, is not available today but would like to review this spreadsheet
... we're working for official transition for our spec now
... but happy to go over the questionnaire
... activities we're working with
Bergman: the genesis is US regulatory activity
... but people are not only interested in US regulatory
... but also global activities
... the concern is many organizations creating many Best Practices, etc.
... many philosophies, etc.
... too much fragmentation is not good
... general principle and requirements needed
... we got over 70 organizations
... we want de-fragmentation
... medical, automotive, other industries, ...
... some requirements specific to industries
McCool: a whole lot of good topics so far
... OCF, IIC, etc.
... but each work covers some specific areas
... IETF's best practice work as well
... the other issue is conformance
... baseline for ecosystems
... however, big problem with IoT
... so many people are building stuff
Bergman: we have similar discussion
... suitable set of specs for conformity
... some kind of label structure
... general baseline for reasonable version
(some more discussion on IoT fragmentations)
Bergman: what we did was send out invitations
... all the government agencies
... also internet societies
... baseline security
... EU, UK, etc.
... not only US government
... have spoken with METI from Japan, Canada, etc.
... have you seen the attendees list?
... partners involved
... good time to go through the spreadsheet
McCool: how to deal with the fragmentation problem
... this is "narrow waist" idea by WoT
... deep history of multiple industries
... like automotive, factory automation
... (shows the spreadsheet)
... suspect your documents are more than this
... but good questions listed here
... many arguments
... we have been having many discussions
... the issue is there is too much work for a small group like us
Bergman: here are 15 organizations here
... if some of them are out of scope of your work, that's also useful input
McCool: should put that kind of comment here?
Bergman: column G to be used
McCool: ok
... most of the things are reasonable
... there are common references
... but no definition about lifecycle so far
... standard terminology for lifecycle, etc.
Bergman: the idea of device carries out some XML data
... what the intent is
... what if IoT attempt to contact Facebook, etc.?
... should be denied
McCool: very interesting
... could be supported with links in TD
... general mechanism for extension using hyperlink
... relation with MUD things here
... a lot of topics here are interesting
Bergman: in the initial instruction about the spreadsheet
... you can't change the order of the lines
... but can add additional lines
McCool: ok
... unfortunately, we don't have Elena today
... but our main spec from W3C WoT is Thing Description
... might be various ways to handle metadata for TD
... change the ID, track ID, etc.
... various risks associated with IDs
... probably two sub categories here
... one is confidentiality
... another is modification protection
Bergman: metadata confidentiality and arguments on browser fingerprinting
... on the other hand, interoperability of systems
... my work related to internet video distribution
... can explain both sides of the picture
... in terms of integrity of the data
... can see link for encryption
McCool: thinking more about end-to-end connection
... link protection is given
... might want to cache intermediate data?
... may want to have a trusted gateway
Bergman: there is a section about protection and trust
... requirements to go for E and comments for G
McCool: one of the fundamental things is end-to-end security
... (7E) Yes, if includes COSE (object security), End-to-end security is a necessity. Link security is inadequate if intermediaries
... one thing people are concerned is privacy information
... I think this list is for the first level requirements
Kaz: note that "security and privacy" has two target areas
... device side and user side
... WoT related to the device side
... and Verifiable Claims from W3C related to the user side
... so would make sense to talk with the Verifiable Claims WG as well
(Elena joins)
McCool: mentions several organizations/events
Bergman: why don't you send a message on the co-locations
McCool: ok
... e.g., IIC
... CTA's workshop is occurring soon
... we should include summaries of those related specs
Elena: is the spreadsheet sent to me as well?
McCool: yes
Elena: will check it
Bergman: we've not done our final requirements yet
... discussion on Thursday
... sorry not to provide remote connection for the workshop
McCool: np
... Elena, can you look into the spreadsheet?
Elena: will do
McCool: double check the basic requirements, check the scope, give comments, etc.
Bergman: when we look at 6-10 equivalent spreadsheets
... comments on E and G are also useful as well as the questionnaire at F
... probably other people also have similar situation if you have specific notes at G
McCool: ok
... (adds comments to G26)
Bergman: can you check the data in column F?
... please make sure the column F would not affect other lines after you copied it from line 28
McCool: ok
... (adds comments on G29)
... baseline requirements
McCool: have updated the explainer documents
TD explainer above
McCool: listed features at risk
... based on the test results
... we need 2 implementations for each feature
... TD security scheme to be included in the results soon
[[
In summary, the features currently at risk are:
The APIKey, Cert, PSK, OAuth2, PoP, and Public security schemes.
The scopes field in forms since it is only used with the OAuth2 security scheme.
Certain options for security, such as proxy fields and some specialized options for some security schemes.
]]
McCool: (explains the features at risk)
... would clarify what "runtime" is for the Architecture document
... management of private information, etc., as well
... clear separation is the direction to go
... better to have a separate container
... get rid of confusion
... please continue to work on the CTA spreadsheet
Elena: ok
[adjourned]