W3C

- DRAFT -

WoT Security

11 Nov 2019

Attendees

Present: Oliver_Pfaff, Michael_McCool, Taki_Kamiya
Regrets: Kaz_Ashimura
Chair: Michael McCool
Scribe: Taki Kamiya

<scribe> ScribeNick: taki

Privacy discussion

McCool: I want to mention something about the issues.
... privacy. I want to expand privacy discussions.

<McCool> https://github.com/w3c/wot/blob/master/proposals/privacy.md

McCool: targeted assertions targeting privacy.
... I listed possible assertions.
... We made "id" non-unique and optional.
... there are also best practices in the document.
... privacy in discovery search.
... privacy of requester for discovery search.
... please take a look at it.

Issue #148

<McCool> https://github.com/w3c/wot-security/issues/148

McCool: server authentication. we used to call it this way.
... we changed "client" to consumer.
... server, or producer, we have not formally defined.
... Thing generally matches server.
... In pub-sub, the role is slightly different.
... we need to expand on this.
... How specific we are. We are not looking for a new scheme. We can refer to existing documents.

Oliver: Let me think about consumer perspective.
... authentication is important.
... server authentication is a common concern.
... It relates to WoT.
... actual/expected value is one.
... We need people to be aware of server authentication.

McCool: we need to summarize how server authentication generally happens.
... and how it is related to WoT.
... In IoT, which is the server is not very clear, for example.

McCool is summarizing discussion in GitHub #148 comment...

McCool: In the case of HTTP server, we should follow existing practices.

Oliver: If things are familiar, we do not want to screw things up.

McCool: next step is to make a PR.
... first step is to make a PR.
... to summarize existing web server authentication mechanism.

McCool assigned issue #148 to Oliver for now...

Oliver: I will try to make something meaningful. I also will get in touch with Sebastian.

Issue #147

McCool: We focused on HTTP. There is also CoAP.
... We need to address ACE.
... we have a long list of references. We did not use all of them necessarily.

Oliver: ACE delivers part of what is needed.
... In implementation, people realize something is missing.
... We need people to understand this.
... domain-specific on-boarding, for example.

McCool: we can refer to references, but they are not complete.
... Things are still in flight.
... we can refer to Anima reference.
... when we introduce ACE, we can introduce Anima.

Oliver: Anima can complement ACE.
... Anima includes on-boarding.

McCool: We have a life cycle discussion. ACE takes place in operation phase.
... We can discuss Anima in on-boarding section.

Oliver: good approach.
... on-boarding needs security, and Anima is one that can help.

McCool: We limited our scope to operation phase.
... We received lots of criticism from people about this.
... Why we do not cover on-boarding, for example.

Oliver: I did not realize it was out of scope.

McCool: We have a life cycle section. There we say about scope.
... Life cycle diagram can move to architecture document.
... we can refer to architecture doc.
... there is also decommissioning.

Oliver: on-boarding, off-boarding phase takes about half of time in implementation projects I was involved in.

Issue #146

<McCool> https://github.com/w3c/wot-security/issues/146

Oliver: This is a minor issue.

McCool: Are you willing to make a PR?

Oliver: That is a good start for me. I will learn about how to make a PR.

McCool: About the list of references, you can take a look at it and comment.
... references, lots of them are local. We should use ReSpec references.
... localBiblio is strongly discouraged.

<McCool> right now we use a lot of this: https://github.com/w3c/respec/wiki/localBiblio

<McCool> we should be doing this: https://www.specref.org/

McCool: we should use specref database.
... we should replace localBiblio.

Issue #145

<McCool> https://github.com/w3c/wot-security/issues/145

McCool: best practices can reduce testing.
... testing framework is about how we do tests.
... W3C does not do conformance.
... first, people should follow best practices before doing security test.
... we did not have time to do MQTT and CoAP.
... there are few tools for CoAP penetration test when we look at it.
... We should create a section and say we will work on that.

Oliver: Yes, we cannot do everything at once.
... we can apply technique of client-server, but there is also pub-sub.
... I understand there is tool perspective.
... OPC-UA is both client-server and pub-sub.
... It used to be only client-server.
... There is TLS, and also their own. Two security mechanisms.
... For end-to-end application security.

McCool: we can mention dimensions.
... In the case of OPC-UA, we can limit our scope to systems that follow OPC-UA.
... Some companies want to focus on HTTP, but do not like protocols such as OPC-UA.
... There is a scope problem.
... Abstraction system can cover different aspects.
... We can mostly be focused on REST/HTTP.
... We should outline the scope we want to cover.
... e.g. which protocols we care about.
... WoT can cover diverse protocols.
... But we want to limit the scope.
... We need to explicitly decide.
... Then we look at patterns of object security, token mechanism, access control, etc.
... OPC-UA has best practice, and we can refer to it.

McCool is summarizing the discussion in GitHub comment...

McCool: we should also explicitly define bad practices.
... basic authentication with no encryption, etc.
... architecture doc has definition of security/privacy.
... I am not happy with ISO definition of privacy.
... It is a bit circular.
... We should expand definition of privacy. It needs to address trust, for example.

Oliver: ok.

McCool: end-to-end security definition is also an issue.
... I can make the next three weeks meeting, but cannot guarantee I can fully.
... I will capture the minutes and send it to Kaz.

[adjourned]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2019/11/18 17:54:21 $