<scribe> ScribeNick: taki
McCool: I want to mention something
about the issues.
... privacy. I want to expand privacy discussions.
<McCool> https://github.com/w3c/wot/blob/master/proposals/privacy.md
McCool: targeted assertions targeting
privacy.
... I listed possible assertions.
... We made "id" non-unique and optional.
... there are also best practices in the document.
... privacy in discovery search.
... privacy of requester for discovery search.
... please take a look at it.
<McCool> https://github.com/w3c/wot-security/issues/148
McCool: server authentication. We
used to call it this way.
... we changed "client" to "consumer".
... server, or producer, we have not formally defined.
... Thing generally matches server.
... In pub-sub, the role is slightly different.
... we need to expand on this.
... How specific we are. We are not looking for a new scheme. We
can refer to existing documents.
Oliver: Let me think about consumer
perspective.
... authentication is important.
... server authentication is a common concern.
... It relates to WoT.
... actual/expected value is one.
... We need people to be aware of server authentication.
McCool: we need to summarize how
server authentication generally happens.
... and how it is related to WoT.
... In IoT, which one is the server is not very clear, for example.
McCool is summarizing discussion in GitHub #148 comment...
McCool: In the case of HTTP server, we should follow existing practices.
Oliver: If things are familiar, we do not want to screw things up.
McCool: next step is to make a
PR.
... first step is to make a PR.
... to summarize existing web server authentication mechanisms.
McCool assigned issue #148 to Oliver for now...
Oliver: I will try to make something meaningful. I also will get in touch with Sebastian.
Issue: #147
McCool: We focused on HTTP. There is
also CoAP.
... We need to address ACE.
... we have a long list of references. We did not use all of them
necessarily.
Oliver: ACE delivers part of what is
needed.
... In implementation, people realize something is missing.
... We need people to understand this.
... domain-specific on-boarding, for example.
McCool: we can refer to references,
but they are not complete.
... Things are still in flight.
... we can refer to the Anima reference.
... when we introduce ACE, we can introduce Anima.
Oliver: Anima can complement
ACE.
... Anima includes on-boarding.
McCool: We have a life cycle
discussion. ACE takes place in operation phase.
... We can discuss Anima in on-boarding section.
Oliver: good approach.
... on-boarding needs security, and Anima is one that can help.
McCool: We limited our scope to
operation phase.
... We received lots of criticism from people about this.
... Why we do not cover on-boarding, for example.
Oliver: I did not realize it was out of scope.
McCool: We have a life cycle section.
There we talk about scope.
... Life cycle diagram can move to architecture document.
... we can refer to architecture doc.
... there is also decommissioning.
Oliver: on-boarding and off-boarding phases take about half of the time in implementation projects I was involved in.
<McCool> https://github.com/w3c/wot-security/issues/146
Oliver: This is a minor issue.
McCool: Are you willing to make a PR?
Oliver: That is a good start for me. I will learn about how to make a PR.
McCool: About the list of references,
you can take a look at it and comment.
... references, lots of them are local. We should use ReSpec
references.
... localBiblio is strongly discouraged.
<McCool> right now we use a lot of this: https://github.com/w3c/respec/wiki/localBiblio
<McCool> we should be doing this: https://www.specref.org/
McCool: we should use specref
database.
... we should replace localBiblio.
<McCool> https://github.com/w3c/wot-security/issues/145
McCool: best practices can reduce
testing.
... testing framework is about how we do tests.
... W3C does not do conformance.
... first, people should follow best practices before doing
security test.
... we did not have time to do MQTT and CoAP.
... there are few tools for CoAP penetration testing when we look at
it.
... We should create a section and say we will work on that.
Oliver: Yes, we cannot do everything
at once.
... we can apply the technique of client-server, but there is also
pub-sub.
... I understand there is a tool perspective.
... OPC-UA is both client-server and pub-sub.
... It used to be only client-server.
... There is TLS, and also their own: two security
mechanisms.
... For end-to-end application security.
McCool: we can mention
dimensions.
... In the case of OPC-UA, we can limit our scope to systems that
follow OPC-UA.
... Some companies want to focus on HTTP, but do not like protocols
such as OPC-UA.
... There is a scope problem.
... An abstraction system can cover different aspects.
... We can mostly be focused on REST/HTTP.
... We should outline the scope we want to cover.
... e.g. which protocols we care about.
... WoT can cover diverse protocols.
... But we want to limit the scope.
... We need to explicitly decide.
... Then we look at patterns of object security, token mechanism,
access control, etc.
... OPC-UA has best practices, and we can refer to them.
McCool is summarizing the discussion in GitHub comment...
McCool: we should also explicitly
define bad practices.
... basic authentication with no encryption, etc.
... the architecture doc has a definition of security/privacy.
... I am not happy with the ISO definition of privacy.
... It is a bit circular.
... We should expand the definition of privacy. It needs to address
trust, for example.
Oliver: ok.
McCool: end-to-end security
definition is also an issue.
... I can make the next three weeks' meetings, but cannot guarantee I
can fully.
... I will capture the minutes and send it to Kaz.
[adjourned]