W3C

- DRAFT -

WoT-Security

20 Apr 2020

Agenda

Attendees

Present
Kaz_Ashimura, Michael_McCool, Clerley_Silveira, David_Ezell, Oliver_Pfaff, Tomoaki_Mizushima
Regrets
Elena_Reshetova
Chair
McCool
Scribe
kaz


<scribe> scribenick: kaz

Welcome Clerley from Conexxus

David: specifically working on apis

Clerley: tx!

McCool: we're capturing use cases now
... very useful to have you to get requirements
... we have a number of TFs
... this one is working on security/privacy guidelines
... also components for the other TF's work
... also we have another TF on discovery which is related to security

(discovery call in 1h 45m :)

McCool: we have the WoT main call on Wednesday

Clerley: trying to understand how the group is working

McCool: if you have a question, you can raise your hand by "q+" command on IRC
... but we just have 5 people or so for this security call, so feel free to jump in as well
... generally we rotate for the scribe role

Review minutes

McCool: (explains how we take minutes, etc.)
... we review the previous minutes and make decision whether to publish them or not

Apr-6 minutes

McCool: typo for "Issues and PRs"
... objections for publishing the minutes?

(none)

McCool: approved

PRs

McCool: Oliver, any updates?

Oliver: no, sorry

McCool: ok
... we'll wait for Oliver's new changes

Oliver: there was something unclear

McCool: you're now editing the target file, index.html
... OK with merging the PR

Oliver: if you can create the old PR 164, I can create a new one

McCool: ok
... please do so

Oliver: will do

<scribe> ACTION: Oliver to generate a new PR for end-to-end security

Issues

McCool: would like to look into Issues here

Issues

Oliver: please assign me if my review is needed

McCool: we want to have a section about end-to-end security within the guidelines document

Issue 144

McCool: we should open this issue 144 itself
... and then should ask some of the other participants to join the discussion, e.g., Elena

Oliver: ok

McCool: (adds comments on the issue)
... first draft has been done
... but there are some pending wording changes requested
... and it needs further review
... so we'll leave this issue open
... and I'll re-assign Oliver to do the requested edits
... then will also assign Elena to do a review

McCool's comments

Thing authentication

<McCool> https://github.com/w3c/wot-security/issues/148

McCool: new issue on thing authentication
... created an issue on architecture repo

wot-architecture issue 429

McCool: related to the lifecycle discussion

Oliver: lifecycle is one aspect
... and authentication is another
... would have clear picture for onboarding
... if we could get good response from another expert (within Siemens), could close it sooner
... need clear expectation for the mechanism

McCool: basically, in certain situations authentication expects validation
... (adds comments to issue 148)
... key is lifecycle discussion and definition of states/actors where authentication plays a role
... this is a relevant issue...

wot-architecture issue 476

McCool: what to do next?

Oliver: leave this issue open and clarify those points

McCool: (adds comments to issue 148 again)
... ok
... let's leave this issue open
... when the above issue is resolved, review it to ensure that authentication is properly addressed

McCool's updated comments

McCool: (and adds comments to Architecture issue 476 as well)

wot-architecture issue 476

McCool's comments for wot-architecture issue 476

Use cases and requirements

McCool: since we have Clerley and David here, would talk about use cases and requirements
... e.g., for the Singapore ones
... review all the use cases on the wot-architecture repo

Use case on public health monitoring

McCool: based on the discussion with Singapore govtech
... bunch of cameras in the public spaces
... face recognition is not necessary
... but would see if people have fever
... identify them but not necessarily with names

proposed use case description

McCool: what do you think?
... may be additional requirements from the retail viewpoints
... target of advertisement, etc.
... two issues here, I think
... identifying people
... and opt-in
... many requirements for security as well

Clerley: absolutely

McCool: for example, OAuth came up
... to manage access rights
... we have this issue tracker here
... David did create an issue
... for retail use case

David: wanted to point out there are 3 different topics
... how to make sure people able to hack it
... and caching security scenario
... then access to services
... all playing in retail
... do you agree?

McCool: yeah
... would like to have security/privacy consideration section for each use case
... you need to protect cached data
... proposing here is to generate that section
... that's something we should do
... (creates a new issue)
... add "security and privacy considerations" section to all the use cases
... should add that to the requirements template too

Requirements template

McCool: for example, for the retail use cases

David: let's talk about the details later (need to leave for another meeting)

new issue 168

[adjourned]

Summary of Action Items

[NEW] ACTION: Oliver to generate a new PR for end-to-end security

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2020/04/26 13:27:22 $