W3C

– DRAFT –
WoT Security

13 December 2021

Attendees

Present
Jiye_Park, Kaz_Ashimura, Michael_McCool, Philipp_Blum, Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
jiye, kaz

Meeting minutes

minutes review

<McCool> https://www.w3.org/2021/12/06-wot-sec-minutes.html

McCool: reviewing the minutes from last week's call

<kaz> minutes approved

Discuss TD/OAuth2 resolution

McCool: TD/OAuth2 problems got solved from the last TD call

Local transport

McCool: today's topic is Local transport and secure onboarding #28

wot-security-best-practices PR 28 - Local transport and secure onboarding

merged

McCool: (creates related issues)

Issue 30 - Separate local and offline sections; they have distinct needs

Issue 31 - (D)TLS1.3

Issue 3

Issue 3 - Add a best practice description on logging security events

McCool: (takes notes on the issue 3)
… (lists several possible best practices to be recommended)

McCool's comments

McCool: any volunteer to work on the logging section?

Issue 31 (revisited)

<McCool> https://github.com/w3c/wot-security-best-practices/issues/31

McCool: DTLS 1.3 is still a draft; we would recommend using it when it's ready

https://github.com/w3c/wot-security-best-practices/issues/29

Scripting Issues

McCool: (adds labels to Scripting API issues, e.g., "security-tracker" and "discovery")

wot-scripting-api Issue 315 - Security TaskForce related issues

wot-scripting-api Issue 314 - Discovery TaskForce related issues

wot-scripting-api Issue 299 - Chose a particular security schema for an ExposedThing

<McCool> Issues marked as "security-tracker"

Issue 5

wot-security-best-practices Issue 5 - Recommended OAuth2 flows

McCool: (adds a comment to refer to the wot-scripting-api Issue 214)

wot-scripting-api Issue 214 - Requirements from oAuth 2.0 code flow

Old PRs and Issues

McCool: today, we have a look at the old security issues and close them if possible

PR 150

<kaz> wot-security PR 150 - an initial attempt on security provisioning section

<kaz> merged

Issue 147

<kaz> wot-security Issue 147 - Discuss IETF Anima

<kaz> (changed the title to "Discuss IETF Anima")

Issue 123

<McCool> wot-security Issue 123 - Terminology inconsistency - Proxy and Gateway are used interchangeably.

Use Cases-related Issues

McCool: (checks wot-usecases repo and adds "security-privacy" label to security-related issues)
… maybe we should go through all the issues marked as "publication-2.0" as well

McCool: going through the issues and labeling only the explicitly security-related ones

<kaz> wot-usecases Issues marked as "publication-2.0"

<McCool> wot-usecases Issues marked as "security-privacy"

<kaz> 3.7 Security section of the WoT Use Cases and Requirements ED

McCool: missing security consideration parts in usecase document

McCool: (goes through use cases, e.g., ECHONET, Automotive, Transportation, Smart City, Building Technologies, ...)

McCool: at some point we need to work on this document

Meeting schedule

<kaz> Cancellations section of the WoT Main wiki

McCool: next meeting will be held on Jan 10

[adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 185 (Thu Dec 2 18:51:55 2021 UTC).