Meeting minutes
Minutes
approved
McCool: (goes through the minutes)
approved
Wide reviews
McCool: we created issues above for our previous version specs
<McCool> self-review assessment
McCool: seems question 2.1 and 2.2 have been added
… 2.8 also
dated version (16 December 2021)
Kaz: probably we should use the dated version questionnaire as the basis
McCool: yeah
… we need to go through the latest questions
… could reuse some of the previous answers, though
… need to work on the questions and answers offline
… would like to generate a dedicated MD to manage the content
… (copies the content of the MD under the wot-thing-description repository)
… (and creates a PR for that)
McCool: (adds checklists for the next steps to the PR too)
… last time I did the questionnaire, so this time somebody else should also go through the questions
… Jiye, could you go through them?
Jiye: yes
McCool: also possibly Philipp
<McCool> https://
McCool: (adds Jiye and Philipp to the Assignees of the PR)
Discovery PR 264
wot-discovery PR 264 - Update Security and Privacy Considerations
McCool: added new Security section separately
… both the security issues and privacy issues point to the Security and Privacy Note
Jiye: good to have those sections separately
… but wondering if "7.2 Limited Duration Accesses" really should belong to this WoT Discovery spec
… it's rather a generic issue depending on use cases
McCool: yeah
… (adds comments about that)
… "limited duration access" may not belong here
… move it to the TD spec's security considerations section
… also probably need a generic security consideration around mitigating all OWASP top 10 security issues in Directory implementations
… we've not yet considered replay attacks (but already included in the OWASP top 10?)
McCool: those are largest percent of the security issues
… seems "replay" is not included there
… maybe we could add another one
… if you think any other issues are important, we should certainly add them
… (adds some more comments)
… if there is a longer list of security concerns, we can add it as well
… but my thought is that mitigating the OWASP Top 10 should be a minimal requirement
updated comment for wot-discovery issue 254 - Review Security and Privacy Considerations
TD PR 1360
wot-thing-description PR 1360 - Update Security and Privacy Considerations
Jiye: mutual authentication doesn't help mitigate MITM attack
McCool: should consider bootstrapping secure connection
… need to read the text again
Jiye: if needed, please let me know so that we can have some more dedicated discussion offline
McCool: ok
[adjourned]