Meeting minutes
Previous Minutes
<kaz> Mar-7
McCool: (goes over the last meeting's minutes)
https://
McCool: We should discuss fixups of the security schemes and the possible addition of an AutoSecurityScheme
… any objections to the previous minutes?
There are no objections to the minutes of the last meeting
McCool: There is also a spelling problem in the minutes of the meeting on Feb 28
Kaz: I have just fixed the spelling issue
PRs
TD PR 1421
<kaz> wot-thing-description PR 1421 - feat: Add AutoSecurityScheme
The PR contains a possible new AutoSecurityScheme that can be used to indicate that there is some security but it is negotiated between a Consumer and a Thing
McCool: Should be structured the same as NoSecurity
… the PR should be ready by Wednesday so that it can go into the CR
Security Considerations
Discovery PR #287
<kaz> wot-discovery PR 287 - Cleanup of Security Considerations
McCool: (Presents the changes contained in the PR)
McCool: There is a comment raised by Philipp in the PR that is not very specific. I will ask him to clarify.
Discovery PR #286
<kaz> wot-discovery PR 286 - Add Amplification DDOS Security Consideration and Mitigations
McCool: I made some clarifications regarding DoS and DDoS attacks
… addresses a couple of amplification attacks possible with CoAP, which were a topic at the T2TRG meeting
… a number of possible mitigations are also added
… we will discuss making them assertions in the Discovery call
… this PR can have a little more time; I want to merge #287 as quickly as possible since it simply addresses issues we have already discussed
McCool: (adds another comment with the next steps to PR #287)
TD PR #1428
<kaz> wot-thing-description PR 1428 - Cleanup Security, Privacy, and IANA Considerations
McCool: There is a lot in this PR
… Security Considerations are now turned into assertions; a number of assertions from Discovery are also included
… tried to make assertions consistent with IANA, for example with regard to caching
… and also to context fetching in constrained environments
… we should probably wait until Jiye
McCool: There are also buffer overflow related JSON-LD security considerations that are addressed
McCool: The TM part could probably be moved into a separate PR
McCool: (Requests reviews from Jiye and Jan)
Security Testing Plan
<kaz> WoT Security Testing Plan
McCool: The Security Testing Plan was recently merged into the wot-testing repository
McCool: (Goes over the current version of the Testing Plan document)
… not too bad, but we need to add a few things
… we could open an issue in testing
McCool: (opens the issue regarding the possible updates to the document/a migration to an external document, addressing the 2022 deliverables)
https://
McCool: This document was not actually published, we could mention the deliverables and do so
Kaz: It can be published as a Group Note
McCool: (Creates an issue with the steps required for publishing)
… it would be an IG Note
… we should discuss it in the main call
AOB?
wot-scripting-api Issue 390 - Passing Credentials to Discovery Methods
McCool: There is a general issue regarding the storing of credentials, we might need some assertions on how to deal with this
… Scripting API is not normative, so this should be included in the Architecture
… in general, secrets should be stored in vaults
… scripts should never have access
… we need to review the security considerations in architecture
Jan: Maybe Credential Management API could be reused
McCool: Could be possible, but we need to review it carefully
<kaz> [adjourned]