W3C

– DRAFT –
WoT Security

02 May 2022

Attendees

Present
Jan_Romann, Kaz_Ashimura, Michael_McCool, Philipp_Blum, Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
citrullin

Meeting minutes

review minutes

<kaz> Apr-25

McCool: Any objections to publishing the minutes? No objections.

S&P Considerations

Make Security and Privacy Considerations Normative

<McCool> https://github.com/w3c/wot-architecture/pull/734/files - line 3984 - moved assertions to mitigations

<McCool> https://github.com/w3c/wot-architecture/pull/734/files#diff-0eb547304658805aad788d320f10bf1f292797b5e6d745a3bf617584da017051R3984

McCool: Just for information. It already got merged.

McCool: We had a duplication in public metadata. I moved one of them out.

McCool: It didn't have a mention of discovery. I added it.

McCool: There was a consideration about PII I added an assertion to.

McCool: Philipp, can you have a look over it, until Thursday?

pb: Will do.

Profiles

McCool: There are some troubling things in the new draft.

McCool: There are 14 open PRs. So, there will probably be a lot of changes.

McCool: There are some things in Profiles that we didn't reach consensus on in the TD spec. Some have implications for security, especially privacy.

McCool: In the end we took out globally unique IDs.

McCool: I am not worrying about it for the moment, until we have a draft though.

Additional security schemes

PR 1474 - allow definition of additional security schemes

Jan: While dealing with json schema, I noticed there are some issues in the document itself.

Jan: Scheme is optional in 1.1, but mandatory in 1.0. The type changed from string to any type.

McCool: any type was there, because we also had to allow URIs beside strings.

Some discussion between jre and mm.

McCool: Okay, I think we make it mandatory.

Jan: The changed example is just a realignment with the current document.

McCool: Unfortunately, the renderer doesn't wrap lines.

McCool: I guess we will see what happens when we discuss this in the call. This shouldn't break anything if we leave it out, right?

Jan: Actually, in example 49, this isn't a valid thing description.

McCool: Right, your chain would allow it, right?

Jan: yes.

McCool: We don't have a way to validate extensions.

McCool: It's a bigger topic. We had a discussion 2 years ago about this.

McCool: We will go in the TD call and discuss it there.

References for best practices

Issue 206 - Add References

McCool: The NCSC reference doesn't look like a specification document. I am a little bit concerned.

Jan: There is a version number on the side though.

mm adds a comment to the issue.

McCool: The documents are focused on the web, not IoT. There are NIST security guidelines for IoT.

pb: That would be something I am also more concerned about.

Jan: Wouldn't it be better to reference international organizations, instead of national ones?

McCool: Yes, if possible.

mm adds a comment.

<JKRhb> https://www.iso.org/standard/44373.html

https://github.com/w3c/wot-security/issues/206#issuecomment-1114812282

Minutes manually created (not a transcript), formatted by scribe.perl version 185 (Thu Dec 2 18:51:55 2021 UTC).