Meeting minutes
Minutes Review
<kaz> Aug-1
McCool: There is a formatting issue regarding long lines, could you fix this, kaz?
Kaz: Will insert newlines
McCool: Any objections to approving the minutes?
No objections, minutes are approved
Issues
Discovery Issue #254
<kaz> wot-discovery issue 254 - Review Security and Privacy Considerations
McCool: I think we have finished reviewing things here
… any objections to closing?
No objections to closing, issue is closed
TAG Review
<kaz> TAG design-reviews issue 733 - Web of Things (WoT) Discovery
<kaz> TAG design-reviews issue 715 - Web of Things (WoT) Thing Description 1.1: TAG and Security Review
<kaz> TAG design-reviews issue 736 - Web of Things (WoT) Architecture 1.1
McCool: I answered the TAG review in a comment
… we took care of discovery and TD
… we now need to take care of Architecture
… Michael Lagally created a number of issues, which also overlap with security
… his issues span the entire document, however, while our interest focuses on security and privacy
… we will therefore create additional issues that solely focus on security and privacy
… (adds issue addressing policy-like security and privacy assertions)
McCool: In section 10.1.1 there is some redundancy in the assertions, one of which could be removed
… regarding testing, these are more like requirements than policies
… any objections to removing the redundant assertions?
There are none
McCool: The one that is removed is the last assertion from the paragraph, as it does not mention extensions
McCool: (adds more notes to the issue)
… what I am worried about are untestable assertions. Is it okay to leave requirements as assertions, Kaz?
Kaz: I think so. We could also describe them in a note, not containing MUST assertions
McCool: I think we should decide whether to keep this kind of assertions
… question if assertion is testable at the time of implementing a Thing
… let's keep track of them for now and see if we need to adjust them later on
<kaz> Web Content Accessibility Guidelines (WCAG) 2.1
Kaz: Another point: documents like the a11y guidelines could also be referred to
… the easiest way might be to cite the Thing Description implementation report for these assertions
McCool: Regarding testing, I think the first three assertions in this section are verifiable
… the first one could be changed from a SHOULD to a MUST, though
… binding templates assertions in section 10.1.2 are a bit strange, as they are referring to informative documents in normative statements
… this is a general problem
… these should be verifiable and covered by tests
<kaz> WoT Architecture 1.1 - 10. Security Considerations
<kaz> WoT Architecture 1.1 Implementation Report
McCool: assertions in section 10.2.1 are difficult as they formulate requirements for WoT runtimes not specific to the Scripting API
… an issue with this assertion is that Node.js does not run in a sandbox, so this requirement is not satisfied yet
… you could run everything inside a sandbox, so nothing could get out
… easiest solution would be to turn the assertions into informative statements regarding policy
… there are several of this kind of statements
McCool: I could deploy the runtime inside a Docker container to satisfy the assertion. So it is rather a deployment issue. An implementation in WASM could be done to achieve sandboxing, but not isolation
McCool: There are more assertions which I would review offline so that we can discuss them next week
… we need at least one more meeting to get through this
… I will update the issue with additional points as I review the assertions
Jiye: Next week will be a holiday in (some parts of) Germany
McCool: We will cancel our next meeting then
… next one will be on August 22
[adjourned]