W3C

– DRAFT –
WoT Security

22 August 2022

Attendees

Present
Jiye_Park, Kaz_Ashimura, Michael_McCool, Philipp_Blum, Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
citrullin

Meeting minutes

Minutes

McCool: Can we use Zoom instead of WebEx?

McCool: I would like to use Zoom for next week. Kaz, can you look into it?

Kaz: I can provide a Zoom call if needed. However, Siemens and some other participants had some issues with Zoom, that's why we use WebEx for now.

McCool: Let's just discuss it in the main call.

Minutes

McCool: Any objections to the minutes? No objections.

policy-like security and privacy assertions

WIP: Adjust policy-like security and privacy assertions

Kaz: There are several options here. We have to clarify what assertion has to be covered and what not.

McCool: There are things you can test well and there are things like this that are not testable.

Some discussion between kaz and mm about how to handle the assertions marked by the RFC2119 keywords within the WoT Architecture spec, and how to organize the testing/not-testing/manual-assertions.

<kaz> WoT Architecture - Section 10.2.2 Physical Device Direct Access Risk as an example which includes RFC 2119 keywords

McCool: I don't want to do major restructuring here. So, my conclusions are that these are manually testable. So we could keep them.

mm changes description of #824

McCool: The security credential storage part isn't well defined. "Securely stored" can be interpreted in different ways. There is also a non-capitalized assumption.

McCool: 10.3.2 needs some work.

McCool: Except for those points, the other things should be verifiable.

McCool: We probably have to mark it at risk anyway.

McCool: If we have a private network with more than 2 devices, it's not limited. mTLS would be great in those situations. Pre-shared keys also work.

McCool: 10.4 should not be a problem to test.

McCool: I am wondering if we have overlaps in the assumptions.

mm changes the description of #824

McCool: We may have to remove 11.1.1, because it is, more or less, duplicated.

McCool: If we use a WoT directory to hold the TDs. WoT TD has features like access control etc. in order to stop unauthorized access.

McCool: Discovery is designed to cover these topics.

McCool: I am fine with leaving it in though and it is testable.

McCool: 11.2 overlaps a little with the previous assertions. It's testable.

McCool: 11.2 may conflict with some assertions in the TD. Some assertions may be softer in the TD.

McCool: I am going to double check, if this is the case.

<kaz> [adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 192 (Tue Jun 28 16:55:30 2022 UTC).