Meeting minutes
Minutes
McCool: (goes through the minutes)
minutes approved and will be published
Next Charter
McCool: we'll cancel the call next week and Jan 9
wot PR 1031 - Create Security Deliverable Proposal
McCool: proposal for a normative spec for Security and Privacy
… would put onboarding
… also thinking that key management for DID, etc.
Jiye: normative document for Security and Privacy?
McCool: there is some ambiguity around onboarding
… need discussion on what would be a better security scheme
… embedded security key is not a good practice
… best practice to be clarified
Kaz: so far, we've put security/privacy portions into the other specs
… e.g., Architecture, TD, Discovery and Profile
… but do we want to change that approach?
McCool: right
… note that right now security guideline is an informative document
Kaz: the expectation for the normative security/privacy document is describing the best practices for WoT systems in general rather than the level of TDs, etc.
McCool: right
Kaz: so "WoT Best Practices" or something like that could be the name for that document
McCool: yeah
… still need discussion, though
… should include security scheme and ontology for that purpose as well
… registry for that purpose as well
… (mentions "WoT Security and Privacy Recommendations" or "WoT Security and Privacy Best Practices" as potential titles)
Jiye: we don't need to make decision today
McCool: right
… one more thing I wanted to mention
… VC, SSI, and key distribution
(merged)
Publication for S&P Guidelines
McCool: not have time to go through the Security Guideline doc...
… would aim to complete the reviews and suggested changes by Jan 23
Planning
McCool: January 23
Testing
McCool: Testfest happened last week
… as expected, the most of the remaining features at-risk were around security
… (shows the results)
TD
latest Implementation Report on GitHub
McCool: (shows the latest Implementation Report on his PC)
Kaz: how many remaining?
McCool: 18
… and 12 or so of them are around security
… regarding "282: security-mutual-auth-td", need to see if it's really correct because it says "mutually authenticated"
… the next one "283: security-server-auth-td" should be easy
Kaz: have you updated the results during the weekend?
McCool: still need to work on that
Jiye: what about OAuth2?
McCool: "td-security-oauth2-client-*" to be looked into
… "td-security-oauth2-code-flow" is already covered, though
Discovery
latest Implementation Report on GitHub
McCool: still have 44 features at-risk
… a bit weird to have this big number
… 33, 34, 35, 36 are easy, though
… 56, etc., are not security
… "137: sec-tdd-throttle-queries", etc., are around mitigation
… "142: sec-tdd-intro-if-multicast-required" might be difficult due to lack of library
… hope we can get rid of some of the features at-risk
… think client-flow features are more important than others like watchdog features
Architecture
latest Implementation Report on GitHub
McCool: "31: arch-security-consideration-communication-platform", etc., were added for binding
… to be honest, I'm OK with removing this feature because it's kind of vague
… (goes through the features at-risk)
… "46: arch-security-consideration-tls-recommended-priv" should be done
… "50: arch-security-consideration-dtls-1-3" to be changed
Kaz: what do you mean by "change" here?
… removing the feature?
<McCool> Revise (D)TLS-1-2 assertions
Kaz: so the proposed change is "TLS 1.2 MAY be used" to be changed to "at least TLS 1.2 SHOULD be used"
McCool: we need to consult with the Director before PR transition
… regarding "31: arch-security-consideration-communication-platform", it depends of which platform to be considered, ECHONET, OPC UA or what?
Charter discussion
Special Meeting on Next Charter
McCool: we'll have a special meeting on new WG Charter on Jan 16-19
… Security normative spec idea also to be discussed there
… would be great if you also could join that meeting, Jiye
jiye: overlapping with the WoT Security call?
McCool: the Security call will be cancelled on Jan 16
… we'll use a different WebEx for that meeting
jiye: OK, will try to join that meeting on Jan 16
McCool: Sebastian will be also join it
[adjourned]