Meeting minutes
Agenda
<kaz> agenda
McCool: Minutes, New Member, Security Mechanism Analysis, Review Issues, S&P guidelines, Next Chater
Minutes
(no objection on publishing minute)
Welcome Luca Barbato!
<kaz> (Luca Barbato from Luminem gives self intro))
McCool: S&G has security analaysis, it will be good to look at that if there is anything missing.
… knowing real world implication of IoT device will be interesting
<kaz> ashimura@w3.org
Kaz: join the WoT main call, you will get more information that you need
McCool: your question was what kind of security scheme you need to implement, right?
Luca: currently we don't have any security implementation
McCool: obviously step for security implementation is mutual authentication which is now at risk as lack of implementation
McCool: as default, TLS is not doing mutual authentication with browser
… OAuth2.0 client side implementation is recommended
McCool: in LAN if you don't want to reveal your device to Internet, CA verfication is a problem. in that case you can use PSK but how to setup the PSK is not defined. Need to do manually.
Luca: I wanted to try or get around mDNS, you need to trust mDNS and need to sign, chicken and egg problem
Jiye: if it's to have some security for the implementation, then TLS + basic authentication is recommended
Luca: having not too high barrier for security implementation will be good
Jiye: I would say really minimum security implemenation is TLS + PSK
… it's easy to have, and no problem in LAN
(discussion about implementation on ESP series experience)
Kaz: this is very important discussion. Suggest to document this discussion, could be extended version of best practice document or use case document, but maybe we at least can start with some MD file to record this kind of feedback on paint points.
<kaz> Use Cases and Requirements
<kaz> Security Best Practices
McCool: these documents are quite out dated. Filing issues is the best to do now.
… would say start with TLS first as Jiye said. and we see
… not sure what protocol you are using
Luca: HTTP, and some implementation with web sockets. MQTT we tried and discarded
McCool: Speaking of Single point failture, for CA could also happens
… if it's for home, you can make some assumptions for DNS
McCool: We can start collecting some issues, and will be good to point these issues in the future calls.
Security Mechanism Analysis
Ege: Jiye and me are supervising a person doing a security analysis of security mechanisms supported in TD 1.1.
… question is we have it in PDF right now, and ideally I want to bring it to working group somehow. Where should be, how should be bring in?
Ege: We wrote what we need and stopped there in TD document, it's about how to use it
McCool: If the document is shared, will have a look and we can discuss
Kaz: we don't care about the document format itself. The question is rather what level of analysis is done.
Ege: more than 10 pages.
Kaz: it will be good to know some background and structure of the document, etc.
Charter Draft
<kaz> wot-charter-drafts repo
Kaz: as discussed during the main call last week, I've generated a dedicated repo for the new Charter, and copied all the existing PRs to that repo as above
… we should confirm that during the main call
Architecture Issue on DTLS
wot-architecture PR 886 - Revise (D)TLS-1-2 assertions
McCool: PLH is OK with merging this
… would merge this during the next Architecture call
McCool: so if you have objection, comment it
Profile Issues
<McCool> https://
McCool: there are security issues, so feel free to have a look and work on it
<McCool> w3c/
<kaz> [adjourned]