IG Security WebConf

From Web of Things Interest Group

The WoT Security task force is responsible for identifying and analyzing the security and privacy considerations of the WoT and providing recommendations to support appropriate security technologies and to mitigate security and privacy risks.

WebConf Information

This is a joint call of WoT Interest Group (IG) and WoT Working Group (WG).

Schedule

External Review

  • Possible Reviewers:
    • Terri Oda (Intel)
    • Valerie Fenwick (Intel)
    • Sven Schrecker (IIC)
    • Mike West and Daniel Veditz (W3C Web Application Security WG)
    • DISS participants

Key Dates

  • See new WG charter

Actions

  • Penetration testing
Future Topics

  • Lifecycle and Onboarding
  • Trust Establishment
    • Use Case Analysis
  • Look at Verifiable Claims
    • Technically VC WG is closed, but people are in DID WG now
  • Ecosystem Research
    • OCF Bootstrapping
      • Correspondence with Lifecycle, provisioning, etc.
  • Discovery
    • Privacy preservation

Agenda

Cancellations

  • None currently

Upcoming

To Do: add links to the items below, e.g. to labelled issues, minutes, etc.

  • Review editor's sync call minutes and actions
  • Review (and comment on/close) security-related issues in other repos
    • TD
    • Arch
    • Profiles
  • OAuth2 flows in TD...
    • When and where do non-client flows make sense?
      • The client flow needs a confidential client, and browsers do not qualify (mutual authentication needed?), so...
      • This relates to the example used in the TD spec for the non-client flow; i.e. we may recommend that there needs to be at *least* a client flow, while other flows can also be allowed for affordances that make sense to use directly from a browser.
    • We may have to put implicit and password back into the TD1.1 spec for TD1.0 compatibility
      • But then need to add text saying that these are deprecated and SHOULD NOT be used (and will be removed in TD 2.0)
  • Profiles Security

Next Meeting

Items to schedule in the next meeting.

  • Combo discussion: are all combinations appropriate?

To Do

27 November 2023

Scribe: Mahda

20 November 2023

Scribe: Kaz

13 November 2023

(Note: 30m meeting)

Scribe: Mahda

6 November 2023

Cancelled.

30 October 2023

Scribe: Luca

23 October 2023

Scribe: Kaz

2 October 2023

Scribe: Mahda

25 September 2023

Scribe: Kaz

  • Minutes:
  • PRs and Issues
  • TPAC Followup
    • To dos
    • Use Case and Requirements
  • Next Agenda
  • AOB

18 September 2023

Scribe: Jan

4 September 2023

Scribe: Luca

7 August 2023

Scribe: Kaz

31 July 2023

Scribe: Mahda

24 July 2023

Scribe: Kaz

26 June 2023

Cancelled - insufficient attendance

Scribe:

29 May 2023

Cancelled - insufficient attendance.

Scribe: NA

22 May 2023

Scribe: Luca

15 May 2023

Scribe: Kaz

8 May 2023

Cancelled due to conflict with AC Meeting

1 May 2023

Cancelled due to conflict with Golden Week and May Day.

24 April 2023

Cancelled due to vacations.

17 April 2023

Scribe:

10 April 2023

CANCELLED due to holiday.

3 April 2023

Scribe: Luca

20 March 2023

Scribe: Jiye

  • Minutes:
  • Security Issues
  • Next Charter Work Items
    • Onboarding (and relationship to lifecycle, TDD registration, profiles, etc.)
    • Signing
    • Other?
  • TD Assertions for Dev Meeting
  • Profile issues and PRs

13 March 2023

Scribe: Kaz

  • Minutes:
  • Logistics
  • Security PRs
  • Profile issues and PRs
    • Security for SSE, WebSockets, etc. (use of headers)
  • Charter
    • Architecture, Onboarding, etc.

6 March 2023

Scribe: Kaz

27 February 2023

Scribe: Jiye

20 February 2023

Scribe: Kaz

13 February 2023

Scribe: Jan

  • Minutes:
  • Review Issues
    • Profile
    • Architecture
    • TD
  • S&P Guidelines
    • Issues and PRs
  • Next Charter Draft
  • AOB

6 February 2023

Scribe: Jiye

  • Minutes:
  • New Member
    • SIFIS - wot-rust
  • Security Mechanism Analysis
  • Review Issues
    • Profile
    • Architecture
    • TD
  • S&P Guidelines
    • Issues and PRs
  • Next Charter Draft
  • AOB

30 January 2023

Scribe: Jan

  • Minutes:
  • Next Charter
    • Review draft
  • S&P Guidelines
    • Update still needed
  • AOB

23 January 2023

Scribe: Kaz

Pending Agenda Items (with Deadlines)

  • Review requirements from prioritized list of IoT systems/protocols
    • OCF, oneM2M, LwM2M, Z-Wave, AWS IoT/GG, etc.

Future Agenda Items

  • New Use Cases
  • Review of IETF-ACE, IIC-SF, CoAP and other security models
  • Discuss use of semantic annotations for security
  • Review existing threat models, e.g. from the IIC Security Framework
  • Review of existing security models and mechanisms in target protocols
    • Get that up somewhere for people to provide input
    • Some of the threats depend on the vulnerability of the protocols
    • Review COSE (although still in draft)
    • Use main call to synchronize this activity and gather feedback
    • Create a template so we can consolidate the information
    • Identify people or groups that can look at individual target protocols and mechanisms
  • Review issues and feedback on draft documents
    • Via GitHub issues

Resources

Past Content

Security and Privacy Questionnaires, Review Forms