IG Security WebConf

The WoT Security task force is responsible for identifying and analyzing the security and privacy considerations of the WoT and providing recommendations to support appropriate security technologies and to mitigate security and privacy risks.

WebConf Information

• Quick start guide for W3C teleconferences
• Table of all the WoT calls on our Web page
• W3C WG Calendar - Please use this for schedule and call-in logistics.
• Main WoT WebConf
• Scripting APIs | Security | Discovery | Marketing | Use Cases | PlugFest/Testing | TD | Architecture | Profile

This is a joint call of WoT Interest Group (IG) and WoT Working Group (WG).

Schedule

External Review

• Possible Reviewers:
  • Terri Oda (Intel)
  • Valerie Fenwick (Intel)
  • Sven Schrecker (IIC)
  • Mike West and Daniel Veditz (W3C Web Application Security WG)
  • DISS participants

Key Dates

• See new WG charter

Actions

• Penetration testing

Future Topics

• Lifecycle and Onboarding
• Trust Establishment
  • Use Case Analysis
• Look at Verifiable Claims
  • Technically VC WG is closed, but people are in DID WG now
• Ecosystem Research
  • OCF Bootstrapping
    • Correspondence with Lifecycle, provisioning, etc.
• Discovery
  • Privacy preservation

Agenda

Cancellations

• None currently

Upcoming

To Do: add links to the items below, e.g. to labelled issues, minutes, etc.

• Review editor's sync call minutes and actions
• Review (and comment on/close) security-related issues in other repos
  • TD
  • Arch
  • Profiles
• OAuth2 flows in TD...
  • When and where do non-client flows make sense?
    • The client flow needs a confidential client, and browsers do not qualify (need mutual auth?) so...
    • relates to the example used in the TD spec for non-client flow, i.e. maybe we recommend that there needs to be at *least* a client flow but other flows can be allowed as well for affordances that make sense to use directly from a browser.
  • We may have to put implicit and password back into the TD1.1 spec for TD1.0 compatibility
    • But then need to add text saying that these are deprecated and SHOULD NOT be used (and will be removed in TD 2.0)
• Profiles Security
  • https://github.com/w3c/wot-profile/issues/6
  • https://github.com/w3c/wot-profile/pull/87
  • Also discuss S & P considerations for Profiles

Next Meeting

Items to schedule in the next meeting.

• combo discussion; are all combinations appropriate?

To Do

• Testing plan, incl security: https://github.com/w3c/wot-testing/pull/210
• auto in "in" for TD: https://github.com/w3c/wot-thing-description/issues/1394#issuecomment-1046876055
• TD security/privacy/iana consolidation: https://github.com/w3c/wot-thing-description/pull/1402
• security questionnaire (-> arch?): https://github.com/w3c/wot-thing-description/pull/1382
• arch lifecycle PR: https://github.com/w3c/wot-architecture/pull/704
• wide review:
  • https://github.com/w3c/wot-thing-description/issues/1490 - 9 May Agenda
• uuids
  • Profiles has made a resolution to require uuidv4 for ids
  • This is instead of saying "globally unique ids": https://github.com/w3c/wot-profile/issues/139
  • But uuidv4 may or may be the best option; UUID sure, but which version? Any? V4 specifically? Something other than v4? Allow hashing of some other metadata to provide stability?
    • Anything earlier than v4 should probably not be used; v3 provides hashing but using MD5 which is vulnerable
    • We *might* want to allow v5, which supports SHA-1 hashing, but this might *become* vulnerable in the future
    • v4 is completely random which is safe, but for "stability" a TD generator needs to generate it and remember it
  • Requiring UUIDs generally also avoid certain other non-security/privacy issues, i.e. directory id collisions
  • DIDs are another option but not mature; note this is for *profiles*, which are prescriptive in nature
• Issues to revisit
  • everything a server is problematic

22 April 2024

Scribe: Kaz

• Minutes:
  • 15 April 2024
• Logistics
  • Security TF: suspension; new TF lead?
• Security Categories
  • https://github.com/w3c/wot-usecases/pull/255
  • Any updates?
• Issues and PRs
  • New feedback on threat model: https://github.com/w3c/wot-security/issues/235
• AOB

15 April 2024

Scribe: Kaz

• Minutes:
  • 18 March 2024
  • Note: No minutes for 25 March 2024
• Security Categories
  • https://github.com/w3c/wot-usecases/pull/255
  • Retail, health categories updated
• Logistics
• Issues and PRs
• AOB

25 March 2024

cancelled - low turnout

Scribe:

• Minutes:
  • 18 March 2024
• Security Categories
  • https://github.com/w3c/wot-usecases/pull/255
• Issues and PRs
• AOB

18 March 2024

Scribe: Kaz

• Minutes:
  • 11 March 2024
• Security Categories
  • WIP - updating categories in table
  • https://github.com/w3c/wot-usecases/pull/255
• AOB

11 March 2024

Scribe: Kaz

• Minutes:
  • 26 February 2024
• Logistics
  • Cancellations and Schedule
• Use Cases and Requirements
  • Risks in Security and Privacy Guidelines
  • Draft requirements
  • Update/complete table
  • Cross-link work items to (tentative) requirements
• Issues
  • Security
  • Thing Description
    • Security
    • Privacy
  • Discovery
  • Architecture
  • Profiles
  • Scripting API
  • Use Cases and Requirements
• AOB

4 March 2024

cancelled

26 February 2024

Scribe: Kaz

• Minutes:
  • 15 January 2024
• Logistics
  • Cancellations and Schedule
• Use Cases and Requirements
• Issues
  • Security
  • Thing Description
    • Security
    • Privacy
  • Discovery
  • Architecture
  • Profiles
  • Scripting API
  • Use Cases and Requirements
• AOB

19 February 2024

(Cancelled due to poor attendance - topics deferred to next week)

15 January 2024

Scribe: Mahda

• Minutes:
  • 11 December 2023
• Logistics
  • Cancellations and Schedule
  • next meeting is Feb 19
• Requirements and Use Cases
  • Work on category/requirements table
• Issues
  • Thing Description
    • Security
    • Privacy
  • Discovery
  • Architecture
  • Profiles
  • Scripting API
  • Use Cases and Requirements
• AOB

Pending Agenda Items (with Deadlines)

• Review requirements from prioritized list of IoT systems/protocols
  • OCF, oneM2M, LwM2M, ZWave, AWS IoT/GG, etc

Future Agenda Items

• New Use Cases
• Review of IETF-ACE, IIC-SF, CoAP and other security models
• Discuss use of semantic annotations for security
• Review existing threat models eg from IIC Security Framework
• Review of existing security models and mechanisms in target protocols
  • • Get that up somewhere for people to provide input
    • Some of the threats depend on the vulnerability of the protocols
  • Review COSE (although still in draft)
  • Use main call to synchronize this activity and gather feedback
  • Create a template so we can consolidate the information
  • Identify people or groups that can look at individual target protocols and mechanisms
• Review issues and feedback on draft documents
  • Via github issues

Resources

• IEEE Security and Privacy Symposium, May 2018
  • Call for Workshops
• List of Security Conferences in 2018

Past Content

• /2023
• /2022
• /2021
• /2020
• /2019
• /2018

Security and Privacy Questionnaires, Review Forms

• Review form for the WoT Threat Model
• Questionnaire on Privacy