IG Security WebConf

From Web of Things Interest Group

WebConf Information

Mondays at 8am US Eastern / 2pm Europe / 9pm Japan

WebEx

IRC

IRC is used for the minutes, the speaker queue, and sharing links.

Schedule

  • Next release of "WoT Security and Privacy Considerations"
    • Soon after Bundang Plugfest (mid-July)
  • External review:
    • September-October 2018 (first external review)
    • if 3 months, can be as far out as December 2018 - January 2019 (second external review)
  • Finalization:
    • November 2018 (should at least be a good first draft)
    • if 3-month extension, moves out to February 2019; do "second round"

Actions

  • McCool to talk with IIC Security TF and W3C Web Security IG about testing/validation timeline
  • McCool to look into URI templates (RFC6570) for issue 98
  • McCool to write PR on TD spec for security definition
  • (Someone) to suggest DTLS testing plan applicable for CoAP/MQTT
  • Everyone to generate a set of best practices
  • McCool to update plugfest planning docs to include security scheme configurations to test from best practices
  • Decide whether to make Kaz an editor
  • Actions covered by PR207: TD Normative Security Statements
    • Normative SHOULD statement for confidentiality of TD distribution in the Thing Description document.
    • Issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
    • Clarify the immutability of the "id" property in Thing Description
    • Consent policy
  • Actions covered by (new PR here): Scripting API Normative Security Statements
    • Elena to create an issue (in Scripting API repo) and McCool to create PR for Scripting API Security Considerations section to include normative statements on security credential isolation

Agenda

Oct 29, 2018

  • Review of minutes from last meeting
  • Status of W3C Note publication
  • W3C Permissions workshop
    • Review of feedback
  • Action item review
  • Issue and PR review
  • Other issues

Oct 22, 2018

  • Online meeting cancelled, at TPAC

Oct 15, 2018

  • Review of minutes from last meeting
  • Status of W3C Note publication
  • TPAC and plugfest planning
  • Best practices document
  • Object security
    • COSE, JOSE, and OSCORE (Koster)
  • Security consideration sections
    • Thing Description (McCool)
    • Scripting API (Reshetova)
  • Action item review
  • Issue and PR review
  • Other issues

Oct 8, 2018

  • Review of minutes from last meeting
  • Status of W3C Note publication
  • Object security
    • COSE, JOSE, and OSCORE (Koster)
  • Secure multicast
  • Security consideration sections
    • Thing Description (McCool)
    • Scripting API (Reshetova)
  • Action item review
  • Issue and PR review
  • Other issues

Sept 17, 2018

Sept 10, 2018

  • Review of minutes from last meeting
  • Security and Privacy Considerations: to resolve if ready to publish
  • TD Security and Privacy Considerations
  • Online plugfest
    • Security call will be held that week as normal; before plugfest starts, technically
    • Best practices document review and testing
  • Action item review
  • Issue and PR review
  • Other issues

Sept 3, 2018

  • Review of minutes from last meeting
  • Final review of updated Security and Privacy Considerations
  • TD Security and Privacy Considerations
  • Best practice document review
  • Issue and PR review
  • Other issues

Aug 27, 2018

Aug 20, 2018

  • Guest: Xiaoru Li, Baidu
    • Reviewed IG patent policy for the record...
  • Review of minutes from last meeting
  • Extra meetings at TPAC early in the week?
  • New DTLS schemes: cert, public
  • MQTT Security (wrt DTLS security schemes)
  • W3C Permissions: application submitted
  • Other issues

Aug 13, 2018

Aug 6, 2018

  • Review of minutes from last meeting
  • W3C Permissions Workshop
  • TD Update Review
  • Testing (Fuzz testing, DTLS)
  • Best practices (brainstorming)
  • Planning: next steps
  • Other issues and PRs
  • Other business

July 30, 2018

  • Review of minutes from last meeting
  • PR 107: Document Restructuring
  • Testing plan: security section
  • TD Updates (psk and none schemes)
  • Making "security" mandatory
  • Planning: next steps
  • Other issues and PRs
  • Other business

July 23, 2018

June 25, 2018

  • Review of minutes from last meeting(s)
  • Plugfest and F2F Prep
  • Next release
  • External validation
    • IIC
    • W3C Web Security IG
  • Review other issues and PRs
  • Other business

June 11, 2018

June 4, 2018

May 28, 2018

  • Review of minutes from last meeting(s)
  • Review PRs
  • Plugfest/F2F/TPAC Preparation
    • Conflicts w/ TPAC: Linux Security Summit Europe (Oct 25-26)
  • Review issues
  • Other business

May 21, 2018

  • Review of minutes from last meeting(s)
  • Review PRs
  • Plugfest/F2F/TPAC Preparation
  • Review issues
  • Other business

May 14, 2018

  • (X) Review of minutes from last meeting(s)
  • Review PRs
    • Privacy
    • Tunneling
  • TD Security Vocabulary
  • Online Test System - Intel
  • Review issues
  • Other business

May 7, 2018

  • (X) Review of minutes from last meeting(s)
  • Review PRs
  • Review issues
  • Other business

Apr 30, 2018

  • Review of minutes from last meeting(s)
  • Events for signaling lifecycle transitions, e.g., destroying an object
  • Review PRs
  • Review issues
  • Other business

Apr 23, 2018

Apr 16, 2018

  • Review of minutes from last meeting(s)
  • Review topology of plugfest scenarios
  • Review updated security metadata proposal
    • merge PR if appropriate
  • Review issues and other PRs
    • Especially Jason Novak's issues

Apr 9, 2018

  • Review of minutes from last meeting(s)
  • NDSS DISS workshop paper: updates to publication version
  • Updated "security metadata" PR
  • Update master with working
  • Planning: What Next?
    • Lifecycle: overall vs. security-specific
    • Testing and validation: https://github.com/w3c/wot/pull/439
    • Industrial and enterprise use case discussion (ACLs? Roles and profiles? Root of trust? TPMs?)
    • More updates to security metadata: roles, profiles, scopes, other schemes
    • Related IETF WGs:
      • TEEP: Trusted Execution Environments Provisioning
      • SUIT: Software updates for the IoT
    • Requesting security review from W3C Security group
    • Goals for next F2F and plugfest
    • Security review of the scripting API, including metadata and errors
  • Other topics
    • Review issues and other PRs
      • Next time make sure to review Jason Novak's issues

Pending Agenda Items (with Deadlines)

  • Review requirements from prioritized list of IoT systems/protocols
    • OCF, oneM2M, LwM2M, Z-Wave, AWS IoT/GG, etc.

Future Agenda Items

  • New Use Cases
  • Review of IETF-ACE, IIC-SF, CoAP and other security models
  • Discuss use of semantic annotations for security
  • Review existing threat models, e.g., from the IIC Security Framework
  • Review of existing security models and mechanisms in target protocols
      • Get that up somewhere for people to provide input
      • Some of the threats depend on the vulnerability of the protocols
    • Review COSE (although still in draft)
    • Use main call to synchronize this activity and gather feedback
    • Create a template so we can consolidate the information
    • Identify people or groups that can look at individual target protocols and mechanisms
  • Review issues and feedback on draft documents
    • Via GitHub issues

Resources

Meeting Minutes

2017

Security and Privacy Questionnaires, Review Forms