IG Security WebConf
The WoT Security task force is responsible for identifying and analyzing the security and privacy considerations of the WoT and providing recommendations to support appropriate security technologies and to mitigate security and privacy risks.
WebConf Information
- Quick start guide for W3C teleconferences
- Table of all the WoT calls on our Web page
- W3C WG Calendar - Please use this for schedule and call-in logistics.
- Main WoT WebConf
- Scripting APIs | Security | Discovery | Marketing | Use Cases | PlugFest/Testing | TD | Architecture | Profile
This is a joint call of WoT Interest Group (IG) and WoT Working Group (WG).
Schedule
External Review
- Possible Reviewers:
- Terri Oda (Intel)
- Valerie Fenwick (Intel)
- Sven Schrecker (IIC)
- Mike West and Daniel Veditz (W3C Web Application Security WG)
- DISS participants
Key Dates
- See new WG charter
Actions
- Penetration testing
Future Topics
- Lifecycle and Onboarding
- Trust Establishment
- Use Case Analysis
- Look at Verifiable Claims
- Technically VC WG is closed, but people are in DID WG now
- Ecosystem Research
- OCF Bootstrapping
- Correspondence with Lifecycle, provisioning, etc.
- Discovery
- Privacy preservation
Agenda
Cancellations
- None currently
Upcoming
To Do: add links to the items below, e.g. to labelled issues, minutes, etc.
- Review editor's sync call minutes and actions
- Review (and comment on/close) security-related issues in other repos
- TD
- Arch
- Profiles
- OAuth2 flows in TD...
- When and where do non-client flows make sense?
- The "client" (client credentials) flow needs a confidential client, and browsers do not qualify (mutual auth needed?), so...
- This relates to the example used in the TD spec for a non-client flow, i.e. maybe we recommend that there needs to be at *least* a client flow, but other flows can be allowed as well for affordances that make sense to use directly from a browser.
- We may have to put implicit and password back into the TD 1.1 spec for TD 1.0 compatibility
- But then we need to add text saying that these are deprecated and SHOULD NOT be used (and will be removed in TD 2.0)
- Profiles Security
- https://github.com/w3c/wot-profile/issues/6
- https://github.com/w3c/wot-profile/pull/87
- Also discuss S & P considerations for Profiles
Next Meeting
Items to schedule in the next meeting.
- combo discussion; are all combinations appropriate?
To Do
- Testing plan, incl security: https://github.com/w3c/wot-testing/pull/210
- auto in "in" for TD: https://github.com/w3c/wot-thing-description/issues/1394#issuecomment-1046876055
- TD security/privacy/iana consolidation: https://github.com/w3c/wot-thing-description/pull/1402
- security questionnaire (-> arch?): https://github.com/w3c/wot-thing-description/pull/1382
- arch lifecycle PR: https://github.com/w3c/wot-architecture/pull/704
- wide review:
- uuids
- Profiles has made a resolution to require uuidv4 for ids
- This is instead of saying "globally unique ids": https://github.com/w3c/wot-profile/issues/139
- But uuidv4 may or may not be the best option: a UUID, sure, but which version? Any? v4 specifically? Something other than v4? Allow hashing of some other metadata to provide stability?
- Anything earlier than v4 should probably not be used; v3 provides hashing but uses MD5, which is vulnerable
- We *might* want to allow v5, which uses SHA-1 hashing, but this might *become* vulnerable in the future
- v4 is completely random, which is safe, but for "stability" a TD generator needs to generate the id once and remember it
- Requiring UUIDs generally also avoids certain other non-security/privacy issues, e.g. directory id collisions
- DIDs are another option but not mature; note this is for *profiles*, which are prescriptive in nature
- Issues to revisit
27 November 2023
Scribe: Mahda
- Minutes:
- Requirements
- Use Cases
- Issues
- Thing Description
- Discovery
- Architecture
- Profiles
- Scripting API
- Use Cases and Requirements
- AOB
20 November 2023
Scribe: Kaz
- Minutes:
- Review PRs
- Merged requirements template - Mahda to take over requirements, see https://github.com/w3c/wot-usecases/issues/243
- Use Cases
- Issues
- Thing Description
- Discovery
- Architecture
- Profiles
- Scripting API
- Use Cases and Requirements
- AOB
13 November 2023
(Note: 30m meeting)
Scribe: Mahda
- Minutes:
- Review PRs
- Use Cases
- Issues
- Thing Description
- Discovery
- Architecture
- Profiles
- Scripting API
- Use Cases and Requirements
- AOB
6 November 2023
Cancelled.
30 October 2023
Scribe: Luca
- Minutes:
- Review PRs
- Use Cases
- Issues
- Thing Description
- Discovery
- Architecture
- Profiles
- Scripting API
- Use Cases and Requirements
- AOB
23 October 2023
Scribe: Kaz
- Minutes:
- Review PRs
- Prep for Use Case call this week
- Review new issues in other repos
- Thing Description
- Discovery
- Architecture
- Profiles
- Scripting API
- Use Cases and Requirements
- Todo: capture separate links for privacy when label different
- AOB
2 October 2023
Scribe: Mahda
- Minutes:
- Review new issues in other repos (deferred)
- Thing Description
- Discovery
- Architecture
- Profiles
- Scripting API
- Use Cases and Requirements
- Todo: capture separate links for privacy when label different
- Capture plan to update UC&R document
- Create issues in wot-usecases repo to execute security revisions
- Review other wot-security issues
- Starting with https://github.com/w3c/wot-security/issues/202
25 September 2023
Scribe: Kaz
- Minutes:
- PRs and Issues
- TPAC Followup
- To dos
- Use Case and Requirements
- Next Agenda
- AOB
18 September 2023
Scribe: Jan
- Minutes:
- PRs
- TPAC Followup
- AOB
4 September 2023
Scribe: Luca
- Minutes:
- PRs
- TPAC Preparation
- https://www.w3.org/WoT/IG/wiki/Main_WoT_WebConf/2023_WoT_TPAC_Agenda
- Agenda
- Presentation Materials - Outline
- To dos
- AOB
7 August 2023
Scribe: Kaz
- Minutes:
- Logistics
- Issues and PRs
- Requirements and Use Cases
- To Dos
- Lists vs. tables
- AOB
31 July 2023
Scribe: Mahda
- Minutes:
- Issues and PRs
- Profile TAG Review
- https://github.com/w3ctag/design-reviews/issues/818
- Requirements
- AOB
24 July 2023
Scribe: Kaz
- Minutes:
- Logistics
- How often do we want to have meetings?
- Do we need to change the time?
- Planning
- Update and review detailed planning
- Security Planning
- Architecture Planning (includes many security and privacy items)
- Issue and PRs
- Profile TAG Review
- AOB
26 June 2023
Cancelled - insufficient attendance
Scribe:
- Minutes:
- Planning
- Update and review detailed planning
- Security Planning
- Architecture Planning (includes many security and privacy items)
- Issue and PRs
- AOB
29 May 2023
Cancelled - insufficient attendance.
Scribe: NA
- Minutes:
- Security Issues
- Other issues and PRs in other repos
- Profile wide review
- Next Charter
- Agenda items for Planning meeting
- AOB
22 May 2023
Scribe: Luca
- Minutes:
- Review Final PR Drafts
- Architecture
- Thing Description
- Discovery
- Security Issues
- Other issues and PRs in other repos
- Profile wide review
- AOB
15 May 2023
Scribe: Kaz
- Minutes:
- Review of Remaining At-Risk Items
- Security Issues
- Other issues and PRs in other repos
- Profile wide review
- AOB
8 May 2023
Cancelled due to conflict with AC Meeting
1 May 2023
Cancelled due to conflict with Golden Week and May Day.
24 April 2023
Cancelled due to vacations.
17 April 2023
Scribe:
- Minutes:
- Review of Dev Meeting Slides
- Security Issues
- Other issues and PRs in other repos
- AOB
10 April 2023
CANCELLED due to holiday.
3 April 2023
Scribe: Luca
- Minutes:
- Review of Arch Dev Meeting Slides
- Security Issues
- Profile issues and PRs
- AOB
20 March 2023
Scribe: Jiye
- Minutes:
- Security Issues
- Next Charter Work Items
- Onboarding (and relationship to lifecycle, TDD registration, profiles, etc.)
- Signing
- Other?
- TD Assertions for Dev Meeting
- Profile issues and PRs
13 March 2023
Scribe: Kaz
- Minutes:
- Logistics
- Security PRs
- Profile issues and PRs
- Security for SSE, WebSockets, etc. (use of headers)
- Charter
- Architecture, Onboarding, etc.
6 March 2023
Scribe: Kaz
- Minutes:
- Logistics
- Meeting schedule
- Managing agendas
- Security PRs
- Profile issues
- Charter
27 February 2023
Scribe: Jiye
- Minutes:
- Logistics
- Archiving old agendas
- Remaining Profile issues
- https://github.com/w3c/wot-profile/labels/security
- WebHook
- subscribeallevents
- https://github.com/w3c/wot-profile/issues/224
- Let's use this issue to capture comments and research
- WoT Security PRs
- Next Steps
- Ask for help from TAG?
20 February 2023
Scribe: Kaz
- Minutes:
- Profile PRs
- Remaining Profile issues
- https://github.com/w3c/wot-profile/labels/security
- WebHook
- subscribeallevents
- https://github.com/w3c/wot-profile/issues/224
- Let's use this issue to capture comments and research
- WoT Security PRs
13 February 2023
Scribe: Jan
- Minutes:
- Review Issues
- Profile
- Architecture
- TD
- S&P Guidelines
- Issues and PRs
- Next Charter Draft
- AOB
6 February 2023
Scribe: Jiye
- Minutes:
- New Member
- SIFIS - wot-rust
- Security Mechanism Analysis
- Review Issues
- Profile
- Architecture
- TD
- S&P Guidelines
- Issues and PRs
- Next Charter Draft
- AOB
30 January 2023
Scribe: Jan
- Minutes:
- Next Charter
- Review draft
- S&P Guidelines
- Update still needed
- AOB
23 January 2023
Scribe: Kaz
- Minutes:
- Next Charter
- Review draft
- https://github.com/w3c/wot/pull/1057
- Planning
- S&P Guidelines update still needed - TF members still reviewing; Jan 30
- DTLS 1.3 Arch assertions
- AOB
Pending Agenda Items (with Deadlines)
- Review requirements from prioritized list of IoT systems/protocols
- OCF, oneM2M, LwM2M, Z-Wave, AWS IoT/Greengrass, etc.
Future Agenda Items
- New Use Cases
- Review of IETF-ACE, IIC-SF, CoAP and other security models
- Discuss use of semantic annotations for security
- Review existing threat models, e.g. from the IIC Security Framework
- Review of existing security models and mechanisms in target protocols
- Get that up somewhere for people to provide input
- Some of the threats depend on the vulnerability of the protocols
- Review COSE (although still in draft)
- Use main call to synchronize this activity and gather feedback
- Create a template so we can consolidate the information
- Identify people or groups that can look at individual target protocols and mechanisms
- Review issues and feedback on draft documents
- Via github issues