IG Security WebConf

From Web of Things Interest Group

WebConf Information

Mondays at 8am US Eastern / 1pm Europe / 9pm Japan

Note:

  • Calls are all scheduled in US Eastern Time, and European daylight savings starts on a different date, so...
  • In Europe, calls will start one hour earlier after March 10 and then go back one hour later after March 31.
  • In Japan, calls will start one hour earlier after March 10.


WebEx

IRC

The IRC channel is used for the minutes, the speaker queue, sharing links, etc.

Schedule

  • External review:
    • Elena working with Terri Oda (Intel)
      • Focus: Security and Privacy Considerations, Testing, Best Practices
      • Scripting if it is ready, and if time
    • Michael working with Valerie Fenwick (Intel) and Sven Schrecker (IIC)
      • Focus: REC Documents (TD, Arch)
    • Michael will email Mike West and Daniel Veditz
      • Mention already talking to TAG, but would welcome their input
      • Focus: REC Documents (TD, Arch)

Key Dates

  • June 6-7 - F2F
    • Initial Security Review Results
    • Proposed updates to TD and Arch docs (editorial)
    • Decide to take out at-risk or try to add a test/impl
  • June 12 - Target for Security Review Results
  • June 13 - PRs to update Arch
  • June 14 - PRs to update TD
  • June 19 - PR Transition Resolution
  • June 20 - PR Transition Request

Actions

  • Follow up on external security reviews and TAG review as necessary
  • Penetration testing report

Agenda

  • Michael only semi-available until Aug 17
  • Elena not available (except by email) from Aug 15 until Aug 23

Aug 5, 2019

July 8, 2019

June 10, 2019

June 3, 2019

Cancelled due to workshop

May 27, 2019

Cancelled due to conflicts

May 20, 2019

May 6, 2019

  • Review of Minutes from earlier meetings
  • Quick Updates
    • CTA/NIST for Workshop (declined)
  • Review progress
  • Updates to TD and Arch specs
    • Remove direct refs to Best Practices and Testing docs
  • Issues and PRs
  • AOB

April 29, 2019

  • Review of Minutes from earlier meetings
  • Quick updates
  • Review progress
    • Let's target May 8 now...
    • Gives us one week to update things before May 15 CR target
  • Publication schedule
    • After CR in mid-May, edit Security Docs for consistency
    • Updated Note published in mid-June; can update when go to REC.
    • Should publish Best Practices and Testing Plan as Notes
    • Want to cite "latest" version in Arch document, not dated version
    • Target May 8 as meeting to have "publication resolution"
    • Go to publication immediately afterwards
  • Penetration testing planning
    • McCool updating code and system description for Workshop demos
    • System description for pen test done by May 15
    • Will be travelling to IIC workshop May 17-23
    • Penetration testing target: May 30
  • Issues and PRs
  • AOB

April 22, 2019

Cancelled due to holiday.

April 15, 2019

April 8, 2019

  • CANCELLED due to AC Meeting

April 1, 2019

  • Minute review
    • Deferred again, Elena can't join
  • CR Transition preparations
  • Implementation experience for TD
    • What else can we do?
  • Security scheme extensions
    • Review recent update to TD
  • Penetration testing
    • Reschedule given change to CR dates
  • Architecture and TD spec changes
    • Security and Privacy Considerations
  • AOB

Mar 25, 2019

  • TAG Submission review
    • Security questionnaire
  • Security and Privacy Considerations
    • WoT Architecture
    • WoT Thing Description
  • Review of minutes from previous meetings
  • AOB

Mar 18, 2019

  • Review of minutes from previous meetings
  • CTA/NIST Questionnaire review
  • Testing status, explainers, and extensions
  • Security consideration in WoT Arch doc
  • AOB

Mar 11, 2019

  • Review of minutes from previous meetings
  • Pen Test Planning
  • Docs
    • Arch
    • Best Practices
  • Reviews
  • PRs
  • TD Testing
  • AOB

Mar 4, 2019

  • Review of minutes from previous meetings
    • Deferred again since Kaz is not available
  • Pen Test Planning
  • Best Practices Doc
  • AOB

Feb 25, 2019

  • No (real) meeting

Feb 18, 2019

  • Review of minutes from previous meetings
    • Deferred to next meeting
  • External reviews
    • Found one external reviewer (IIC), two W3C reviewers (Web Security)
    • Question about formal requirements
  • IIC/OpenFog report
  • Security conferences
    • See email from Dave Raggett on mailing list
  • Security sections related to runtime
  • PR on Testing (ITU vocabulary change)
  • Best practices
    • McCool to do PR to update, get into minimally-publishable form
  • AOB

Feb 11, 2019

  • Things we have to do:
  1. Security section of Arch and Scripting document
  2. TD Implementation Report - sample implementations
  3. Security Best Practices document
  4. Document reviews
  5. Testing experience - penetration testing
    • Focus on Intel implementations, on McCool's private network
    • When: Second week of March
  6. Security section of Scripting API
  • Other business

Feb 4, 2019

No meeting, Travelling.

Jan 28, 2019

No meeting, TestFest.

Jan 14, 2019

Jan 7, 2019

Dec 31, 2018 (New Year's Eve)

No meeting

Dec 24, 2018 (Christmas Eve)

No meeting

Dec 17, 2018

Dec 3, 2018

Nov 26, 2018

Nov 19, 2018

Nov 12, 2018

  • Review of minutes from previous meetings
  • Update on publication status
  • New meeting time: discuss
  • Update on pending PRs
    • Security definitions got merged... but not done...
      • Still a problem with strings vs. objects in "security"
    • Other PRs that were ready... did not get merged due to conflicts (fixed)
    • Scopes example updated: regular -> limited
  • Candidate for Scripting API security considerations section (Elena)
  • Testing

Nov 5, 2018

Oct 29, 2018

  • Cancelled, post-TPAC recovery

Oct 22, 2018

  • Online meeting cancelled, at TPAC

Oct 15, 2018

  • Review of minutes from last meeting
  • Status of W3C Note publication
  • TPAC and plugfest planning
  • Best practices document
  • Object security
    • COSE, JOSE, and OSCORE (Koster)
  • Security consideration sections
    • Thing Description (McCool)
    • Scripting API (Reshetova)
  • Action item review
  • Issue and PR review
  • Other issues

Oct 8, 2018

  • Review of minutes from last meeting
  • Status of W3C Note publication
  • Object security
    • COSE, JOSE, and OSCORE (Koster)
  • Secure multicast
  • Security consideration sections
    • Thing Description (McCool)
    • Scripting API (Reshetova)
  • Action item review
  • Issue and PR review
  • Other issues

Sept 17, 2018

Sept 10, 2018

  • Review of minutes from last meeting
  • Security and Privacy Considerations: to resolve if ready to publish
  • TD Security and Privacy Considerations
  • Online plugfest
    • Security call will be held that week as normal; before plugfest starts, technically
    • Best practices document review and testing
  • Action item review
  • Issue and PR review
  • Other issues

Sept 3, 2018

  • Review of minutes from last meeting
  • Final review of updated Security and Privacy Considerations
  • TD Security and Privacy Considerations
  • Best practice document review
  • Issue and PR review
  • Other issues

Aug 27, 2018

Aug 20, 2018

  • Guest: Xiaoru Li, Baidu
    • Reviewed IG patent policy for the record...
  • Review of minutes from last meeting
  • Extra meetings at TPAC early in the week?
  • New DTLS schemes: cert, public
  • MQTT Security (wrt DTLS security schemes)
  • W3C Permissions: application submitted
  • Other issues

Aug 13, 2018

Aug 6, 2018

  • Review of minutes from last meeting
  • W3C Permissions Workshop
  • TD Update Review
  • Testing (Fuzz testing, DTLS)
  • Best practices (brainstorming)
  • Planning: next steps
  • Other issues and PRs
  • Other business

July 30, 2018

  • Review of minutes from last meeting
  • PR 107: Document Restructuring
  • Testing plan: security section
  • TD Updates (psk and none schemes)
  • Making "security" mandatory
  • Planning: next steps
  • Other issues and PRs
  • Other business

July 23, 2018

June 25, 2018

  • Review of minutes from last meeting(s)
  • Plugfest and F2F Prep
  • Next release
  • External validation
    • IIC
    • W3C Web Security IG
  • Review other issues and PRs
  • Other business

June 11, 2018

June 4, 2018

May 28, 2018

  • Review of minutes from last meeting(s)
  • Review PRs
  • Plugfest/F2F/TPAC Preparation
    • Conflicts w/ TPAC: Linux Security Summit Europe (Oct 25-26)
  • Review issues
  • Other business

May 21, 2018

  • Review of minutes from last meeting(s)
  • Review PRs
  • Plugfest/F2F/TPAC Preparation
  • Review issues
  • Other business

May 14, 2018

  • (X) Review of minutes from last meeting(s)
  • Review PRs
    • Privacy
    • Tunneling
  • TD Security Vocabulary
  • Online Test System - Intel
  • Review issues
  • Other business

May 7, 2018

  • (X) Review of minutes from last meeting(s)
  • Review PRs
  • Review issues
  • Other business

Apr 30, 2018

  • Review of minutes from last meeting(s)
  • Events for signaling lifecycle transitions, e.g. destroying an object
  • Review PRs
  • Review issues
  • Other business

Apr 23, 2018

Apr 16, 2018

  • Review of minutes from last meeting(s)
  • Review topology of plugfest scenarios
  • Review updated security metadata proposal
    • merge PR if appropriate
  • Review issues and other PRs
    • Especially Jason Novak's issues

Apr 9, 2018

  • Review of minutes from last meeting(s)
  • NDSS DISS workshop paper: updates to publication version
  • Updated "security metadata" PR
  • Update master with working
  • Planning: What Next?
    • Lifecycle: overall vs. security-specific
    • Testing and validation: https://github.com/w3c/wot/pull/439
    • Industrial and enterprise use case discussion (ACLs? Roles and profiles? Root of trust? TPMs?)
    • More updates to security metadata: roles, profiles, scopes, other schemes
    • Related IETF WGs:
      • TEEP: Trusted Execution Environments Provisioning
      • SUIT: Software updates for the IoT
    • Requesting security review from W3C Security group
    • Goals for next F2F and plugfest
    • Security review of the scripting API, including metadata and errors
  • Other topics
    • Review issues and other PRs
      • Next time make sure to review Jason Novak's issues

Pending Agenda Items (with Deadlines)

  • Review requirements from prioritized list of IoT systems/protocols
    • OCF, oneM2M, LwM2M, ZWave, AWS IoT/GG, etc

Future Agenda Items

  • New Use Cases
  • Review of IETF-ACE, IIC-SF, CoAP and other security models
  • Discuss use of semantic annotations for security
  • Review existing threat models, e.g. from the IIC Security Framework
  • Review of existing security models and mechanisms in target protocols
      • Get that up somewhere for people to provide input
      • Some of the threats depend on the vulnerability of the protocols
    • Review COSE (although still in draft)
    • Use main call to synchronize this activity and gather feedback
    • Create a template so we can consolidate the information
    • Identify people or groups that can look at individual target protocols and mechanisms
  • Review issues and feedback on draft documents
    • Via github issues

Resources

Meeting Minutes

2017

Security and Privacy Questionnaires, Review Forms