IG Security WebConf

From Web of Things Interest Group
Jump to: navigation, search

The WoT Security task force is responsible for identifying and analyzing the security and privacy considerations of the WoT and providing recommendations to support appropriate security technologies and to mitigate security and privacy risks.

WebConf Information

Mondays at 5am US Pacific / 8am US Eastern / 2pm Europe / 10pm Japan

This is the joint call of WoT Interest Group (IG) and WoT Working Group (WG).

Note: Due to Daylight Savings in US, the call will start one hour earlier in Europe between March 15 March and 26 March. Calls are all scheduled in US Eastern Time, European daylight savings starts on a different date, and some places do not have Daylight Savings at all, so the following changes will need to be observed:

  • In Europe, calls will start one hour earlier after March 15 and then go back one hour later (=usual time) after March 29.
  • In China, Japan and Russia, where Daylight Savings is not observed, calls will start one hour earlier after March 15.

See email here for further information.

WebEx

IRC

The IRC is used for the minutes, speaker queue, and sharing links etc.

Schedule

External Review

  • Possible Reviewers:
    • Terri Oda (Intel)
    • Valerie Fenwick (Intel)
    • Sven Schrecker (IIC)
    • Mike West and Daniel Veditz (W3C Web Application Security WG)
    • DISS participants

Key Dates

  • See new WG charter

Actions

  • Penetration testing


Future Topics

  • Lifecycle and Onboarding
  • Trust Establishment
    • Use Case Analysis
  • Look at Verifiable Claims
    • Technically VC WG is closed, but people are in DID WG now
  • Ecosystem Research
    • OCF Bootstrapping
      • Correspondence with Lifecycle, provisioning, etc.
  • Discovery
    • Privacy preservation

Agenda

Cancellations

  • None currently

Upcoming

To Do: add links to the items below, e.g. to labelled issues, minutes, etc.

  • Review editor's sync call minutes and actions
  • Review (and comment on/close) security-related issues in other repos
    • TD
    • Arch
    • Profiles
  • OAuth2 flows in TD...
    • When and where do non-client flows make sense?
      • The client flow needs a confidential client, and browsers do not qualify (need mutual auth?) so...
      • relates to the example used in the TD spec for non-client flow, i.e. maybe we recommend that there needs to be at *least* a client flow but other flows can be allowed as well for affordances that make sense to use directly from a browser.
    • We may have to put implicit and password back into the TD1.1 spec for TD1.0 compatibility
      • But then need to add text saying that these are deprecated and SHOULD NOT be used (and will be removed in TD 2.0)
  • Profiles Security

Next Meeting

Items to schedule in the next meeting.

  • combo discussion; are all combinations appropriate?

To Do


5 December 2022

Scribe: Jiye

28 November 2022

Scribe: Kaz

21 November 2022

Scribe:

  • Minutes:
  • Publications
    • Architecture - "Trusted Environment" review
  • Updates to S&P Guidelines doc
  • Security Testing
    • Testfest goal?
  • AOB

14 November 2022

CANCELLED - McCool unavailable

7 November 2022

CANCELLED - McCool unavailable

31 October 2022

CANCELLED - Kaz unavailable

24 October 2022

Scribe: Jiye

  • Minutes:
  • Issues
    • Implementation Reports
  • PRs
  • Planning
    • Cancellations
    • S&P Guidelines update
    • Security Testing
  • AOB

17 October 2022

Scribe: Kaz

  • Minutes:
  • Issues
    • Implementation Reports
  • PRs
  • Planning/Logistics
    • McCool unavailable Nov 7-18.
  • AOB

10 October 2022

Scribe: Jan

3 October 2022

CANCELLED - Plugfest

26 September 2022

Scribe: Philipp

  • Minutes:
  • Review issues
  • Planning
    • Publication
    • Testing
  • AOB

22 August 2022

Scribe: Jiye/Philipp

  • Minutes:
  • TAG Review
    • Architecture S&P assertion review
  • AOB

8 August 2022

Scribe: Kaz

  • Minutes:
  • Wide Review
    • Check links below
  • TAG Review
    • Action items - progress
    • Architecture S&P assertion review
  • AOB

1 August 2022

Scribe: Kaz

25 July 2022

Security call cancelled due to testfest.

Please review https://github.com/w3ctag/design-reviews/issues/736 and in particular consider how to modify security and privacy assertions in deliverables to make them more testable (point 4 in response to TAG).

18 July 2022

Scribe: Kaz

11 July 2022

Scribe: Kaz

4 July 2022

Scribe: Philipp

No agenda - wiki was down.

27 June 2022

Scribe: Kaz

20 June 2022

Scribe: Philipp

13 June 2022

Scribe: Kaz

  • Minutes:
  • Discovery and TLS/DTLS
  • Issues & Wide Reviews
  • AOB

30 May 2022

Scribe: Jiye

23 May 2022

Scribe: Jiye

16 May 2022

Scribe: Jan/Kaz

9 May 2022

Scribe: Jan

  • Minutes:
  • Wide Review Responses
    • https://github.com/w3c/wot-thing-description/issues/1490
      • Summary: PING requesting we disallow "nosec" if TD has PII (or has immutable ID, e.g. if required by law)
      • Same issue probably also applies to discovery
      • BUT:
        • non-nosec schemes need transport security (TLS) to actually be effective
        • Not really critical on private networks, and TLS is difficult (but not impossible) on private networks, due to CA/Browsers expecting non-local URLs, disallowing self-signed certs, etc. etc.
        • Might still want non-nosec on private networks without TLS to avoid *causal* access
      • Proposal: context-dependent assertions
        • When TDs contain PII or PII can be inferred from them...
          • Note that in general this would not apply to "development"
        • MUST use (D)TLS/transport security on internet (Things with public URLs), MUST NOT use "nosec" in this case
        • SHOULD ... and SHOULD NOT ... on local (non-public) networks
        • On the public internet not using transport security or authentication is a Bad Idea even for development without PII risk, so maybe there should be a "SHOULD" assertion for this case... or the MUST assertion can just apply to everything, whether or not there is PII at risk.
      • There is an additional problem with "descriptive TDs" e.g. brownfield devices, that may not follow these assertions. We can't fix such issues in existing devices, but we could add an assertion (to Discovery, say) that such TDs MUST NOT be distributed publicly.
      • See https://github.com/w3c/wot-architecture/pull/747
  • Profiles and UUIDs
    • See above
  • Issues
  • AOB

2 May 2022

Scribe: Philipp

25 April 2022

Scribe: Jan

11 April 2022

Scribe: Philipp

4 April 2022

Scribe: Jiye

Future meeting:

28 March 2022

Scribe: Jan

28 February 2022

Scribe: Jan

28 February 2022

Scribe:

21 February 2022

Scribe: Philipp

14 February 2022

Scribe: Jan

7 February 2022

Scribe: Kaz

7 February 2022

Scribe: Kaz

31 January 2022

Scribe: Philipp

24 January 2022

Scribe: Kaz

17 January 2022

Scribe: Jiye

10 January 2022

First meeting of 2022.

Scribe: Jan

13 December 2021

Note: last meeting in 2021.

Scribe: Jiye

  • Minutes:
  • Discuss TD/OAuth2 resolution
  • Review Issues and PRs
  • AOB

6 December 2021

Scribe: Kaz

  • Minutes:
  • See "Upcoming issues" above
    • Need to deal with various issues in other documents
  • Review issues and PRs
  • AOB

29 November 2021

Scribe: Cristiano

  • Minutes:
  • See "Upcoming issues" above
    • Need to deal with various issues in other documents
  • Review issues and PRs
  • AOB

22 November 2021

Scribe: Philipp

15 November 2021

Scribe: Kaz

8 November 2021

Scribe: Kaz

  • Minutes:
  • New attendees
    • Jiye Park, Siemens
  • Review issues and PRs
  • AOB

1 November 2021

Scribe: Kaz

18 October 2021

Scribe: Philipp

20 September 2021

Scribe: Kaz

13 September 2021

Scribe: Philipp

6 September 2021

Scribe: Kaz

  • Minutes:
  • Signatures
    • Oliver's Review
    • Discussion - Next steps, alternatives
  • Other Issues & PRs
  • AOB

30 August 2021

Scribe: Philipp

26 July 2021

Scribe: Kaz

19 July 2021

Scribe: Philipp

  • Minutes:
  • Best Practices
    • PRs
  • Signing - Review
    • Schedule
      • July - McCool to cleanup spec
      • August - Pfaff to review
      • Sept - close/finalize
  • AOB

12 July 2021

Scribe: Oliver

14 June 2021

CANCELLED

Scribe:

31 May 2021

Scribe: Elena

  • Minutes:
  • Best Practices
    • Review of issues created last week
  • Signing
  • F2F Planning
    • Schedule
  • AOB

24 May 2021

Note: Holiday in Europe and Canada today, but we met anyway and discussed the state of the Best Practices document, and added several issues for things that needed to be done to whip it into shape.

Regrets: Oliver, Elena

  • Minutes:
  • Best Practices
    • OAuth2
    • Local transport
    • Discovery
    • Usages, Updates, Issues
    • Publication schedule
  • AOB

17 May 2021

Regrets: Elena

Scribe: Oliver

  • Minutes:
  • Signing and Canonicalization
  • Use Case Questionnaire
  • Scripting Requirements
  • Issues and PRs
  • AOB

10 May 2021

Regrets: Oliver

Scribe: Kaz

3 May 2021

Scribe: Cristiano

19 April 2021

Scribe: Philipp

12 April 2021

Scribe: Elena

29 March 2021

Short meeting (30).

  • Capture F2F outcomes

22 March 2021

Cancelled.

15 March 2021

Cancelled.

8 March 2021

Scribe: Elena

1 March 2021

No call due to plugfest.

22 February 2021

Scribe: Philipp

15 February 2021

Scribe: Cristiano

8 February 2021

Scribe: Oliver

1 February 2021

Scribe: Kaz

25 January 2021

Scribe: Elena

18 January 2021

Scribe: Oliver

11 January 2021

Scribe: Cristiano

4 January 2021

Scribe: McCool

7 December 2020

Scribe: Oliver

30 November 2020

Regrets: Elena

Scribe: Kaz

23 November 2020

Scribe: Elena

16 November 2020

Scribe: Kaz

9 November 2020

Scribe: Oliver

28 September 2020

Cancelled due to plugfest

21 September 2020

Scribe: Oliver

  • Minutes
  • Updates
    • Minutes publishing policy - must be public for reasons
    • Lifecycle (see arch issue)
  • Planning
    • Next steps, publications/updates, etc.
    • F2F agenda
    • Testing
    • Joint call topics
  • Issues and PRs
  • AOB

14 September 2020

Scribe: Elena

7 September 2020

Scribe: Cristiano

  • Minutes
  • Updates
    • TD PRs and feedback
    • Arch lifecycle
  • Directory Security
  • Security Issues and PRs
  • AOB

31 August 2020

Scribe: Clerley

  • Minutes
  • TD Security PRs and Issues
  • Discussion topics
    • OAuth2 mandatory items - necessary or not?
    • Directory Security
    • Lifecycle Review
  • Other Security Issues and PRs
  • AOB

24 August 2020

Scribe: Cristiano

17 August 2020

Scribe: Clerley

10 August 2020

Scribe: Oliver

Regrets: Elena

  • Minutes
  • OAuth2 update
  • Document updates
  • Issue and PRs
  • AOB

3 August 2020

Scribe: Clerley

  • Minutes
  • OAuth2 update
  • Document updates
  • Issue and PRs
  • AOB

27 July 2020

Regrets: Elena

Scribe: Farshid

  • Minutes
  • OAuth2 TD update
  • Updates to documents
    • Best practices
      • OAuth2 usage - implicit, password deprecated
    • Others?
  • Deliverables
    • Documents
    • Standard vocab? Extension vocab? OAuth2 for deprecated flows
  • Issue and PRs
  • Use Case review
    • Add Security and Privacy sections to existing UCs
    • But pending conversion to HTML
  • AOB

20 July 2020

Scribe: Cristiano

Regrets: Elena

  1. Binding Templates
  • TD Signing
  • AOB

13 July 2020

6 July 2020

29 June 2020

No meeting post F2F.

22 June 2020

No regular meeting, but security session held during F2F.

15 June 2020

Cancelled due to plugfest.

8 June 2020

Cancelled due to overlap with T2TRG/WoT Workshop.

1 June 2020

Note: Today is a public holiday in Germany.

25 May 2020

18 May 2020

11 May 2020

  • Review Minutes
  • OAuth Requirements for Scripting
  • Use case review
    • Security and Privacy considerations sections
  • Lifecycle review and input
    • State definitions
  • AOB

4 May 2020

27 Apr 2020

20 Apr 2020

13 Apr 2020

  • No meeting - Easter Monday

6 Apr 2020

30 Mar 2020

  • Review Minutes
  • Lifecycle
    • Anima mapping
  • Issues and PRs
  • AOB

23 Mar 2020

9 Mar 2020

2 Mar 2020

24 Feb 2020

17 Feb 2020

  • Review Minutes
  • DID review
  • PING feedback
  • PRs
  • Issues
  • AOB

10 Feb 2020

3 Feb 2020

  • Review Minutes
  • PRs and Issues
    • Work bottom-up to try and retire older issues this time
  • AOB

27 Jan 2020

  • Review Minutes
  • PRs and Issues
  • AOB

20 Jan 2020

  • Review Minutes:
    • deferred to main call
  • Edge Apps
    • Security and Privacy implications
  • Lifecycle
  • PRs and Issues
    • MUDs
    • Privacy Threat Model
  • AOB

13 Jan 2020

Dec 16, 2019

Dec 9, 2019

Cancelled - meeting slot needed to finalize PRs.

Nov 25, 2019

Cancelled - multiple conflicts.

Nov 18, 2019

Nov 11, 2019

Nov 5, 2019

Sept 9, 2019

Sept 2, 2019

  • Quick updates
  • Review Minutes
  • Rescheduling
    • Doodle
    • 7pm-8pm Japan Time works for everyone but Taki
  • WG Charter Draft
  • Issue tracker and PR review
  • AOB

Aug 26, 2019

  • Quick updates
    • Michael is relocating
      • to Atlantic Canada
      • Altantic Time: Eastern - 1
  • Review Minutes
  • Rescheduling
    • Options: Monday 6pm, 7pm JST, Tuesday 7pm, 8pm, 9pm JST
    • Monday strongly preferred by Kaz and Mizushima
    • Kaz to create a doodle
  • Issue tracker and PR review
  • AOB

Aug 5, 2019

July 8, 2019

June 10, 2019

June 3, 2019

Cancelled due to workshop

May 27, 2019

Cancelled due to conflicts

May 20, 2019

May 6, 2019

  • Review of Minutes from earlier meetings
  • Quick Updates
    • CTA/NIST for Workshop (declined)
  • Review progress
  • Updates to TD and Arch specs
    • Remove direct refs to Best Practices and Testing docs
  • Issues and PRs
  • AOB

April 29, 2019

  • Review of Minutes from earlier meetings
  • Quick updates
  • Review progress
    • Let's target May 8 now...
    • Gives us one week to update things before May 15 CR target
  • Publication schedule
    • After CR in mid-May, edit Security Docs for consistency
    • Updated Note published in mid-June; can update when go to REC.
    • Should publish Best Practices and Testing Plan as Notes
    • Want to cite "latest" version in Arch document, not dated version
    • Target May 8 as meeting to have "publication resolution"
    • Go to publication immediately afterwards
  • Penetration testing planning
    • McCool updating code and system description for Workshop demos
    • System description for pen test done by May 15
    • Will be travelling to IIC workshop May 17-23
    • Penetration testing target: May 30
  • Issues and PRs
  • AOB

April 22, 2019

Cancelled due to holiday.

April 15, 2019

April 8, 2019

  • CANCELLED due to AC Meeting

April 1, 2019

  • Minute review
    • Deferred again, Elena can't join
  • CR Transition preparations
  • Implementation experience for TD
    • What else can we do?
  • Security scheme extensions
    • Review recent update to TD
  • Penetration testing
    • Reschedule given change to CR dates
  • Architecture and TD spec changes
    • Security and Privacy Considerations
  • AOB

Mar 25, 2019

  • TAG Submission review
    • Security questionnaire
  • Security and Privacy Considerations
    • WoT Architecture
    • WoT Thing Description
  • Review of minutes from previous meetings
  • AOB

Mar 18, 2019

  • Review of minutes from previous meetings
  • CTA/NIST Questionnaire review
  • Testing status, explainers, and extensions
  • Security consideration in WoT Arch doc
  • AOB

Mar 11, 2019

  • Review of minutes from previous meetings
  • Pen Test Planning
  • Docs
    • Arch
    • Best Practices
  • Reviews
  • PRs
  • TD Testing
  • AOB

Mar 4, 2019

  • Review of minutes from previous meetings
    • Deferred again since Kaz is not available
  • Pen Test Planning
  • Best Practices Doc
  • AOB

Feb 25, 2019

  • No (real) meeting

Feb 18, 2019

  • Review of minutes from previous meetings
    • Deferred to next meeting
  • External reviews
    • Found one external reviewer (IIC), two W3C reviewers (Web Security)
    • Question about formal requirements
  • IIC/OpenFog report
  • Security conferences
    • See email from Dave Raggett on mailing list
  • Security sections related to runtime
  • PR on Testing (ITU vocabulary change)
  • Best practices
    • McCool to do PR to update, get into minimally-publishable form
  • AOB

Feb 11, 2019

  • Things we have to do:
  1. Security section of Arch and Scripting document
  2. TD Implementation Report - sample implementations
  3. Security Best Practices document
  4. Document reviews
  5. Testing experience - penetration testing
    • Focus on Intel implementations, on McCool's private network
    • When: Second week of March
  6. Security section of Scripting API
  • Other business

Feb 4, 2019

No meeting, Travelling.

Jan 28, 2019

No meeting, TestFest.

Jan 14, 2019

Jan 7, 2019

Dec 31, 2018 (New Year's Eve)

No meeting

Dec 24, 2018 (Christmas Eve)

No meeting

Dec 17, 2018

Dec 3, 2018

Nov 26, 2018

Nov 19, 2018

Nov 12, 2018

  • Review of minutes from previous meetings
  • Update on publication status
  • New meeting time: discuss
  • Update on pending PRs
    • Security definitions got merged... but not done...
      • Still a problem with strings vs. objects in "security"
    • Other PRs that were ready... did not get merged due to conflicts (fixed)
    • Scopes example updated: regular -> limited
  • Candidate for Scripting API security considerations section (Elena)
  • Testing

Nov 5, 2018

Oct 29, 2018

  • Cancelled, post-TPAC recovery

Oct 22, 2018

  • Online meeting cancelled, at TPAC

Oct 15, 2018

  • Review of minutes from last meeting
  • Status of W3C Note publication
  • TPAC and plugfest planning
  • Best practices document
  • Object security
    • COSE, JOSE, and OSCORE (Koster)
  • Security consideration sections
    • Thing Description (McCool)
    • Scripting API (Reshetova)
  • Action item review
  • Issue and PR review
  • Other issues

Oct 8, 2018

  • Review of minutes from last meeting
  • Status of W3C Note publication
  • Object security
    • COSE, JOSE, and OSCORE (Koster)
  • Secure multicast
  • Security consideration sections
    • Thing Description (McCool)
    • Scripting API (Reshetova)
  • Action item review
  • Issue and PR review
  • Other issues

Sept 17, 2018

Sept 10, 2018

  • Review of minutes from last meeting
  • Security and Privacy Considerations: to resolve if ready to publish
  • TD Security and Privacy Considerations
  • Online plugfest
    • Security call will be held that week as normal; before plugfest starts, technically
    • Best practices document review and testing
  • Action item review
  • Issue and PR review
  • Other issues

Sept 3, 2018

  • Review of minutes from last meeting
  • Final review of updated Security and Privacy Considerations
  • TD Security and Privacy Considerations
  • Best practice document review
  • Issue and PR review
  • Other issues

Aug 27, 2018

Aug 20, 2018

  • Guest: Xiaoru Li, Baidu
    • Reviewed IG patent policy for the record...
  • Review of minutes from last meeting
  • Extra meetings at TPAC early in the week?
  • New DTLS schemes: cert, public
  • MQTT Security (wrt DTLS security schemes)
  • W3C Permissions: application submitted
  • Other issues

Aug 13, 2018

Aug 6, 2018

  • Review of minutes from last meeting
  • W3C Permissions Workshop
  • TD Update Review
  • Testing (Fuzz testing, DTLS)
  • Best practices (brainstorming)
  • Planning: next steps
  • Other issues and PRs
  • Other business

July 30, 2018

  • Review of minutes from last meeting
  • PR 107: Document Restructuring
  • Testing plan: security section
  • TD Updates (psk and none schemes)
  • Making "security" mandatory
  • Planning: next steps
  • Other issues and PRs
  • Other business

July 23, 2018

June 25, 2018

  • Review of minutes from last meeting(s)
  • Plugfest and F2F Prep
  • Next release
  • External validation
    • IIC
    • W3C Web Security IG
  • Review other issues and PRs
  • Other business

June 11, 2018

June 4, 2018

May 28, 2018

  • Review of minutes from last meeting(s)
  • Review PRs
  • Plugfest/F2F/TPAC Preparation
    • Conflicts w/ TPAC: Linux Security Summit Europe (Oct 25-26)
  • Review issues
  • Other business

May 21, 2018

  • Review of minutes from last meeting(s)
  • Review PRs
  • Plugfest/F2F/TPAC Preparation
  • Review issues
  • Other business

May 14, 2018

  • (X) Review of minutes from last meeting(s)
  • Review PRs
    • Privacy
    • Tunneling
  • TD Security Vocabulary
  • Online Test System - Intel
  • Review issues
  • Other business

May 7, 2018

  • (X) Review of minutes from last meeting(s)
  • Review PRs
  • Review issues
  • Other business

Apr 30, 2018

  • Review of minutes from last meeting(s)
  • Events for signaling lifecycle transitions, eg destroying an object
  • Review PRs
  • Review issues
  • Other business

Apr 23, 2018

Apr 16, 2018

  • Review of minutes from last meeting(s)
  • Review topology of plugfest scenarios
  • Review updated security metadata proposal
    • merge PR if appropriate
  • Review issues and other PRs
    • Especially Jason Novak's issues

Apr 9, 2018

  • Review of minutes from last meeting(s)
  • NDSS DISS workshop paper: updates to publication version
  • Updated "security metadata" PR
  • Update master with working
  • Planning: What Next?
    • Lifecycle: overall vs. security-specific
    • Testing and validation: https://github.com/w3c/wot/pull/439
    • Industrial and enterprise use case discussion (ACLs? Roles and profiles? Root of trust? TPMs?)
    • More updates to security metadata: roles, profiles, scopes, other schemes
    • Related IETF WGs:
      • TEEP: Trusted Execution Environments Provisioning
      • SUIT: Software updates for the IoT
    • Requesting security review from W3C Security group
    • Goals for next F2F and plugfest
    • Security review of the scripting API, including metadata and errors
  • Other topics
    • Review issues and other PRs
      • Next time make sure to review Jason Novak's issues

Pending Agenda Items (with Deadlines)

  • Review requirements from prioritized list of IoT systems/protocols
    • OCF, oneM2M, LwM2M, ZWave, AWS IoT/GG, etc

Future Agenda Items

  • New Use Cases
  • Review of IETF-ACE, IIC-SF, CoAP and other security models
  • Discuss use of semantic annotations for security
  • Review existing threat models eg from IIC Security Framework
  • Review of existing security models and mechanisms in target protocols
      • Get that up somewhere for people to provide input
      • Some of the threats depend on the vulnerability of the protocols
    • Review COSE (although still in draft)
    • Use main call to synchronize this activity and gather feedback
    • Create a template so we can consolidate the information
    • Identify people or groups that can look at individual target protocols and mechanisms
  • Review issues and feedback on draft documents
    • Via github issues

Resources

Meeting Minutes

2017

Security and Privacy Questionnaires, Review Forms