IG Security WebConf/2018

Agendas for the WoT Security TF from 2018.

Dec 31, 2018 (New Year's Eve)

No meeting

Dec 24, 2018 (Christmas Eve)

No meeting

Dec 17, 2018

• Review of minutes from previous meetings
  • https://www.w3.org/2018/12/03-wot-sec-minutes.html
• Publication Status
  • Security and Privacy Considerations - published Dec 3
  • New Security and Privacy Considerations section not in published TD spec
    • https://www.w3.org/TR/wot-thing-description/#security-consideration
    • https://w3c.github.io/wot-thing-description/#sec-security-consideration
  • Is PR for Arch document security considerations section
    • Runtime considerations
    • https://github.com/w3c/wot-architecture/pull/63
  • Scripting API PR outstanding
    • https://github.com/w3c/wot-scripting-api/pull/155
    • Runtime considerations to be taken out (IF added to arch...)
• Documentation planning
  • Best practices: w3c/wot-security-best-practices
  • Testing plan: w3c/wot-security-testing-plan
• Implementation Report
  • Security gaps
• Schedule review
  • External reviews?
• Other Issues and PRs

Dec 3, 2018

• Review of minutes from previous meetings
  • https://www.w3.org/2018/11/26-wot-sec-minutes.html
  • https://www.w3.org/2018/11/19-wot-sec-minutes.html
• Publication status
• Implementation Report
• New documents
  • Security Best practices
  • Security Test plan
• Scripting API Considerations
• Runtime Considerations
  • https://github.com/w3c/wot-architecture/pull/63
• Other Issues and PRs

Nov 26, 2018

• Review of minutes from previous meetings
  • https://www.w3.org/2018/11/19-wot-sec-minutes.html
• Publication status
• Testing and Validation
  • Security plan (required deliverable)
• Issues

Nov 19, 2018

• Review of minutes from previous meetings
  • https://www.w3.org/2018/11/12-wot-sec-minutes.html
• Publication status
• Scripting API Security and Privacy Considerations PR (Elena)
  • https://github.com/w3c/wot-scripting-api/pull/155
• Testing and Validation
• Issues

Nov 12, 2018

• Review of minutes from previous meetings
  • https://www.w3.org/2018/11/05-wot-sec-minutes.html
• Update on publication status
• New meeting time: discuss
• Update on pending PRs
  • Security definitions got merged... but not done...
    • Still a problem with strings vs. objects in "security"
  • Other PRs that were ready... did not get merged due to conflicts (fixed)
  • Scopes example updated: regular -> limited
• Candidate for Scripting API security considerations section (Elena)
• Testing

Nov 5, 2018

• Review of minutes from previous meetings
  • https://www.w3.org/2018/10/15-wot-sec-minutes.html
• Update on publication status
• Meeting time
  • Do we have a doodle to see if there is a better time?
• Review of summary presentation at TPAC
  • https://github.com/w3c/wot-security/blob/master/presentations/wot-security-tpac-10-2018.pptx
• New PRs and Issues:
  • TD security considerations
    • new clause for privacy and @context dereferences
    • https://github.com/w3c/wot-thing-description/pull/207
  • cleanup: https://github.com/w3c/wot-thing-description/pull/265
    • Includes making top-level "security" mandatory which somehow never got merged...
  • securityDefinitions: https://github.com/w3c/wot-security/issues/120 and https://github.com/w3c/wot-thing-description/pull/277
    • Pres: https://github.com/w3c/wot-security/blob/master/presentations/wot-security-definitions-11-2018.pptx
  • removal of Url postfixes: https://github.com/w3c/wot-security/issues/119 and https://github.com/w3c/wot-thing-description/pull/268
  • scopes example: https://github.com/w3c/wot-thing-description/issues/217 and https://github.com/w3c/wot-thing-description/pull/269
• CR/PR Requirements
• Testing
  • Functional testing
  • Adversarial testing
• Other topics

Oct 29, 2018

• Cancelled, post-TPAC recovery

Oct 22, 2018

• Online meeting cancelled, at TPAC

Oct 15, 2018

• Review of minutes from last meeting
• Status of W3C Note publication
• TPAC and plugfest planning
• Best practices document
• Object security
  • COSE, JOSE, and OSCORE (Koster)
• Security consideration sections
  • Thing Description (McCool)
  • Scripting API (Reshetova)
• Action item review
• Issue and PR review
• Other issues

Oct 8, 2018

• Review of minutes from last meeting
• Status of W3C Note publication
• Object security
  • COSE, JOSE, and OSCORE (Koster)
• Secure multicast
• Security consideration sections
  • Thing Description (McCool)
  • Scripting API (Reshetova)
• Action item review
• Issue and PR review
• Other issues

Sept 17, 2018

• Review of minutes from last meeting
• Online plugfest
  • Review of test plan and implementations
  • Best practices document review and testing
• Action item review
• Issue and PR review
• Other issues

Sept 10, 2018

• Review of minutes from last meeting
• Security and Privacy Considerations: to resolve if ready to publish
• TD Security and Privacy Considerations
  • Rough draft: TD PR207
• Online plugfest
  • Security call will be held that week as normal; before plugfest starts, technically
  • Best practices document review and testing
• Action item review
• Issue and PR review
• Other issues

Sept 3, 2018

• Review of minutes from last meeting
• Final review of updated Security and Privacy Considerations
  • Small fixes: Sec PR116
• TD Security and Privacy Considerations
  • Rough draft: TD PR207
• Best practice document review
• Issue and PR review
• Other issues

Aug 27, 2018

• Review of minutes from last meeting
• W3C Permissions update: https://github.com/mmccool/w3c-permissions-2018
• English cleanup PR112: https://github.com/w3c/wot-security/pull/112
• Best practices: https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md
• Other issues

Aug 20, 2018

• Guest: Xiaoru Li, Baidu
  • Reviewed IG patent policy for the record...
• Review of minutes from last meeting
• Extra meetings at TPAC early in the week?
• New DTLS schemes: cert, public
• MQTT Security (wrt DTLS security schemes)
• W3C Permissions: application submitted
• Other issues

Aug 13, 2018

• Review of minutes from last meeting
• Review W3C Permissions application
• PR108 Security Scenarios
• DTLS Security
• Best practices
• Other issues and PRs
• Other business

Aug 6, 2018

• Review of minutes from last meeting
• W3C Permissions Workshop
• TD Update Review
• Testing (Fuzz testing, DTLS)
• Best practices (brainstorming)
• Planning: next steps
• Other issues and PRs
• Other business

July 30, 2018

• Review of minutes from last meeting
• PR 107: Document Restructuring
• Testing plan: security section
• TD Updates (psk and none schemes)
• Making "security" mandatory
• Planning: next steps
• Other issues and PRs
• Other business

July 23, 2018

• Review of minutes from last meeting
• Plugfest and F2F Recap (if necessary)
• Security Definitions Proposal
• PR 107: Document Restructuring
• Review other issues and PRs
• Other business

June 25, 2018

• Review of minutes from last meeting(s)
• Plugfest and F2F Prep
• Next release
• External validation
  • IIC
  • W3C Web Security IG
• Review other issues and PRs
• Other business

June 11, 2018

• Review of minutes from last meeting(s)
• Privacy
  • Review Privacy threat mitigations
• Plugfest/F2F/TPAC Preparation
  • Review Security Plugfest Preparation
• Planning
  • Action items
  • Next release
• Review other issues and PRs
• Other business

June 4, 2018

• Review of minutes from last meeting(s)
  • May 28, 2018
• Review Security Metadata PR for Thing Description
  • Clarify purpose of security metadata
  • Discuss criteria for inclusion of scheme in core vocabulary
• Privacy
  • Review Privacy threat mitigations
• Plugfest/F2F/TPAC Preparation
  • Review Security Plugfest Preparation
• Review other issues and PRs
• Other business

May 28, 2018

• Review of minutes from last meeting(s)
• Review PRs
• Plugfest/F2F/TPAC Preparation
  • Conflicts w/ TPAC: Linux Security Summit Europe (Oct 25-26)
• Review issues
• Other business

May 21, 2018

• Review of minutes from last meeting(s)
• Review PRs
• Plugfest/F2F/TPAC Preparation
• Review issues
• Other business

May 14, 2018

• (X) Review of minutes from last meeting(s)
• Review PRs
  • Privacy
  • Tunneling
• TD Security Vocabulary
• Online Test System - Intel
• Review issues
• Other business

May 7, 2018

• (X) Review of minutes from last meeting(s)
• Review PRs
• Review issues
• Other business

Apr 30, 2018

• Review of minutes from last meeting(s)
• Events for signaling lifecycle transitions, eg destroying an object
• Review PRs
• Review issues
• Other business

Apr 23, 2018

• Review of minutes from last meeting(s)
• PR89: Improving section 6 based on F2F discussions and scenarios
• PR88: Updates to Security Metadata Proposal
• Review other issues
• Other business

Apr 16, 2018

• Review of minutes from last meeting(s)
• Review topology of plugfest scenarios
• Review updated security metadata proposal
  • merge PR if appropriate
• Review issues and other PRs
  • Especially Jason Novak's issues

Apr 9, 2018

• Review of minutes from last meeting(s)
• NDSS DISS workshop paper: updates to publication version
  • Final camera-ready version due April 10 (tomorrow)
  • https://github.com/mmccool/ndss-wot-sec/blob/master/ndss-diss-008.pdf
  • Already uploaded, but have (tiny) window left to make corrections
• Updated "security metadata" PR
  • Simple JSON-LD 1.1 changes
  • Changes to as/ts/rs keywords
  • https://github.com/w3c/wot-security/pull/88
• Update master with working
  • https://github.com/w3c/wot-security/pull/87
• Planning: What Next?
  • Lifecycle: overall vs. security-specific
  • Testing and validation: https://github.com/w3c/wot/pull/439
  • Industrial and enterprise use case discussion (ACLs? Roles and profiles? Root of trust? TPMs?)
  • More updates to security metadata: roles, profiles, scopes, other schemes
  • Related IETF WGs:
    • TEEP: Trusted Execution Environments Provisioning
    • SUIT: Software updates for the IoT
  • Requesting security review from W3C Security group
  • Goals for next F2F and plugfest
  • Security review of the scripting API, including metadata and errors
• Other topics
  • Review issues and other PRs
    • Next time make sure to review Jason Novak's issues