IG Security WebConf/2022

From Web of Things Interest Group

Agendas from WoT Security TF in 2022

19 December 2022

Scribe: Kaz

5 December 2022

Scribe: Jiye

28 November 2022

Scribe: Kaz

21 November 2022

Scribe:

  • Minutes:
  • Publications
    • Architecture - "Trusted Environment" review
  • Updates to S&P Guidelines doc
  • Security Testing
    • Testfest goal?
  • AOB

14 November 2022

CANCELLED - McCool unavailable

7 November 2022

CANCELLED - McCool unavailable

31 October 2022

CANCELLED - Kaz unavailable

24 October 2022

Scribe: Jiye

  • Minutes:
  • Issues
    • Implementation Reports
  • PRs
  • Planning
    • Cancellations
    • S&P Guidelines update
    • Security Testing
  • AOB

17 October 2022

Scribe: Kaz

  • Minutes:
  • Issues
    • Implementation Reports
  • PRs
  • Planning/Logistics
    • McCool unavailable Nov 7-18.
  • AOB

10 October 2022

Scribe: Jan

3 October 2022

CANCELLED - Plugfest

26 September 2022

Scribe: Philipp

  • Minutes:
  • Review issues
  • Planning
    • Publication
    • Testing
  • AOB

22 August 2022

Scribe: Jiye/Philipp

  • Minutes:
  • TAG Review
    • Architecture S&P assertion review
  • AOB

8 August 2022

Scribe: Kaz

  • Minutes:
  • Wide Review
    • Check links below
  • TAG Review
    • Action items - progress
    • Architecture S&P assertion review
  • AOB

1 August 2022

Scribe: Kaz

25 July 2022

Security call cancelled due to testfest.

Please review https://github.com/w3ctag/design-reviews/issues/736 and in particular consider how to modify security and privacy assertions in deliverables to make them more testable (point 4 in response to TAG).

18 July 2022

Scribe: Kaz

11 July 2022

Scribe: Kaz

4 July 2022

Scribe: Philipp

No agenda - wiki was down.

27 June 2022

Scribe: Kaz

20 June 2022

Scribe: Philipp

13 June 2022

Scribe: Kaz

  • Minutes:
  • Discovery and TLS/DTLS
  • Issues & Wide Reviews
  • AOB

30 May 2022

Scribe: Jiye

23 May 2022

Scribe: Jiye

16 May 2022

Scribe: Jan/Kaz

9 May 2022

Scribe: Jan

  • Minutes:
  • Wide Review Responses
    • https://github.com/w3c/wot-thing-description/issues/1490
      • Summary: PING requesting we disallow "nosec" if TD has PII (or has immutable ID, e.g. if required by law)
      • Same issue probably also applies to discovery
      • BUT:
        • non-nosec schemes need transport security (TLS) to actually be effective
        • Not really critical on private networks, and TLS is difficult (but not impossible) on private networks, due to CA/Browsers expecting non-local URLs, disallowing self-signed certs, etc.
        • Might still want non-nosec on private networks without TLS to avoid *casual* access
      • Proposal: context-dependent assertions
        • When TDs contain PII or PII can be inferred from them...
          • Note that in general this would not apply to "development"
        • MUST use (D)TLS/transport security on internet (Things with public URLs), MUST NOT use "nosec" in this case
        • SHOULD ... and SHOULD NOT ... on local (non-public) networks
        • On the public internet not using transport security or authentication is a Bad Idea even for development without PII risk, so maybe there should be a "SHOULD" assertion for this case... or the MUST assertion can just apply to everything, whether or not there is PII at risk.
      • There is an additional problem with "descriptive TDs" (e.g. brownfield devices) that may not follow these assertions. We can't fix such issues in existing devices, but we could add an assertion (to Discovery, say) that such TDs MUST NOT be distributed publicly.
      • See https://github.com/w3c/wot-architecture/pull/747
  • Profiles and UUIDs
    • See above
  • Issues
  • AOB

2 May 2022

Scribe: Philipp

25 April 2022

Scribe: Jan

11 April 2022

Scribe: Philipp

4 April 2022

Scribe: Jiye

Future meeting:

28 March 2022

Scribe: Jan

28 February 2022

Scribe: Jan

28 February 2022

Scribe:

21 February 2022

Scribe: Philipp

14 February 2022

Scribe: Jan

7 February 2022

Scribe: Kaz

31 January 2022

Scribe: Philipp

24 January 2022

Scribe: Kaz

17 January 2022

Scribe: Jiye

10 January 2022

First meeting of 2022.

Scribe: Jan