W3C

- DRAFT -

WoT Security

07 May 2018

Attendees

Present
Michael_McCool, Michael_Koster, Elena_Reshetova, Soumya_Datta, Nimura_Kazuaki, Barry_Leiba, Tomoaki_Mizushima
Regrets
Kaz
Chair
McCool
Scribe
elena


<McCool> scribenick: elena

Michael: won't review the minutes from last meeting, will do them next time

McCool: let's review the issues and open PRs
... we accepted two PRs last week: 90 and 91

https://github.com/w3c/wot-security/pull/90

https://github.com/w3c/wot-security/pull/91

McCool: let's discuss open issues for PR 90 and decide if they can be closed

looking at the changes in PR 90

McCool: changes are ok, but we need to create issues for each new editor note that got added

Elena: will do the changes

<Mizushima> https://github.com/w3c/wot-security/issues/71

McCool: issue 71 is not ready to be closed, we need to have security recommendations created first
... issue 69 can be closed since Network adversary now covers passive network attacker
... issue 68 also can be closed since configuration data is now clarified in the document
... PR 92 wasn't updated yet
... next let's look at the issues
... new issue 114 by Zoltan

about the end-of-life signaling and potential security interactions

Elena: denial of service might be the only security implication

The actual issue is 93

https://github.com/w3c/wot-security/issues/93

zkis: the conclusion from scripting side is to do this via best effort TD change notifications

McCool: how are TD change notification events protected over the network?

zkis: any observe messages can be spoofed

McCool: the actual security protection depends on actual protocol binding being used
... concrete implementations will have to make sure that such events are always authenticated
... I am still working on issues with regards to metadata
... issue 73 looks more like information giving than an issue

we need to cross reference this issue from security metadata PR

actually the issue is already mentioned in the examples

can leave open for now

McCool: issue 72 about identifiers and fingerprinting

we need to write a privacy section

McCool: need to create a short privacy section with highlights on privacy threats and security recommendations

AR to elena to start on this section

McCool: issue 72 is also about privacy risks, should go to the same section on privacy
... same as issue 70

Summary of Action Items

[ONGOING] ACTION: elena to work on issue 68 (Thing Provider Data Specification) and issue 69 (Passive Observers Risk)
[ONGOING] ACTION: elena/koster to work on terminology
[ONGOING] ACTION: mccool to work on issue 70 (Require Not Exposing Immutable Hardware Identifiers?)
[ONGOING] ACTION: mccool to talk with security guys about testing/validation timeline
[ONGOING] ACTION: mccool to work on tunneling/shadow for the security metadata proposal
[ONGOING] ACTION: mccool to work on PR 90
[ONGOING] ACTION: zkis to create scripting issue for TD life cycle in scripting api
[ONGOING] ACTION: mjkoster/elena to review examples in the security spec
 

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.147 (CVS log)
$Date: 2018/05/21 23:11:44 $