McCool: need to skip plugfest/f2f
review again
... went over proposals
... (updates the agenda with "Testing plan")
... first action is done
... 2nd action, did the 2nd half
... waiting for answer
... carry forward with the 4 last actions
... and new action: "McCool to write PR on TD spec for security definition"
... any objections to accept the prev minutes?
(none)
McCool: ok. so the minutes have been accepted
(Barry joins)
McCool: (goes through the agenda for today)
... anything else?
(none)
McCool: happy with it
... a few minor fixes
... go ahead with the next step
... nothing major
... go ahead and accept that
... any objection to merge this?
(none)
McCool: ok. will merge it :)
... get action to clean it up
... one more chance to discuss before merging with the main branch
McCool: follow through the action from f2f
... drafted a document here
McCool: one thing I would ask people to do
... go through the section on security testing
... limited scope (=list of "NOT do"s)
... lifecycle limitation for point 2
... protocols for point 3
... security best practices for point 4
... should have a separate document for security best practices
... but later
... MQTT - TODO: details: DTLS testing etc.
... for HTTP, I have SSL testing, etc.
Barry: we might do...
... to use HTTPS, CoAPS, MQTTS
... obvious to use secure version of protocols
McCool: ok
... need to have how to secure MQTT
Barry: need to see core working group document
McCool: create a PR for one paragraph?
Barry: can work on a shot
McCool: if you can send by email, I can make a PR
... CoAP-based protocol
... e.g., DTLS testing
... regarding HTTP, described web services here
... one of issues
... particular commercial service or tool?
... or standard
... may have political issues
... might have some example
... free/opensource one
... link to OWASP Testing Project
McCool: and penetration testing
... these 2 things should be enough
... please review this section and give comments
... Metasploit is a framework
... thought that was a free one
McCool: PSK and none schemes
https://rawgit.com/w3c/wot-thing-description/TD-JSON-LD-1.1/index.html#security
https://github.com/w3c/wot-thing-description/pull/173
McCool: maybe the rendered version is not correctly submitted yet...
<McCool> https://github.com/w3c/wot-thing-description/issues/165
McCool: created a TD issue above (165)
... Should "security" be mandatory
... can declare security "none" at the top level
... would like to respond to Ben and ask him for clarification
... having nothing vs "none" have slightly different meanings
... actual implementations can do something if nothing is specified
... but TD should have explicit information
... would discourage TDs from being incomplete
... personally think security should be mandatory
... we could recommend security is mandatory for machine-to-machine interaction
... would like to see people's opinions
Barry: definitely should be mandatory
McCool: others?
Nimura: should be mandatory
McCool: it is related to binding contract
Mizushima: no questions
McCool: (adds a comment to issue 165)
... discussed this in the security tf and the consensus was to make "security" mandatory
... also, we felt that the security spec in the TD should be "binding", e.g., it should be considered an error if the Thing goes off and does security a different way.
... resolution: yes, make it mandatory. also binding.
McCool: we can remove the first action (from the prev minutes)
... need to ping IIC
... 3 other things got no progress yet
... new action
<scribe> ACTION: Barry to suggest DTLS testing plan applicable for CoAP/MQTT
<McCool> ACTION: McCool to clean up Security and Privacy Considerations documents for final update to master by next week
McCool: also best practice document
<McCool> ACTION: everyone to generate set of best practices for draft by next week
McCool: no update on the long-term schedule
... will update people to find out
McCool: leave it open
McCool: any opinions?
... originally raised by Lagally during f2f
... more than form for different mechanisms
... any prioritization?
... any objections to leave out priorities?
Barry: makes sense
(no objections)
McCool: (adds a comment to issue 105)
... We discussed this in the Security TF and felt that priorities caused more problems than they would solve and we should leave them out.
McCool: adds a comment
... We ARE going to have a Best Practices document of some kind if only to limit the scope of testing. Initially this will just be a section of the Security and Privacy Considerations document although we should break it out into a separate document eventually.
[adjourned]