Meeting minutes
Preliminary
Jiye: Jiye Park from Siemens
… taking over the role from Oliver
<sebastiankaebisch> Hello
McCool: (gives basic instructions)
<McCool> https://
McCool: you can bookmark the URL of the wiki page above
<Jiye> thanks!
McCool: we have 2 documents
… Security and Privacy Guidelines
… and Security Best Practices document
… tell people the best strategy for security and privacy
… currently the document is thin
… need use cases and best practices
… including HTTPS and OAuth
… as discussed during the vF2F, we require authentication
… separate spec for key distribution
… the best practices document is not yet published
<McCool> https://
<McCool> https://
McCool: we use separate GitHub repositories for spec work for easier rendering
… GitHub and HTML rendering for WoT Security and Privacy Guidelines above
<McCool> https://
McCool: the Best Practices document will be changed in the future
… meant to be an appendix
<McCool> https://
<sebastian> sorry, I need to go now. Bye
McCool: we have two large sections for the Security Best Practices document
Jiye: thanks for the summary
Issues related to the Scripting API
McCool: anything to be added to the agenda?
Zoltan: would it make sense to have generic guidelines for exposing/consuming Things?
… there should be different requirements for exposing Thing and consuming Thing
McCool: ok
… let me capture the points within an issue
wot-security-best-practices issue 26 - Use Cases for Exposed and Consumed Things
McCool: and another issue on onboarding and key distribution
wot-security-best-practices issue 27 - Add Onboarding/Key Distribution Section
McCool: keys are needed for TLS
… in a global network, existing CA-based mechanisms can and should be used
… in local and offline networks, a separate key distribution mechanism is needed in order to use TLS
… this is currently a gap but we should define the requirements here
… discovery may also be needed
… explain how this relates to WoT Discovery
… bunch of stuff being discussed on onboarding
Zoltan: can give some comments
… to the GitHub Issue
Cristiano: we're also tracking an issue for the Scripting API
<cris_> https://
Zoltan: should belong to another issue on provisioning
<cris_> (to be more precise we have this issue https://
McCool: (adds that point to the Issue 27)
Issue 27 - Add Onboarding/Key Distribution Section
Cristiano: two links above
… wot-scripting-api issue 298 should be better to use here
McCool: (adds a link for wot-scripting-api issue 298 to wot-security-best-practices issue 27)
McCool: it's a separate issue from key management
… we should look into the library
… (adds comments to wot-scripting-api issue 298)
… we should add exploratory work
… (adds comments to wot issue 978 about the WoT WG renewal)
wot issue 978 - WoT WG renewal 2021
McCool: Management API as a separate API from the Scripting API
… including configuring security schemes and establishing keys
… onboarding process results in a set of "key objects"
updated comments for wot issue 978
Kaz: 2 comments
… we should work with the DAS WG about this point
… also we should have a generic issue on onboarding and key management for the wot-security repository as well as the wot-best-practices repository
McCool: yeah
… would consider making the "Security Best Practices" a normative document
… but we'd like to update the document based on the latest best practices
Kaz: in that case, Note would be a better direction
McCool: or might be an evergreen approach
… need to consider how this relates to certification
<McCool> https://
McCool: possibility of Fugu above
AOB
McCool: we had joint discussion on Signature, etc., with the DID WG guys
… they have a mechanism to distribute keys
Zoltan: any idea on offloading by Web Assembly, etc.?
McCool: similar discussion during the breakout by the Web Networks guys
… our own question is do we want to work on that ourselves?
… or would the other group(s) to work on that?
… need to look into Web Workers as well
… let's continue to work on the topics
… will review the prev minutes next week.
[adjourned]