Meeting minutes
Minutes
approved
Issues
TD Issue 1497
TD Issue 1497 - Identifiers don't seem to rotate enough
McCool: still need confirmation to close this
… (adds a label "Propose closing")
… can be closed in the Aug 3 TD call
Discovery Issue 303
Discovery Issue 303 - Personal devices and public/private TDDs
McCool: already closed
… (adds some more comments)
Wide reviews
TAG review
design reviews issue 736 - Web of Things (WoT) Architecture 1.1
kaz: I was suggesting we have a joint meeting with TAG
… probably we don't need to wait until TPAC but have that meeting this month
McCool: good idea
… have you or Sebastian contacted them?
kaz: no, not from me
McCool: agree, the sooner, the better
… but we still need to fix our own action items too
TD Issue 1635 - Adjust Policy-Like Assertions
Security Issue 208 - Remove References to "Security Best Practices"
Security Issue 209 - Update "Security and Privacy Guidelines" prior to PR of other deliverables
McCool: still need to work on policy-like assertions for TD (Issue 1635 above)
… also for Discovery and Architecture as well
TD assertions
McCool: (skims the assertions)
Jiye: it's more deployment information
… could have clearer description, once onboarding/offloading is clearly specified
McCool: right
… in that case, what can we do now?
Jiye: we can remove the assertion itself. maybe?
McCool: opt1. deleting the assertion
… opt2. refine the text
… opt3. clarify it's a policy
… think opt 3 would be the best
… and the question is how to describe that
… (adds some comments about possible rewording)
McCool: need rewording
jr: making the capital SHOULD lower case?
McCool: (generates a proposed text)
… "As a matter of policy, it is suggested that THing Descriptions associated with a personal device be treated as if they contained personally identifiable information, even if this information is not explicit"
jr: sounds good
Jiye: fine
McCool: similar rewording here as well
… "As a matter of policy, it is suggested that strings sourced from TDs either be sanitized using a carefully betted HTML sanitizer that diabls any markup or be inserted into an HTML template using DOM node manipulation APIs that will escape any markup."
McCool: two assertions here
Constrained implementations SHOULD use statically managed and vetted versions of their supported context extensions. Constrained implementations SHOULD NOT follow links to remote contexts.
McCool: then
Supported context extensions on constrained implementations MAY be managed through secure software update mechanisms.
McCool: we could just delete it or make it a feature-at-risk
Jiye: opt 1 is fine for this
kaz: just to make sure, the first two assertions within one sentence remain
… while the last one "Supported..." to be removed
… right?
McCool: right
… suggest option 1 (delete it) for security-update-contexts (Supported context extensions...)
… but fold the idea of "secure" updates into an earlier assertion: "Constrained implementations..."
=> "Constrained implementations SHOULD use vetted versions of their supported context extensios managed statically or as part of a secure update process."
McCool: what do you think?
(no objections)
McCool: will generate a PR for that in time for the TD call on Aug 3
[adjourned]