Meeting minutes
Review Minutes
McCool: Some typos to address
<McCool_> regarding minutes, a few typos
<McCool_> "chater" -> "charter", "sigining" -> "signing", "tls" -> "TLS", then in discussion of "onboarding" I did respond to Kaz saying that I felt we should get started on discussing some of the detailed work planning, but that yes, onboarding does not directly impact the charter
McCool: Consensus on the previous minutes edited?
McCool: Published
Review Architecture Assertion Presentation
<McCool_> Slides on Architecture
Segmented network
<kaz> arch-security-consideration-segmented-network
McCool: This assertion is at risk but also easy to implement
McCool: How can we test this assertion?
McCool: Access to trusted environment means access to all the devices
McCool: The assertion is about the whole system, since it is in architecture
Jiye: So it applies to the deployer, not the single device
Jiye: The question was about if the device has to be aware it is in a specific segment
Jiye: How do we check it is implemented?
McCool: In this case the deployer has to confirm
Jiye: Then it should not be at risk
Jiye: Would be a good idea to write down a comment in the document
Jan: Would be a good idea to move this to the best practice section?
McCool: The assertions are about the bare minimum for security
… e.g. guest network vs IoT network in a hotel deployment
Kaz: I agree with Jan and Luca, but technically we should, but we cannot do that today
… this assertion is not a requirement for the architecture itself
… those assertions are SHOULD
… and they are useful to point best practices
McCool: This section could be downgraded to informative later
Kaz: if we do not have implementations, we can move them to informative
… we can make an editor's note for those best practices
McCool: As long as it is not already included in another section
Using PSK
<McCool_> https://
McCool: Certificates are one way to share pre-shared keys
… there are other ways to share them
McCool: We can add a sentence to say that it is not required to use TLS-PSK.
Jiye: Browsers cannot use PSK, if we want to support browsers we have to allow other systems
McCool: <Issue created about it>
McCool: Reword to use Certificate instead of pre-shared-key
<McCool_> w3c/
Communication Platform
<McCool_> https://
Jiye: Ege is not clear on what this assertion is about and I wrote my understanding of it
McCool: it boils down to the definition of Platform
… a weaker bridge cannot be created if the bridged ecosystem requires to have the same level of security (e.g. OCF)
Luca: This is a specification of the basic compatibility requirement
Luca: How to test it though?
McCool: The test would be about the "bridge" more than about the TD; if the "bridge" is compliant, then the TD has only to faithfully describe it
Kaz: we can open an issue to clarify the relationship between "IoT Ecosystem" and "IoT Platform" here.
<kaz> [adjourned]