Meeting minutes
Minutes
McCool: (goes through the minutes)
approved
Logistics
McCool: OK to have the call at this slot?
Mahda: prefer one hour later
McCool: how about you, Kaz?
Kaz: should be OK but there is a possibility the MEIG Chairs call will be held at that time
McCool: let's start that slot (Monday, one hour later) from Aug 8 then
RESOLUTION: WoT Security TF will shift the TF call slot to Monday, one hour later than the current slot (=13 UTC) on and after August 8
Planning
McCool: (explains the structure of security-related documents)
… current proposed Charter doesn't have WoT Security as a normative deliverable
… we have to work on a bunch of restructuring
… we couldn't finalize testing on DTLS 1.3 for WoT 1.1
… we can look at the resources on GitHub
wot PR 1097 - Security Planning
<McCool> wot/planning/Security
McCool: there is another document on WoT Discovery as well
wot/planning/Discovery/work-items.md
McCool: (goes through the items)
McCool: (going back to the Security planning document)
… (goes through the items)
… Signing, Extensions, Ease of Use
… Onboarding
… (shows wot-wg-2023-details.html)
McCool: (goes through some of the items)
… Discovery JSON Path Query Language
… next thing to come, and important for security and privacy purposes
… Canonicalization
… one big thing is related to WoT Profile
… that is "Cloud Events Payload Binding"
… believe need to handle security information too
Kaz: those items are very important, and would require detailed description on use cases and system settings
<Mizushima> +1 for kaz
Kaz: so how to describe the use cases would be one of the keys for the next Charter period
McCool: right
… think probably what we should do is clarify the necessary information including the motivation
McCool: we've not really described necessary mitigations for each possible risk
McCool: (shows the Implementation Report for WoT Thing Description 1.1)
Web of Things (WoT) Thing Description 1.1 Implementation Report
McCool: (then shows the WoT Use Cases document)
WoT Use Cases and Requirements (Editors Draft)
McCool: probably we need to extend the "Security Considerations" section for use case descriptions
McCool: (goes back to wot-wg-2023-details.html)
McCool: we've been mainly working on HTTP
… for the next step, why don't we look into the Use Cases document?
WoT Use Cases and Requirements (Editors Draft)
McCool: (then shows the WoT Security Note)
WoT Security and Privacy Guidelines
McCool: there is some description on possible mitigations within the WoT Discovery spec too
WoT Discovery spec (which includes Mitigations sections)
McCool: would like to update the Use Cases document with updated security consideration descriptions
Kaz: that's good
… but we need to clarify the basic procedure as the whole WoT WG during the main call too
McCool: two possible approaches
… a. adding security considerations to each use case
… b. having a separate section on security consideration
… note that DDoS is not listed as a threat yet
… (generate a GitHub Issue on that)
wot-security Issue 221 - DDoS is not listed as a Threat
McCool: ah, but an existing issue already...
… (issue 221 closed)
wot-security Issue 212 - Add DDoS thread
[adjourned]