Meeting minutes
Minutes Review
<kaz> Sep-4
McCool: (goes over the minutes)
… we did a few PRs
… PR #226 was merged
… PR 225 is still open, we will discuss it today
… PR 224 was closed
… without merging
… Kaz, can you add that to the minutes?
Kaz: Will do
<kaz> ("merged" has been added to PR 226)
McCool: Then we discussed TPAC
… looks good besides one spelling mistake, will discuss the PR today
Minutes are approved
PRs
PR 225
<kaz> PR 225 - Add DDoS Threats
McCool: This is in the wot-security repo
… previously, we only had DoS but not DDoS in the document
… I added a threat for that
… and two examples, amplification attacks and takeovers
… we are also discussing this in the discovery document with regard to CoAP
… further down in the document, I added additional text regarding the DDoS threat
… for corporate environments, I simply refer back to scenario 1
… any comments?
McCool: One more thing: Under industrial critical infrastructure, the limiting of outbound connections is discussed
Mahda: Just a stylistic comment: "as well as possible" is not a very clear formulation
McCool: I'll change it to "should be mitigated"
… does that fix it?
Mahda: Yes
McCool: Let's not talk too much about mitigations in this PR, we can still add it later
Jan: Changes looked good to me as well
McCool: Luca also approved it, let's merge it
PR is merged
McCool: I think this also closes an issue
… the issue that is resolved is 212
… (closes the issue)
<McCool> Issue 212 - Add DDoS threat
McCool: We should probably review issues at some point, but not today
TPAC followup
<kaz> Day 1
<kaz> Day 2
McCool: Do you have the minutes of the meeting, Kaz?
Kaz: (posts the links above)
McCool: We can start by looking at the minutes, we discussed security on day 2
… first part is just me walking through the presentation
… should be well documented
… except for comments
… just to review this quickly: we talked about threat models, which are not consistent yet
… there should be a .md file somewhere, let me know if you know where to find it
… then I talked about how we associate features and use cases
… one thing that's been bugging me: features are different from mitigations
… and policies are different than technical features
… technical features support policies, but they are not themselves a feature
… I have a proposal: We could try to find some categories
… and then we can try to align it with the discussion
… a problem is that the discussion took a different path than what's in the presentation
… (adds a link to the security section in the TPAC minutes to the wiki)
McCool: We have two types of notes: the ones from the minutes and the ones I put into the Powerpoint
… we need to consolidate them
Kaz: I can add your summary to the minutes
McCool: I want to extract the actionable information
… we can add a link, but we should extract a summary from the minutes
Kaz: From my understanding, your summary included the most important points from the discussion, right?
McCool: That was my understanding at the time. However, we should create a separate file with a consolidated summary of both kinds of notes
… (pastes the notes from the minutes into a new file in the wot repository)
… I want to summarize this
… (starts adding bullet points with a summary at the top of the file)
… the minutes don't really capture more than one category
McCool: I guess one criticism we can consider is that the threat model talks about mitigations etc. but the overall structure is not reflected. Could be defined in the use cases and requirements document
… one thing that I think was brought up by Ege or Luca were safety-critical features and safety-related ontologies
… Kaz, I want to summarize your points here
Kaz: My point was that many guidelines should be regarded for smart cites, e.g. the Japanese guidelines
… as a follow-up, we can consider the resources that are available with regard to that topic
McCool: Sebastian raised the issue of developer awareness
McCool: A lot of the points were that people did not know about the guidelines document
… they often mentioned links, so I'll add that to the summary as well
McCool: Then we had Modbus or rather existing standards
McCool: I think I am going to summarize David's point by adding points regarding different domains (smart home vs factory, health as an example that I mentioned during the discussion but was not recorded in the minutes)
… (adds a link to the newly created file to the TPAC readme)
… let's take another look at my notes from the slides
… looks like they are different, let's see if we can merge them
… (copies them over to the new file)
… (incorporates new aspects into the summary)
… the two are now merged, looks like the minute taker and I were recording different aspects of the same conversations
Kaz: Do you want the link from the minutes to this Markdown?
McCool: Maybe, let me first save this and copy it to the IRC
… I would put a link to after my slides
… and I would do the same for discovery
… and would ask the others to the same
McCool: So we have some work to do and I have a plan which involves reviewing the existing documents
… I personally need to cut a bit back on WoT activities
… and I think we cannot have security experts do everything
… so I think we need to create a structure to let people do the security assessment easily
… a higher level way of organizing is needed. We should also have other people read the threat models and incorporate that into their document
… regarding the time issue: We need to find more people who want to work on this topic
Mahda: I think it makes sense to have more people on board who are security experts
McCool: Besides Siemens, we also used to have an Intel person on board with regard to security
… we need to identifiy companies who have a high investment in WoT and want to volunteer security experts to work on this
… I want to say Microsoft, but no Microsoft employee is attending the calls regularly
Kaz: Need to discuss that during the chairs/main calls
Issues
Issue 223
<kaz> Issue 223 - Fix ReSpec warning
McCool: Just noticed that this issue can also be closed
<McCool> w3c/
McCool: was resolved by PR 226
Issue is closed
Issue 222
<kaz> Issue 222 - Create Anchors for Threats
McCool: I think this issue can also be closed since we noticed that links are actually being created
… (adds a comment to the issue and closes it)
<McCool> w3c/
McCool: Maybe next meeting we should look through the issues and set up a plan in the issue tracker
… I'll add that to the agenda for next time
[adjourned]