Meeting minutes
Minutes
McCool: looks good
… any objections?
(approved)
Kaz: suggest I send a consolidated email including URLs of draft minutes from the week with URLs of approved minutes from the previous week.
McCool: sounds good
Todo
McCool: use case discussion to be resumed
… (updates the agenda with "Use Cases and Requirements")
… (also adds "Next agenda")
… (then creates an entry for "Oct 2" on the Security agenda wiki)
PRs and Issues
PR 210
PR 210 - Proposed Changes for 2023 Update
McCool: would close this PR 210 for the 2023 planning
Kaz: agree to close it
… what is more important at the moment is resuming the discussion on use cases
Issue 209
Issue 209 - Update "Security and Privacy Guidelines" prior to 2023 PR transitions
McCool: useful comments here
<McCool> this issue has the list of considerations: w3c/
McCool: (goes through the comments on the issue)
… probably we should go through and make some of them separate issues
… (creates another "survey.md" file based on the comments)
<McCool> PR 227 - Create Survey.md
Issue 206
Issue 206 - Add and Update References
McCool: discussion when Lagally was around
… need to think about that
… not just add references but add description on cloud security
… unfortunately, I myself don't have enough time at the moment
Kaz: so we need some volunteer to handle this
McCool: good point
… was originally assigned to Jiye
Kaz: could ask Mahda instead?
Mahda: yeah
McCool: probably take something straightforward
Issue 213
<McCool> Issue 213 - Rename "Requirements" section to "Analysis"
McCool: would ask Mahda to take Issue 213 for Jiye
Mahda: ok
Kaz: what about 206?
Issue 206 - revisited
Issue 206 - Add and Update Cloud and Terminology References
McCool: would you mind thinking about this Issue 206 as well, Mahda?
… the question is that cloud security would be a big area
Kaz: probably we should make our scope for "WoT security" a bit clearer
… some people might expect "WoT should cover cloud security as well as IoT security"
McCool: that's too broad
Kaz: yeah
… so we should clarify our scope and how WoT developers are encouraged to use WoT with the other security mechanisms as a guideline
McCool: (creates a separate issue on "IoT-Cloud Integration")
Issue 228 - IoT-Cloud Integration Threat Analysis
McCool: (also adds comments to Issue 206)
So probably best to focus this on IoT/Cloud integration, but the above references are about the broader context of cloud security. So we probably want to look for better, more focused references for IoT-Cloud integration. Second we probably want to think about specific threats and risks for cloud integration but that can be a separate issue... #228
Also, I think we should deal with the "Terminology" reference above separately and focus in this issue on finding and including a good reference for IoT-Cloud integration security.
McCool: can reuse some of the existing definitions...
… any thoughts on this, Mahda?
… would like to assign this to you, Mahda
… narrow task is finding a nice reference
Issue 205
Issue 205 - Mapping tuya device
McCool: think this should be moved to TD
Kaz: kind of similar discussion around node-wot was held during the Scripting API call
… I think we as the WoT WG/IG as a whole should have some discussion about how to deal with input from node-wot developers within the WoT WG/IG Task Forces
McCool: yeah
… having duplicated discussions would be confusing
… for example, this issue 205 should be transferred to wot-thing-description repository
… with a label of "Security"
… so that the Security TF is aware of them and will review them
Kaz: think that's kind of similar to the mechanism of the Wide Reviews
McCool: yeah
… how about adding reviews for issues with "Security" from wot-thing-description repository to the Security TF agenda?
Kaz: you mean not only for wot-thing-description but also wot-architecture, wot-discovery, etc.?
McCool: right
… wot-scripting-api as well
Kaz: ok
Issue 204
Issue 204 - Review Security Architecture of Home Assistant
McCool: there was discussion by the WoT CG (during TPAC breakouts) on "Home Assistant"
… they use bearer token
… we could close this issue 204 itself
… because I've looked at their approach already
Kaz: closing this issue itself is fine
… but we should clarify some further mechanism by another issue for binding, etc.?
McCool: the bottom line is already done
… further research can be done by another issue
… any objections to close Issue 204 itself?
(no objections)
(closed)
Issue 203
Issue 203 - Consolidate security issues of use cases document
McCool: now, we should discuss use cases document!
Kaz: this is also related to the discussion we had 5 mins ago
… putting "Security" label to the issues from all the WoT spec repositories related to WoT Security
McCool: ok
… let's keep this Issue 203 open
<McCool> w3c/
McCool: (transferred wot-security Issue 203 to wot-usecases Issue 229)
Next agenda
McCool: Next time, let's review issues from other repos related to WoT Security
… e.g., wot-usecases/issues/229
TPAC Followup
McCool: probably we should create a file on our plan
… to update the Use Cases and Requirements document
… create issues in wot-usecases repo to execute security revisions
Kaz: restarting the use cases discussion is great
… but how to deal with the use cases discussion in general is a question
… so if we want to start with the use cases for security during the WoT Security call, we should declare that plan during the main call
McCool: starting initial discussion on security first
… and think about how to update the use cases document
… will mention the plan during the main call on Wednesday
Kaz: ok
McCool: please remind me if I forget :)
[adjourned]