IG Security WebConf/2022
Agendas from WoT Security TF in 2022
19 December 2022
Scribe: Kaz
- Minutes:
- Next Charter
- Publications
- Updates to S&P Guidelines
- Aim to complete reviews and suggested changes (issues/PRs) by Jan 23.
- Testing
- Planning
- Next meeting 23 Jan 2023
- AOB
5 December 2022
Scribe: Jiye
- Minutes:
- Logistics
- Schedule
- Cancelled Dec 12 due to Testfest
- Last Meeting in 2022: Dec 19
- Cancelled Dec 26-Jan 9 (inclusive)
- First Meeting in 2023: Jan 16
- Publications - Wide Reviews
- Testing
- AOB
28 November 2022
Scribe: Kaz
- Minutes:
- Publications - Wide Reviews
- Testing
- Implementation Reports and Gaps
- Updates to S&P Guidelines doc
- AOB
21 November 2022
Scribe:
- Minutes:
- Publications
- Architecture - "Trusted Environment" review
- Updates to S&P Guidelines doc
- Security Testing
- Testfest goal?
- AOB
14 November 2022
CANCELLED - McCool unavailable
7 November 2022
CANCELLED - McCool unavailable
31 October 2022
CANCELLED - Kaz unavailable
24 October 2022
Scribe: Jiye
- Minutes:
- Issues
- Implementation Reports
- PRs
- Planning
- Cancellations
- S&P Guidelines update
- Security Testing
- AOB
17 October 2022
Scribe: Kaz
- Minutes:
- Issues
- Implementation Reports
- PRs
- Planning/Logistics
- McCool unavailable Nov 7-18.
- AOB
10 October 2022
Scribe: Jan
- Minutes:
- Issues
- Implementation Reports
- Most issues still open have to do with security
- Architecture 1.1 (rendered)
- Thing Description 1.1 (rendered)
- Discovery (rendered)
- Profile (rendered)
- Generally look at issues marked to the attention of Security TF in other repos
- This one in the TD repo was called out: https://github.com/w3c/wot-thing-description/issues/1670
- Implementation Reports
- AOB
3 October 2022
CANCELLED - Plugfest
26 September 2022
Scribe: Philipp
- Minutes:
- Review issues
- Planning
- Publication
- Testing
- AOB
22 August 2022
Scribe: Jiye/Philipp
- Minutes:
- TAG Review
- Architecture S&P assertion review
- AOB
8 August 2022
Scribe: Kaz
- Minutes:
- Wide Review
- Check links below
- TAG Review
- Action items - progress
- Architecture S&P assertion review
- AOB
1 August 2022
Scribe: Kaz
- Minutes:
- Wide Review
- TAG Feedback
- https://github.com/w3ctag/design-reviews/issues/736
- https://github.com/w3c/wot-thing-description/issues/1635 - Adjust Policy-Like Assertions (TD)
- https://github.com/w3c/wot-security/issues/208 - Remove References to "Security Best Practices" (All)
- https://github.com/w3c/wot-security/issues/209 - Update "Security and Privacy Guidelines" prior to PR of other deliverables
- Other Issues
- AOB
25 July 2022
Security call cancelled due to testfest.
Please review https://github.com/w3ctag/design-reviews/issues/736 and in particular consider how to modify security and privacy assertions in deliverables to make them more testable (point 4 in response to TAG).
18 July 2022
Scribe: Kaz
- Minutes:
- Wide Review
- TAG Feedback
- https://github.com/w3ctag/design-reviews/issues/736
- Some security items need responding to
- Issues
- AOB
11 July 2022
Scribe: Kaz
- Minutes:
- 27 June 2022 - reviewed last week
- 4 July 2022
- Wide Review
- Issues
- Next Charter Topics
- AOB
4 July 2022
Scribe: Philipp
No agenda - wiki was down.
27 June 2022
Scribe: Kaz
- Minutes:
- Recently Merged Updates
- Pending Updates - Review
- Privacy Wide Review - Updates
- AOB
20 June 2022
Scribe: Philipp
- Minutes:
- Updates
- IDs (Wide Review Issues)
- https://github.com/w3c/wot-thing-description/issues/1497
- https://github.com/w3c/wot-discovery/issues/303
- Short-term vs. long-term solutions
- auto
- Negotiation vs. apriori knowledge
- AOB
13 June 2022
Scribe: Kaz
- Minutes:
- Discovery and TLS/DTLS
- Issues & Wide Reviews
- AOB
30 May 2022
Scribe: Jiye
- Minutes:
- Discovery
- Wide Reviews
- Security
- Privacy
- Issue Reviews
- AOB
23 May 2022
Scribe: Jiye
- Minutes:
- TLS Cleanup
- IDs
- Discovery Security Bootstrapping
- Wide Reviews
- Issue Reviews
- AOB
16 May 2022
Scribe: Jan/Kaz
- Minutes:
- Arch Security and Privacy Considerations update
- Discovery Explainer Draft
- ID requirements - TD privacy consideration?
- Wide Reviews
- Issue Reviews
- AOB
9 May 2022
Scribe: Jan
- Minutes:
- Wide Review Responses
- https://github.com/w3c/wot-thing-description/issues/1490
- Summary: PING requesting we disallow "nosec" if TD has PII (or has immutable ID, e.g. if required by law)
- Same issue probably also applies to discovery
- BUT:
- non-nosec schemes need transport security (TLS) to actually be effective
- Not really critical on private networks, and TLS is difficult (but not impossible) on private networks, since CAs/browsers expect non-local URLs, disallow self-signed certs, etc.
- Might still want non-nosec on private networks without TLS to avoid *casual* access
- Proposal: context-dependent assertions
- When TDs contain PII or PII can be inferred from them...
- Note that in general this would not apply to "development"
- MUST use (D)TLS/transport security on internet (Things with public URLs), MUST NOT use "nosec" in this case
- SHOULD ... and SHOULD NOT ... on local (non-public) networks
- On the public internet not using transport security or authentication is a Bad Idea even for development without PII risk, so maybe there should be a "SHOULD" assertion for this case... or the MUST assertion can just apply to everything, whether or not there is PII at risk.
- When TDs contain PII or PII can be inferred from them...
- There is an additional problem with "descriptive TDs" e.g. brownfield devices, that may not follow these assertions. We can't fix such issues in existing devices, but we could add an assertion (to Discovery, say) that such TDs MUST NOT be distributed publicly.
- See https://github.com/w3c/wot-architecture/pull/747
- https://github.com/w3c/wot-thing-description/issues/1490
- Profiles and UUIDs
- See above
- Issues
- AOB
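The context-dependent assertions proposed above (MUST use (D)TLS and MUST NOT use "nosec" for Things with public URLs when PII is at risk; SHOULD on local networks) can be checked mechanically against a Thing Description. The following checker is an added example, not code from the WoT Security TF or any W3C deliverable. It assumes one reading of the proposal (MUST for public + PII, SHOULD for public without PII or local with PII, nothing for local without PII), a heuristic for deciding whether a URL is "public" (loopback, private and link-local IPs, `.local`/`.home.arpa` names and bare hostnames count as local), and an illustrative list of URI schemes that carry transport security; the sample TD is constructed for the demo.

```python
"""Check a Thing Description's forms against the context-dependent
security assertions proposed in the 9 May 2022 agenda.

Added example, not W3C WoT code. Assumptions: the local-host heuristic,
the SECURE_SCHEMES list and the MUST/SHOULD mapping are all illustrative.
"""

import ipaddress
from urllib.parse import urljoin, urlparse

# URI schemes that carry TLS/DTLS (assumption: illustrative, not normative).
SECURE_SCHEMES = {"https", "wss", "coaps", "mqtts"}


def is_local_host(host: str) -> bool:
    """Heuristic: private/loopback/link-local IPs, .local and .home.arpa
    names, and single-label hostnames are treated as non-public."""
    h = host.lower().strip("[]")
    if h == "localhost" or h.endswith(".local") or h.endswith(".home.arpa"):
        return True
    try:
        ip = ipaddress.ip_address(h)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return "." not in h  # bare hostname: assume LAN


def form_security(td: dict, form: dict) -> list:
    """Resolve the effective security scheme names for a form
    (form-level 'security' overrides the TD-level default)."""
    sec = form.get("security", td.get("security", []))
    if isinstance(sec, str):
        sec = [sec]
    defs = td.get("securityDefinitions", {})
    return [defs.get(name, {}).get("scheme", "unknown") for name in sec]


def all_forms(td: dict) -> list:
    forms = []
    for section in ("properties", "actions", "events"):
        for affordance in td.get(section, {}).values():
            forms.extend(affordance.get("forms", []))
    forms.extend(td.get("forms", []))
    return forms


def check_td(td: dict, contains_pii: bool) -> list:
    """Return (level, href, message) findings for every form that falls
    short of the proposed assertion that applies in its context."""
    findings = []
    for form in all_forms(td):
        href = urljoin(td.get("base", ""), form["href"])
        url = urlparse(href)
        public = not is_local_host(url.hostname or "")
        # Assumed mapping: MUST on the public internet with PII at risk;
        # SHOULD for public-without-PII or local-with-PII; no assertion otherwise.
        if public and contains_pii:
            level = "MUST"
        elif public or contains_pii:
            level = "SHOULD"
        else:
            continue
        if "nosec" in form_security(td, form):
            findings.append((level, href, f'{level} NOT use "nosec"'))
        if url.scheme not in SECURE_SCHEMES:
            findings.append((level, href, f"{level} use (D)TLS; got {url.scheme}"))
    return findings


def demo_td() -> dict:
    """Constructed sample TD: one local nosec form, one public TLS+bearer
    form, one public nosec form."""
    return {
        "title": "demo-thing",
        "securityDefinitions": {
            "nosec_sc": {"scheme": "nosec"},
            "bearer_sc": {"scheme": "bearer"},
        },
        "security": "nosec_sc",
        "properties": {
            "temperature": {"forms": [{"href": "http://192.168.1.20/temp"}]},
            "status": {"forms": [{"href": "https://things.example.com/status",
                                  "security": ["bearer_sc"]}]},
        },
        "actions": {
            "setpoint": {"forms": [{"href": "http://things.example.com/set"}]},
        },
    }


if __name__ == "__main__":
    for pii in (True, False):
        print(f"contains PII: {pii}")
        for level, href, msg in check_td(demo_td(), pii):
            print(f"  [{level}] {href}: {msg}")
```

Run as-is to see how the same TD yields MUST-level findings for the public nosec form and only SHOULD-level findings for the LAN form, and how dropping the PII flag silences the LAN findings entirely. A "descriptive TD" for a brownfield device would produce the same findings; the agenda's remedy there is to keep such TDs from being distributed publicly rather than to fix the device.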
2 May 2022
Scribe: Philipp
- Minutes:
- S&P Considerations
- Best Practices
- Testing
- Issues
- AOB
25 April 2022
Scribe: Jan
- Minutes:
- S&P Considerations
- Best Practices
- Testing
- Issues
- AOB
11 April 2022
Scribe: Philipp
- Minutes:
- S&P Considerations
- Best Practices
- Security in Home Assistant
- Testing
- Issues
- AOB
4 April 2022
Scribe: Jiye
- Minutes:
- Recap: PRs recently merged
- New PRs and Issues
Future meeting:
- Review Use Cases and Requirements
- Security Testing Plan
- Scripting
- https://github.com/w3c/wot-scripting-api/issues/390
- Discuss how to manage credentials both for normal access and for discovery, provide feedback to Scripting API design
- Consider existing Credential API in browser
- Probably should have some suggested assertions - in Architecture, that constrain all implementations (since Scripting API is not normative, but Architecture is)
28 March 2022
Scribe: Jan
- Minutes:
- To do
- Recap
- Security and Privacy Considerations
- Security Testing Plan
- Scripting
- https://github.com/w3c/wot-scripting-api/issues/390
- Discuss how to manage credentials both for normal access and for discovery, provide feedback to Scripting API design
- Consider existing Credential API in browser
- Probably should have some suggested assertions - in Architecture, that constrain all implementations (since Scripting API is not normative, but Architecture is)
- Architecture
- Need to review and update security and privacy considerations in Architecture
- https://github.com/w3c/wot-architecture/issues/726
28 February 2022
Scribe: Jan
- Minutes:
- To do
- Security and Privacy Considerations
- Security Testing Plan
- To Do: Scripting
- https://github.com/w3c/wot-scripting-api/issues/390
- Discuss how to manage credentials both for normal access and for discovery, provide feedback to Scripting API design
- Consider existing Credential API in browser
- Probably should have some suggested assertions - in Architecture, that constrain all implementations (since Scripting API is not normative, but Architecture is)
- To Do: Architecture
- Need to review security and privacy considerations in Architecture
- AOB
28 February 2022
Scribe:
- Minutes:
- Pending TD updates
- auto for "in"
- security consideration consolidation -> normative
- Review Security Questionnaire for Wide Review
- Security Testing Plan
21 February 2022
Scribe: Philipp
- Minutes:
- Review Lifecycle PR in Architecture (McCool to do)
- TD security scheme problems: https://github.com/w3c/wot-thing-description/issues/1394#issuecomment-1044655255
- New TD security and privacy considerations: https://github.com/w3c/wot-thing-description/pull/1402
- Review Security Questionnaire for Wide Review
- Security Testing Plan
14 February 2022
Scribe: Jan
- Minutes:
- Review Security Questionnaire for Wide Review
- For each deliverable... or not?
- https://w3ctag.github.io/security-questionnaire/
- Start github issues
- Issues in Other TFs
- TBD
- Discuss/Finalize Existing PRs
- Discovery: https://github.com/w3c/wot-discovery/pull/264
- Architecture: https://github.com/w3c/wot-architecture/pull/679
- Resolves https://github.com/w3c/wot-architecture/issues/672
- New PR: https://github.com/w3c/wot-architecture/pull/686
- Continuation of #679
- "Trusted Environments"
- Discuss New PRs
- Thing Description: https://github.com/w3c/wot-thing-description/pull/1360
- Resolves https://github.com/w3c/wot-thing-description/issues/1348
- Security validation as auditing mitigation
- Thing Description: https://github.com/w3c/wot-thing-description/pull/1360
- AOB
7 February 2022
Scribe: Kaz
- Minutes:
- 24 January 2022 (finalization)
- 31 January 2022
- Review Security Questionnaire for Wide Review
- For each deliverable...
- https://w3ctag.github.io/security-questionnaire/
- Issues in Other TFs
- TBD
- Discuss/Finalize Existing PRs
- Discovery: https://github.com/w3c/wot-discovery/pull/264
- Architecture: https://github.com/w3c/wot-architecture/pull/679
- Resolves https://github.com/w3c/wot-architecture/issues/672
- New PR: https://github.com/w3c/wot-architecture/pull/686
- Continuation of #679
- "Trusted Environments"
- Discuss New PRs
- Thing Description: https://github.com/w3c/wot-thing-description/pull/1360
- Resolves https://github.com/w3c/wot-thing-description/issues/1348
- Security validation as auditing mitigation
- Thing Description: https://github.com/w3c/wot-thing-description/pull/1360
- AOB
31 January 2022
Scribe: Philipp
- Minutes:
- Issues in Other TFs
- Remove MD5 from e.g. list for bearer: https://github.com/w3c/wot-thing-description/issues/1362
- Finalize Security and Privacy Consideration Updates
- Discovery: https://github.com/w3c/wot-discovery/pull/264
- Thing Description: https://github.com/w3c/wot-thing-description/pull/1360
- Architecture: https://github.com/w3c/wot-architecture/pull/679
- Resolves https://github.com/w3c/wot-architecture/issues/672
- New PR: https://github.com/w3c/wot-architecture/pull/686
- Continuation of #679
- "Trusted Environments"
- AOB
24 January 2022
Scribe: Kaz
- Minutes:
- Planning
- Review Issues and PRs
- Profiles, self-description, LAN security
- https://github.com/w3c/wot-discovery/issues/254
- https://github.com/w3c/wot-discovery/pull/264
- AOB
17 January 2022
Scribe: Jiye
- Minutes:
- Planning
- Review Issues and PRs
- AOB
10 January 2022
First meeting of 2022.
Scribe: Jan
- Minutes:
- Planning
- Review Issues and PRs
- AOB