09:58:09 RRSAgent has joined #https-local
09:58:09 logging to http://www.w3.org/2016/09/21-https-local-irc
09:58:30 rrsagent, start a new log
09:59:11 rrsagent, make logs public
09:59:27 rrsagent, make minutes
09:59:27 I have made the request to generate http://www.w3.org/2016/09/21-https-local-minutes.html Tomoyuki
10:02:24 kaorumaeda has joined #https-local
10:02:24 junichi-hashimoto has joined #https-local
10:02:47 dajiaji has joined #https-local
10:03:10 matsuo has joined #https-local
10:03:16 Zakim has joined #https-local
10:03:32 mdadas has joined #https-local
10:03:33 takeshi has joined #https-local
10:03:40 Present+ Tomoyuki_Shimizu
10:03:52 ajitomi has joined #https-local
10:04:04 present+ Kaoru_Maeda
10:06:32 kaz has joined #https-local
10:06:48 rrsagent, make log public
10:06:50 rrsagent, draft minutes
10:06:50 I have made the request to generate http://www.w3.org/2016/09/21-https-local-minutes.html kaz
10:07:39 hyojin has joined #https-local
10:07:56 Hiroki has joined #https-local
10:08:35 Tomoyuki_ has joined #https-local
10:08:45 mfoltzgoogle has joined #https-local
10:08:54 annevk has joined #https-local
10:09:00 MikeSmith has joined #https-local
10:09:02 tidoust has joined #https-local
10:09:04 Tomoyuki: Gives intros
10:09:11 gmandyam has joined #https-local
10:09:57 ... Smart TVs, set-top boxes have HTTP services in home networks.
10:10:24 satoshin has joined #https-local
10:10:26 ... HTTP and WebSockets without TLS are considered non-secure and have some problems.
10:10:35 wonsuk_ETRI_ has joined #https-local
10:10:45 tidoust2 has joined #https-local
10:11:08 ... How can we access these in-home servers in HTTPS?
10:11:11 igarashi has joined #https-local
10:11:30 i/Tomoyuki:/scribenick: kaorumaeda/
10:11:30 ying_ying has joined #https-local
10:12:11 Meeting: HTTPS Migration in Local Network Breakout
10:12:15 ... Goals in this session: Clarify motivation, share difficulties, collect ideas, provision a community group
10:12:19 Agenda: https://www.w3.org/wiki/TPAC2016/SessionIdeas#HTTPS_Migration_in_Local_Network
10:13:19 vivien has joined #https-local
10:13:22 topic: HTTPS Migration in Local Network
10:13:27 Junichi presents HTTPS Migration in Local Network
10:13:31 kiyoshi has joined #https-local
10:13:32 https://www.w3.org/wiki/images/4/43/Http-migration-in-local-network.pdf
10:13:34 kajimoto has joined #https-local
10:14:00 mkwst has joined #https-local
10:14:05 Junichi: related sessions 2014 WoT devices, 2015 ??
10:15:02 ... Use case: vehicle API exposes car signals (speeds, rpm, etc.)
10:15:16 urata_access has joined #https-local
10:15:17 hamid has joined #https-local
10:15:47 ... Introducing local server to provide APIs. Easier implementation and access control
10:16:33 kotakagi has joined #https-local
10:17:36 ... Use case 2: Local video storage. A web page from a cloud service wants to access local video storage. This is a cross origin access. Problems with TLS and DNS lookup arise
10:19:16 ... PLEX's solution: Local server announces its local IP address to cloud application server. Application server tells the local server URL (with embedded IP address) to the browser. Browser looks up DNS that in turn returns local IP address
10:19:57 ... Local server has a cert whose CN is *.id.example.com
10:20:39 ... CA/Browser forum guidance deprecates local IP like 192.168.*.* as Common Name.
10:21:14 Pen has joined #https-local
10:21:24 ohsumi has joined #https-local
10:21:58 ... PLEX's solution has a public DNS that returns local IP address.
10:22:48 @@: This would be acceptable by the guidance. Common Name looks like a public address.
10:22:59 s/@@:/Brad:/
10:23:28 Karima has joined #https-local
10:23:53 Hiroki_ has joined #https-local
10:24:17 FINDIX has joined #https-local
10:25:11 Brad: The point of the guide is when looking up 'mail' that returns different certs in different environment.
10:25:57 Joe: Think which of public PKI and private CA case?
10:26:12 Junichi: both, but for this session public.
10:26:51 Junichi: So far we don't have enough support for local device certificates.
10:27:25 ... We want better solution than PLEX's. For privacy, discovery, and management purposes.
10:28:44 present+
10:28:48 q+
10:29:07 ... Different stakeholders take care of different subsets of the participants in Internet to private network picture.
10:30:46 @@: You can have trusted association between local devices and private certs can work
10:31:20 nunoken1 has joined #https-local
10:31:48 Junichi: I don't reject that. We want simpler solution.
10:32:22 Tatsuya: We introduced the problem and want as many solutions.
10:32:28 q-
10:33:37 topic: Local Network Discovery and HTTPS
10:33:37 Tatsuya: Addresses problem of discovery of local device
10:33:50 https://www.w3.org/wiki/images/6/6c/TPAC2016_Local_Discovery_and_HTTPS.pdf
10:33:56 s/@@/Giridhar/
10:34:18 ... UA can have local CA's certificates (or self-signed) if well-managed locally.
10:34:44 ... However W3C standards like CORS don't like Mixed Contents or self-signed certs.
10:34:55 (FWIW, CORS doesn't require HTTPS, but the point he made stands.)
10:35:03 ... Local network traffic should be encrypted as well.
10:35:38 ... Straw Man solution. Use TLS server certs with FQDN and public DNS for LAN devices.
10:36:34 ... The idea is that the local device registers LAN address FQDN to a dynamic DNS server
10:37:33 ... local mDNS respond CNAME to the (public) dynamic DNS server
10:39:53 ... Use case local media server page can be displayed in WebView. EME in Secure Context is possible.
10:40:33 ... Use case 2: Presentation API discovery is possible.
10:41:38 kaz has joined #https-local
10:41:49 rrsagent, draft minutes
10:41:49 I have made the request to generate http://www.w3.org/2016/09/21-https-local-minutes.html kaz
10:42:41 Chair: Tomoyuki_Shimizu
10:42:51 present+ Kaz_Ashimura(W3C), Kaoru_Maeda(Lepidum), Junichi_Ajitomi(Toshiba), Tomoyuki_Shimizu(KDDI), Giri_Mandyam(Qualcomm), Tatsuya_Igarashi(Sony), Tomohiro_Yamada(NTT), Kiyoshi_Tanaka(NTT)
10:42:58 present+ Matsuo_Suzuki(SoftBank), YounJae_Shin(SoftBank), Hamid_Amir_Alikhani(Panasonic), Licheng_Yin(Qihoo360), Francois_Daoust(W3C), Yves_Lafon(W3C), Mike_West(Google), Mike_Smith(W3C), Brad_Hill(Facebook), Jiajia_Li(Alibaba), Rouslan_Solomakhin(Google)
10:43:04 present+ Joe_Hall(Center_for_Democracy_and_Technology), Mohammed_Dadas(Orange), Jin_Peng(China_Mobile), Yingying_Chen(W3C), Olive_Xu(W3C), Kazuhiro_Hoya(J-BA)
10:43:49 Brad: CNAME approach could be problematic because trust between DNS servers is not enough
10:44:10 @@: mDNS in public Wifi can be easily spoofed
10:44:19 s/@@/Cullen/
10:44:53 topic: “.local” Server Certificate for HTTPS migration on local network
10:45:01 https://www.w3.org/wiki/images/3/37/2016.w3c.breakout_session.dot-local-server-cert.p.pdf
10:45:08 Daisuke presents ".local" server certificate
10:46:44 Daisuke: Use case: local media cache server. VoD service offers local media cache for the browser.
10:47:13 present+ Claes_Nilsson(Sony), Jatinder_Mann(Microsoft), Yoshiaki_Ohsumi(Panasonic), Kazuo_Kajimoto(Panasonic), Takeshi_Kanai(Sony), Cullen_Jennings(Cisco), Ari_Keranen(Ericsson), Carsten_Bormann(TZI), Toshihiko_Yamakami(ACCESS)
10:47:49 ... Problem: it's mixed content. Can't issue valid server certificates to local devices.
10:47:53 rrsagent, draft minutes
10:47:53 I have made the request to generate http://www.w3.org/2016/09/21-https-local-minutes.html Tomoyuki
10:48:45 ... User cannot have an opportunity to authorize local server access to the origin. User cannot judge whether the origin is evil or not.
10:49:23 ... Candidate solution: ".local" server certs allowed only on user+UA grants.
10:50:19 present+ Natashi_Rooney(GSMA), Vivien_Lacourba(W3C), Osamu_Nakamura(W3C), Adam_Roach(Mozilla), Koichi_Takagi(KDDI), J.C._Jones(Mozilla), Rik_Cabanier(Adobe), Mark_Foltz(Google), Hyojin_Song(LGE), Kenichi_Nunokawa(Keio), Satoshi_Nishimura(NHK)
10:50:38 ... UA provides a new API that allows secure origin to access local devices by issuing .local server certificates.
10:51:38 ... IoT devices' CSR with attestation key is sent to CA via UA's API.
10:52:14 q?
10:54:29 ... PoC impl on Web Bluetooth API. BLE can be a promising proximity transport. But we lack certs installation API.
10:55:12 ... Does ".local server certificates" sound practical?
10:55:42 present+ Anne_van_Kesteren(Mozilla), James_Graham(Mozilla)
10:55:47 rrsagent, draft minutes
10:55:47 I have made the request to generate http://www.w3.org/2016/09/21-https-local-minutes.html kaz
10:56:07 Anne: Focus with user consent is good. Tap on the device could approve establishing secure connections.
10:56:43 present+ Wonsuk_Lee(ETRI)
10:56:46 rrsagent, draft minutes
10:56:46 I have made the request to generate http://www.w3.org/2016/09/21-https-local-minutes.html kaz
10:57:14 mkwst: Host name + hash of public key might be one way to achieve this.
10:57:29 kazho has joined #https-local
10:58:45 Cullen: If we assume dynamic DNS, nothing stops that the device decides its unique host name.
10:59:28 Anne: Local IP address disclosure is different between these solutions.
11:01:33 Tatsuya: Randomized DNS name could be a similar approach in IPv6 local link address.
11:01:56 q+
11:02:06 ... When mDNS cannot be trusted, HTTPS neither. There is no additional risk.
11:03:14 Joe: Privacy problem exists in Mitsubishi cars' identities that can be tracked location
11:03:32 Tatsuya: Domain name can be rotated.
11:03:53 Cullen: Hardest part is to decide what privacy properties you want to protect.
11:04:17 tidoust2 has joined #https-local
11:06:07 @@@: ???
11:06:20 s/@@@:/Giri:/
11:07:44 Tomoyuki: Next steps: continue discussions but where?
11:08:19 kaz: please continue the discussion about how to proceed :)
11:08:29 [ adjourned ]
11:08:34 rrsagent, draft minutes
11:08:34 I have made the request to generate http://www.w3.org/2016/09/21-https-local-minutes.html kaz