22:00:15 RRSAgent has joined #httpslocal
22:00:15 logging to https://www.w3.org/2017/11/08-httpslocal-irc
22:02:06 rrsagent, make minutes
22:02:06 I have made the request to generate https://www.w3.org/2017/11/08-httpslocal-minutes.html tomoyuki
22:04:00 minami has joined #httpslocal
22:04:31 komasshu has joined #httpslocal
22:04:52 urata_ has joined #httpslocal
22:04:57 Tomoyuki started the session.
22:04:59 igarashi has joined #httpslocal
22:05:31 gmandyam has joined #httpslocal
22:05:47 In this session, we want to discuss how to deploy HTTPS in a local network.
22:06:19 Magnus has joined #httpslocal
22:06:29 vincentK has joined #httpslocal
22:06:35 present+
22:06:57 Goal: to connect various devices/browsers to the local network with HTTPS.
22:07:08 Geun_Hyung has joined #httpslocal
22:07:27 present+ Geun_Hyung
22:07:48 Issue: browsers require a secure context, but devices provide mixed content.
22:07:57 present+
22:08:05 wooLim has joined #httpslocal
22:08:10 Kyosuke has joined #httpslocal
22:08:58 Let's Encrypt requires internet connectivity, so it is not applicable to a local network.
22:09:23 What can we do for local network devices?
22:09:50 The HTTPS in Local Network CG is focusing on this issue.
22:10:30 The CG has been discussing use cases for several months.
22:10:58 Home networks, automotive and IoT are in scope.
22:11:16 The CG is also discussing requirements.
22:11:35 Hexcles_ has joined #httpslocal
22:12:51 First, device discovery and identification.
22:13:01 Second, how to grant certificates.
22:13:27 Third, certificate validation.
22:14:27 We need secure, safe and easy mechanisms to use valid certificates in a local network.
22:15:35 Today's presentations are for raising discussion, so they are not limited to the use cases or situations.
22:16:47 Kyosuke__ has joined #httpslocal
22:17:09 komasshu: If devices have other access methods, they should be considered.
22:17:25 horo has joined #httpslocal
22:17:26 Daisuke started presentation.
22:17:29 snishimura has joined #httpslocal
22:18:00 A) Public CA certificate
22:18:13 B) Private CA certificate
22:18:29 C) Self-signed certificate
22:19:36 jdai has joined #httpslocal
22:19:46 Example of a public CA certificate: PLEX's solution.
22:19:47 tomoyuki has joined #httpslocal
22:20:45 Present+ Tomoyuki_Shimizu
22:21:07 Pros: no need to extend the UA implementation.
22:21:53 Present+ Daisuke_Ajitomi, Tatsuya_Igarashi
22:22:19 Cons: the UA can't access the device when the internet is down; domain names and IP addresses are disclosed globally; billions of TLS-capable IoT devices have to be registered in DNS.
22:22:30 Chair: tomoyuki
22:23:08 Private CA certificate case. Pros: the UA can access the device even if the internet is down.
22:23:13 Agenda: https://www.w3.org/wiki/TPAC/2017/SessionIdeas#HTTPS_in_Local_Network
22:23:21 Cons: this kind of certificate is not permitted by the UA.
22:23:34 Meeting: HTTPS in Local Network breakout
22:23:53 Private CA certificate example: ACME's OoB challenge for TLS servers in the local network.
22:24:39 ACME is a generalized protocol for Let's Encrypt.
22:26:38 In this case, the private CA doesn't need device discovery because it knows the device name via OAuth authorization.
22:26:55 Self-signed certificate.
22:27:41 Pros: the UA can access the device even if the internet is down.
22:27:50 Cons: (sorry, missed).
22:28:34 Cons: there is no trust in the certificate, and there is no way to revoke the certificate when the device is compromised.
22:29:16 For A) we need some improvements to DNS.
22:29:30 For B) we need some strict conditions.
22:29:44 For C) we should eliminate this idea.
22:30:05 Topic: discussions about different trust levels of server certificates
22:31:03 ?: Is ACME's out-of-band challenge an extended protocol?
22:31:15 Daisuke: Yes.
22:32:15 Another idea is to use a QR code for the OoB challenge.
22:33:05 ?: IoT devices need this solution.
22:33:30 ?: Is this solution only applicable to UA-to-machine?
22:33:53 Daisuke: IMO, this is not applicable to M2M.
22:35:52 ?: Do you have a discovery registry mechanism?
22:36:34 Smart TV is one of the cases.
22:37:10 ?: The discovery mechanism has to have trust.
22:38:21 Tatsuya: mDNS does not provide trust; currently there is no mechanism to provide trust.
22:39:17 ?: (off-line environment).
22:40:01 Tatsuya: An online environment is required only for certificate issuance.
22:41:33 ?: If WebRTC or similar APIs are provided, it would work for this issue.
22:42:33 Tatsuya: WebSocket and/or TLS need this mechanism.
22:44:30 Tatsuya: We'd like to take up the challenge of making local devices part of the network.
22:44:42 Tatsuya started presentation.
22:45:06 HTTPS in local network featuring STAR.
22:45:09 tomoyuki_ has joined #httpslocal
22:45:15 Topic: HTTPS in Local Network featuring STAR
22:45:45 STAR: proposal to extend the ACME protocol.
22:46:21 FYI: ACME STAR I-D: https://tools.ietf.org/html/draft-ietf-acme-star-00
22:46:22 Short-Term, Automatically-Renewed (STAR) Certificates.
22:47:21 tantek has joined #httpslocal
22:47:22 The main use case of STAR is CDNs.
22:48:40 komasshu has joined #httpslocal
22:49:02 An idea to use STAR in the local network.
22:49:53 The STAR client (NDC) is in the local network and can connect to the STAR proxy (DNO) on the internet.
22:50:31 The STAR proxy would be the device vendors.
22:51:15 The issue is the UA side.
22:51:39 The UA should support some discovery mechanism.
22:53:29 A scenario is to verify CNAME and SNI matching.
22:54:33 To avoid connecting to malicious IoT devices, user consent is required.
22:55:26 A similar discussion occurred in the Let's Encrypt community.
22:57:15 Example of device selection: a successful pre-flight appears green in the user pop-up dialog.
22:57:54 ?: Pre-flight TLS is a regular TLS mechanism.
22:59:15 Tatsuya: Even for M2M connection, initial confirmation is required.
22:59:51 ?: Local DNS configuration with DANE may be useful.
23:00:35 Tatsuya: A public CA is important to trust local web servers.
23:01:32 ?: In TLS 1.3, SNI is encrypted.
23:02:12 Osamu: What is the next step of this activity?
23:02:31 Tatsuya: Facilitate more discussion in W3C.
23:03:04 Osamu: This discussion seems to be protocol definition; isn't it IETF work?
23:03:41 Tatsuya: Collaboration between W3C and IETF is needed.
23:05:28 Tomoyuki: We need more help :-)
23:05:37 (sorry for poor scribing)
23:08:41 RRSAgent, bye
23:08:41 I see no action items