15:03:28 RRSAgent has joined #wot-discovery
15:03:28 logging to https://www.w3.org/2021/02/01-wot-discovery-irc
15:03:38 Meeting: WoT Discovery
15:04:08 cperey has joined #wot-discovery
15:04:20 present+ Kaz_Ashimura, Michael_McCool, Christian_Glomb, Farshid_Tavakolizadeh, Kunihiko_Toumura
15:04:30 present+ Andrea_Cimmino
15:04:41 present+ Christine_Perey
15:07:45 present+ Tomoaki_Mizushima
15:08:10 Agenda: https://www.w3.org/WoT/IG/wiki/WG_WoT_Discovery_WebConf#1_February_2021
15:08:19 scribenick: cperey
15:08:28 cris has joined #wot-discovery
15:08:41 mm: review minutes of January 25 meeting
15:08:41 zakim, who is on the call?
15:08:41 Present: Kaz_Ashimura, Michael_McCool, Christian_Glomb, Farshid_Tavakolizadeh, Kunihiko_Toumura, Andrea_Cimmino, Christine_Perey, Tomoaki_Mizushima
15:09:07 present+ Cristiano_Aguzzi
15:09:16 i/review/topic: Previous minutes/
15:09:17 mccool: we haven't done anything to follow up on last week's actions
15:09:22 dezell has joined #wot-discovery
15:09:28 mccool: asks Kaz if reached out to liaison
15:09:35 present+ David_Ezell
15:09:37 kaz: yes, just starting on liaison stuff
15:09:47 mccool: we looked at PDRs
15:10:15 mccool: probably take care of some of these open items today and we did talk about some of these things during security meeting
15:10:16 i|review minutes of|-> https://www.w3.org/2021/01/25-wot-discovery-minutes.html Jan-25|
15:10:27 s/PDRs/PRs/
15:10:28 mccool: any objections to approving minutes? hearing none, they are published
15:10:50 mccool: quick updates: nothing in particular. Liaison still in progress
15:11:10 mccool: maybe one thing to consider: if we did a geospatial ontology were required for WOT discovery
15:11:25 mccool: might make sense to make that a joint standard with OGC. Might be useful
15:11:30 mccool: start floating that idea?
15:11:39 kaz: start with liaison
15:11:49 kaz: if needed, we can switch with memorandum
15:12:09 mccool: OK.
Let's arrange a meeting with OGC people, once we've written the strawman
15:12:28 kaz: existing vocabulary and ontology would be best, we just refer to it
15:12:34 mccool: ok let's table for now
15:12:41 s/with liaison/with simple liaison/
15:12:44 mccool: any other quick updates?
15:13:02 mccool: where are we with implementations: path but not SPARQL
15:13:12 mccool: andreas was working on one with SPARQL
15:13:36 FarshidT has joined #wot-discovery
15:13:37 ft: we also need ???
15:13:58 s/???/implementations/
15:13:59 mccool: timeline for implementation is running behind but we need to get done by end of summer
15:14:15 andreas: Implementation we are working on covers JSON and SPARQL path
15:14:30 mccool: will you implement implementation?
15:14:41 sorry...
15:14:50 will not implement SPARQL
15:15:02 andreas: we will focus on
15:15:32 from Siemens: internally, we're discussing and will report next week
15:15:33 i/quick updates:/topic: Quick updates/
15:15:52 Cglomb: we are working on a SPARQL implementation but not getting back from LDF
15:16:10 s/andreas/andrea/g
15:16:11 cglomb: we have a student working on this and wasn't able to resolve the problem.
15:16:29 andrea: we are giving back LD but there is a blocking issue
15:16:45 mccool: let's check to see if already captured this as an issue... checking
15:16:59 mccool: looks like it is issue #1015
15:17:03 https://github.com/w3c/wot-thing-description/issues/1015
15:17:22 mccool: Going to label this one
15:17:30 mccool: ... as discovery
15:17:40 ... and raise its importance
15:17:53 mccool: label called "blocker"
15:18:09 i/any other quick/topic: Implementations/
15:18:18 mccool: I'll try to make sure that we have this in the discussions
15:18:31 mccool: Seimens will do SPARQL and assuming also doing A-Frame
15:18:47 mccool: Add the issue number
15:19:20 mccool: anything else about implementation status?
15:19:34 mccool: want to track implementations more clearly in the future
15:19:36 s/https/-> https/
15:19:52 mccool: where should we track? in discovery under testing?
15:20:06 s/1015/1015 wot-thing-description Issue 1015 - Problems translating TDs from JSON-LD 1.1 to RDF and back/
15:20:15 mccool: where to describe implementations? in the readme.md I think we want to add implementations section
15:20:36 rrsagent, make log public
15:20:44 rrsagent, draft minutes
15:20:44 I have made the request to generate https://www.w3.org/2021/02/01-wot-discovery-minutes.html kaz
15:21:08 @kaz: can u please correct Seimens (should be Siemens) mccool: adding implementation
15:21:32 mccool: there will be 3 implementations. A short paragraph about each. Don't want to clutter up the Readme or have too much
15:21:46 ft: there is a directory called "prior work"
15:21:54 mccool: an implementation must follow the spec
15:21:54 s/Seimens/Siemens/g
15:22:01 ft: right but transfer that over
15:22:09 Chair: McCool
15:22:56 mccool: what we should do is create new directory called "Readme" and have in it the names
15:23:12 mccool: Fraunhofer linkSmart, and put URL, copy later
15:23:12 rrsagent, draft minutes
15:23:12 I have made the request to generate https://www.w3.org/2021/02/01-wot-discovery-minutes.html kaz
15:23:14 s/Cglomb: we are working/cris: we are working/
15:23:33 mccool: Univ of Madrid implementation
15:23:38 s/ cglomb: we have a student/cris: we have a student/
15:24:18 andrea: UPM
15:24:25 acimmino has joined #wot-discovery
15:24:30 andrea:
15:24:36 s/UPM/UPM OEG/
15:24:37 andrea cimmino, Universidad Politecnica de Madrid (UPM, OEG
15:24:40 mccool: has JSON, X-path and SPARQL
15:24:51 mccool: finally another one from Siemens
15:25:10 mccool: is it OK to write in here. Do you intend to support the full standard, including all three?
15:25:23 cglomb: JSON for sure, and SPARQL
15:25:27 mccool: more than good enough
15:25:52 mccool: later we can create other files to link to different things, LinkSmart, UPM OEG,
15:25:59 mccool: do you have a name for implementation yet?
15:26:02 andrea: not yet
15:26:20 cglomb: do the implementations be made publicly available? or enough if internal
15:26:25 -> https://github.com/w3c/wot-discovery/blob/master/implementations/README.md WoT Discovery implementation page
15:26:27 mccool: doesn't have to be open source or anything
15:26:40 mccool: doesn't have to be open source or anything just for adoption
15:26:51 mccool: ideally, we need one full implementation for open source
15:27:00 mccool: right now the only one is UPM
15:27:29 andrea: do we want to include other things in the implementation (more than only search, also management implementation which we may or may not do)
15:27:38 mccool: end of the day we need two of everything
15:27:54 mccool: doesn't have to be super performant, but for adoption purposes. Open source is not a requirement
15:28:06 mccool: if available, people could use open source code
15:28:20 mccool: but if you include a feature that's only useful in a factory setting, that's OK too
15:28:32 mccool: leave up to the rest of you to do PRs, and the rest
15:28:54 Toumura: We should also track introduction mechanism
15:29:13 mccool: right, so what we should do is look at current spec...
implementations of directories
15:29:32 mccool: in addition, the following introduction mechanisms are supported
15:29:45 mccool: we have DNS-SD, SD under MDNS
15:29:53 mccool: and we should have a description of each of those
15:29:59 mccool: Apache
15:30:09 mccool: in this case, we have to demonstrate each of them
15:30:29 mccool: direct URL support as well
15:30:40 mccool: so we'll have to fill this out
15:30:51 mccool: Link to over to WoT testing
15:31:04 mccool: could also be external page, as long as can be found internally
15:31:12 andrea: would it be nice to have a table?
15:31:34 mccool: trouble is that gets very detailed. let's just add detailed table of features in implementations TBD
15:32:04 q+
15:32:11 andrea: the implementation may have additional features, that are not exactly the standard? or the implementation must ONLY be in the standard?
15:32:25 andrea: for example, mechanism to automatically fetch and translate the data?
15:32:38 mccool: implementation won't cover those. could be under proposals
15:32:53 mccool: ... or list it in the Readme, or in your documentation
15:33:15 Kaz: andrea, the main purpose of implementation report is to check on implementability of the specification itself
15:33:40 kaz: just define the features in spec, and check if implemented in the actual implementations. Need to cover all the features, twice.
15:33:51 kaz: at least more than one implementation
15:34:05 mccool: I just did this to get head around, we will at least cover teh query part.
15:34:20 mccool: let's talk about interesting PRs
15:34:28 mccool: one in security, leads to new requirement
15:34:41 s/teh/the/
15:34:42 mccool: we have PR, that updates the DDS attach
15:35:00 mccool: attack
15:35:11 mccool: however, there were other possible privacy considerations that we brainstormed
15:35:23 mccool: major blocking issue that came up was around personal information tracking
15:36:00 mccool: going to be major issue, made a list, actually...
it's even worse when dealing with geoinformation. the mere fact that a WoT talks with things in a limited range
15:36:27 mccool: so why see a thing in a certain range, I know the thing is in the directory, and if in use for a car, then could know if people are home or not
15:36:30 i/let's talk/topic: wot-security issue 196 - Consider security issues in Discovery/
15:36:46 mccool: similarly, public service, say a parking garage. if register car with parking garage TD
15:36:59 i|let's talk|-> https://github.com/w3c/wot-security/issues/196 wot-security issue 196|
15:37:03 mccool: I don't own the device and trust the device with my data. Some guy could track me
15:37:13 mccool: Mitigations in a list
15:37:23 mccool: simply not use registration (don't use WoT discovery)
15:37:32 mccool: we could alternatively encrypt the TD
15:37:38 mccool: problem is how do you find it?
15:37:46 mccool: maybe encrypt all but the Di
15:37:48 ID
15:38:04 mccool: problem with the solution is need to find a reference for it. Don't know if anyone has patented this or not
15:38:30 mccool: is to use a rotating ID based on code generator. Encrypt a quantum of time, then the device has a reasonably accurate clock
15:38:48 mccool: encrypt it with private key and then update an encrypted TD with a crypto generated ID
15:39:02 mccool: user wants to access, knows the time. Generate the ID and search for it
15:39:14 mccool: anyone else who sees the ID, only sees a random string of characters
15:39:29 mccool: update every few minutes, that's the duration can be tracked, then goes away
15:39:44 mccool: raises a requirement: we have to support encrypted TDs with visible IDs
15:40:02 mccool: it's the encrypted TD part... we have visible IDs taken care of
15:40:08 mccool: thoughts?
15:40:13 q+
15:40:25 mccool: if encrypted, the query would not work.
15:40:31 mccool: would have to know the ID to find it
15:40:58 kaz: this is very important, during the security call, I already mentioned that the DID WG had discussions about this during T-PAC
15:41:14 kaz: they use public key encryption, but the DID itself might not be encrypted
15:41:21 mccool: in our scheme, IDs are used as introductions
15:41:40 mccool: this is just the directory, could still link to it, link to the ID but only good for a certain (short) length of tie
15:41:41 time
15:41:56 mccool: should be stricter about how the link is encrypted
15:42:03 mccool: signed Java Script object
15:42:10 s/, during the/as I mentioned during the/
15:42:12 mccool: should have a flag (boolean) in the meta data
15:42:20 mccool: the directory needs to store for each TD
15:42:27 mccool: the actual object or a binary blob
15:42:33 mccool: or a ....
15:42:42 s/I already mentioned/Also I've just remembered/
15:42:48 s/T-PAC/TPAC/
15:42:49 mccool: could encode inside another JSOn object, but would have to enhance the scheme
15:42:51 schema
15:42:55 mccool: any comments?
15:42:59 s/about this/about privacy issues like this/
15:43:08 mccool: need implementers to comment, at least two need to commit to doing it
15:43:19 s/DID itself/DID document itself/
15:43:26 andrea: not sure what the use case would be. We could allow anonymous
15:43:46 andrea: we would lose all the directory feature set, we can't use RDF data bases any more, use a data store
15:43:49 mccool: what are the use cases?
15:43:51 s/in our scheme/right.
in our scheme/
15:44:07 mccool: query is for finding things you already know about but to access what you don't already know
15:44:18 s/as introductions/as introductions, so it might not be encrypted./
15:44:32 s/JSOn/JSON/
15:44:35 mccool: the case of the own devices, I don't know their current IP address, let's say, so I would publish a current TD
15:44:43 mccool: want to find and check my car
15:44:52 mccool: ALready know the ID (rotating code gen)
15:44:53 s/the scheme/the schema/
15:45:00 s/ALready/Already/
15:45:04 mccool: ALready know the ID (rotating code gen)
15:45:10 s/ALready/Already/
15:45:16 mccool: queries are mainly for information I don't already know
15:45:25 andrea: we lose a lot...
15:45:35 andrea: we don't need anything beyond that
15:45:51 s/andrea:/farshid:/
15:45:52 s/andrea:/farshid:/
15:46:00 mccool: let's capture this discussion in issue
15:46:33 q+ andrea
15:46:36 ack a
15:46:38 q-
15:46:45 andrea: make not attribute to these IDs, if in triple score, you won't be able to retrieve by ID
15:47:06 mccool: requirement: we need to think about how to support one feature: retrieval by ID
15:47:29 mccool: wouldn't support notifications, could still get notice that encrypted TD is updated, but not from properties
15:47:39 Farshid: but you cna't track it, another issue
15:47:50 mccool: someone could track, but would need to disable that
15:48:00 mccool: when update ID, you delete the old TD and create a new one
15:48:20 s/cna't/can't/
15:48:23 farshid: so if deletion, closed, ....
15:48:41 mccool: someone could track/follow and guess that the one that's newly created is the same thing
15:48:48 farshid: correct
15:49:33 mccool: this assumes that the tracker is the person (owner) of the directory
15:49:46 mccool: owner of the information
15:50:10 mccool: what does it actually offer?
car in garage, registers, with cryptographically generated ID
15:50:23 mccool: now, parking garage knows only that the thing is there, until it leaves
15:50:34 mccool: but would not associate with a device, type of device or person
15:50:43 farshid: but you could fuse with other information
15:50:55 farshid: there may be other devices in the home that would be updated at same time
15:51:06 mccool: so still a fingerprinting risk from fusion with other information
15:51:42 mccool: look at DHCP logs, granting IPs
15:51:54 Farshid: logs of the proxy or the directory itself
15:52:10 mccool: directory seems communication from a particular IP address that is updating a new TD
15:52:57 mccool: getting back to DHCP, a new device with known MAC address. Assume person knows MAC address, they get the IP address
15:53:34 mccool: that might be one way to track you, but still need to know the MAC address of the car. so question is do we completely eliminate risk or just make it really annoying to track
15:53:58 mccool: similar risk with phones on public networks
15:54:12 mccool: e.g., generating MAC address
15:54:40 andrea: what is the use case where we need to use a public directory but cannot provide this info ? is this useful? why not put in private directory?
15:55:11 mccool: two broad use cases: in institutions (factories, smart cities) and the other is
15:55:17 mccool: publishing public services
15:55:34 mccool: there's also private (personal use). services that user wants available from remote locations
15:55:47 mccool: e.g., access to car in parking garage from elsewhere
15:56:03 mccool: electric car is charging, and I want to know the status of charging
15:56:22 andrea: understand, but why not use private registries? no need to encrypt?
15:56:32 s/andrea:/farshid:/
15:56:32 s/andrea:/farshid:/
15:56:33 mccool: gets back to mitigation. Don't use WoT for this
15:56:43 mccool: limit WoT to first use case
15:56:57 mccool: make it only user has access keys to the directory.
Add this as an alternative
15:57:36 mccool: Idea here is that register personal devices only to directories that the user and only the user have access rights to
15:58:10 mccool: imagine this being hosted in personal home gateway. Could have a home computer, running a local service. Provides directory service.
15:58:25 mccool: go there to find the TD. Car would periodically register its IP address
15:58:43 mccool: we'll have to decide if encrypted TDs make sense
15:58:54 mccool: there's implementation effort involved
15:59:11 mccool: last issue would address some use cases, but put more of an onus on user to have personal directory
15:59:15 https://github.com/w3c/wot-security/issues/196
15:59:18 mccool: reposting issue in the IRC
15:59:31 mccool: final things: two PRs
15:59:52 mccool: merge this and add to it
16:00:02 https://github.com/w3c/wot-discovery/pull/107
16:00:11 mccool: any objections? none heard so went ahead and merged
16:00:22 mccool: do another PR on top with other mitigations
16:00:48 i|final things|-> https://github.com/w3c/wot-security/issues/196#issuecomment-770961494 McCool's comments for wot-security issue 196|
16:00:48 mccool: Farshid has a PR for information modeling. At this point...
16:01:04 Farshid: there's a bunch of changes. Diagram doesn't show in preview
16:01:20 andrea: I was reviewing and agree. We should merge the PR and then work on top of it
16:01:33 mccool: you didn't click on review and accept
16:01:42 mccool: why don't you accept and I will merge after meeting
16:01:50 mccool: we can do deltas against it
16:01:55 comment in next two hours
16:01:56 i|final things|PR 107 - Update SPARQL DDoS ed note|
16:02:03 mccool: out of time!
16:02:47 Information model PR: https://github.com/w3c/wot-discovery/pull/112
16:03:02 rrsagent, make log public
16:03:07 rrsagent, draft minutes
16:03:07 I have made the request to generate https://www.w3.org/2021/02/01-wot-discovery-minutes.html kaz
16:04:26 s|PR 107 - Update SPARQL DDoS ed note|topic: PR 107 - Update SPARQL DDoS ed note|
16:04:27 rrsagent, draft minutes
16:04:27 I have made the request to generate https://www.w3.org/2021/02/01-wot-discovery-minutes.html kaz
16:05:32 i/do another PR/topic: PR 112 - Describe the information model/
16:05:33 rrsagent, draft minutes
16:05:33 I have made the request to generate https://www.w3.org/2021/02/01-wot-discovery-minutes.html kaz
17:59:56 Zakim has left #wot-discovery
19:50:45 zkis has joined #wot-discovery