13:05:10 <RRSAgent> RRSAgent has joined #wot-sec
13:05:10 <RRSAgent> logging to https://www.w3.org/2021/02/01-wot-sec-irc
13:05:17 <kaz> Meeting: WoT Security
13:05:31 <kaz> present+ Kaz_Ashimura, Michael_McCool, Oliver_Pfaff
13:05:43 <kaz> regrets+ Elena_Reshetova
13:06:48 <kaz> topic: Prev minutes
13:07:10 <kaz> -> https://www.w3.org/2021/01/25-wot-sec-minutes.html Jan-25
13:07:27 <kaz> mm: would be better to add titles for issues/PRs...
13:08:46 <kaz> @@@kaz will add titles
13:09:17 <kaz> Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#1_February_2021
13:11:22 <kaz> mm: (goes through the sections on apikeys from the editor's draft)
13:11:43 <kaz> present+ Cristiano_Aguzzi
13:11:45 <kaz> present+ Tomoaki_Mizushima
13:11:57 <cris__> cris__ has joined #wot-sec
13:12:09 <kaz> topic: WIP: add URI template location for security scheme parameters #1032
13:12:21 <kaz> -> https://github.com/w3c/wot-thing-description/pull/1032 PR 1032
13:12:31 <kaz> mm: (explains the points)
13:13:03 <kaz> -> https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-766835622 McCool's comments
13:13:27 <kaz> [[
13:13:29 <kaz> "securityDefinitions": {
13:13:29 <kaz>    "template": {
13:13:29 <kaz>       "scheme": "uri",
13:13:29 <kaz>       "uriVariables": {
13:13:29 <kaz>                 "ID" : { "type": "string", "@type": "SecurityID" },
13:13:30 <kaz>                 "KEY" : { "type": "string", "@type": "SecurityKey" }
13:13:32 <kaz>             }
13:13:34 <kaz>       }
13:13:36 <kaz> }
13:13:38 <kaz> ]]
13:13:42 <kaz> (example above)
13:14:16 <kaz> mm: (adds some more comments in response to the comments from Cristiano and Ege)
13:20:23 <kaz> ... (put a "uri_key" entry, a "uri_id" entry and a combo entry to a new example)
13:21:27 <Mizushima_> Mizushima_ has joined #wot-sec
13:21:49 <kaz> s/editor's draft/editor's draft of the Thing Description spec/
13:23:08 <kaz> mm: (shoes the ED of the TD spec again)
13:23:32 <kaz> -> https://w3c.github.io/wot-thing-description/#apikeysecurityscheme Thing Description Editor's Draft - 5.3.3.6 APIKeySecurityScheme
13:24:30 <kaz> -> https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-770853792 McCool's updated comments including the new example of the combo security
13:24:51 <kaz> mm: go with the "name" option
13:26:01 <kaz> topic: Consider security issues in Discovery #196
13:26:11 <kaz> -> https://github.com/w3c/wot-security/issues/196 Issue 196
13:27:16 <kaz> -> https://github.com/w3c/wot-discovery/pull/107 related PR - Update SPARQL DDoS ed note #107
13:27:51 <kaz> s/relate PR/relate PR for wot-discovery/
13:28:26 <kaz> -> https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/pull/107.html#security-considerations Section 7. Security and Privacy Considerations
13:29:08 <kaz> mm: (shows the related PR 107 for WoT Discovery and its preview)
13:29:21 <kaz> ... (and then goes back to the Issue 196 itself)
13:29:32 <kaz> ... (adds comments)
13:29:43 <kaz> ... location may be implicit
13:30:17 <kaz> ... if a TD simply *appears* in a directory, then we know the Thing is in range (e.g. of WiFi) so it can register with the TDD
13:41:24 <kaz> ... (adds some more comments)
13:44:48 <kaz> ... in general, "disabling" geolocation for personal devices may be necessary, although it still is useful for institutional use cases
13:45:53 <kaz> ... another option would be to use a "code generator" to generate IDs (perhaps in combination with encrypted TDs) that is synchronized between the device and another application available to the user
13:45:55 <kaz> q+
13:47:54 <kaz> ... so, for example, a user could use an app on their laptop to generate the current ID and then do a discovery search to find the location of their car, which had registered an encrypted TD with tat (rotating) ID with a discovery service.
13:48:14 <kaz> kaz: yeah, this discussion is very important for security purposes
13:48:42 <kaz> ... note that we should be get ready for the privacy review at some point (within 6 months)
13:48:46 <kaz> mm: yeah
13:48:51 <kaz> ... we need to work on this
13:49:24 <kaz> ... probably we need to allow "nosec" although it's probably a very bad idea except for development use cases.
13:51:02 <kaz> ... we could perhaps add an assertion that "if a TDD service is available to anyone other than the developer and supports registration of third-party TDs then it MUST NOT use the "nosec" scheme
13:51:18 <kaz> s/"if/[[if/
13:51:25 <kaz> s/scheme/scheme]]/
13:52:05 <kaz> topi: AOB
13:52:08 <kaz> mm: aob?
13:52:10 <kaz> (none)
13:52:14 <kaz> q?
13:52:14 <McCool> q?
13:52:15 <kaz> q-
13:52:24 <kaz> [adjourned]
13:52:29 <kaz> rrsagent, make log public
13:52:36 <kaz> rrsagent, draft minutes
13:52:36 <RRSAgent> I have made the request to generate https://www.w3.org/2021/02/01-wot-sec-minutes.html kaz
16:01:35 <Zakim> Zakim has left #wot-sec