12:02:21 <RRSAgent> RRSAgent has joined #wot-sec
12:02:21 <RRSAgent> logging to https://www.w3.org/2021/04/19-wot-sec-irc
12:02:28 <kaz> meeting: WoT Security
12:02:51 <kaz> present+ Kaz_Ashimura, Michael_McCool, Philipp_Blum, Zoltan_Kis
12:03:31 <zkis> https://github.com/w3c/wot-scripting-api/issues/315
12:03:49 <zkis> https://github.com/w3c/wot-scripting-api/issues/314
12:08:49 <citrullin> present+ Tomoaki_Mizushima
12:09:22 <citrullin> Zakim, who is here?
12:09:22 <Zakim> Present: Kaz_Ashimura, Michael_McCool, Philipp_Blum, Zoltan_Kis, Tomoaki_Mizushima
12:09:25 <Zakim> On IRC I see RRSAgent, Zakim, Mizushima, citrullin, McCool, zkis, kaz
12:10:07 <kaz> present- Zoltan_Kis
12:12:43 <kaz> scribenick: citrullin
12:13:14 <citrullin> topic: Joint call with scripting
12:13:47 <citrullin> mm: We could have a joint call for two hours. But let's take a look into the topics first.
12:14:03 <citrullin> Security TaskForce related issues -> https://github.com/w3c/wot-scripting-api/issues/315
12:14:18 <citrullin> Discovery TaskForce related issues -> https://github.com/w3c/wot-scripting-api/issues/314
12:15:55 <citrullin> mm: I guess we should comment on the issue what we have to deal with.
12:16:53 <citrullin> mm adds a note into the security wiki. Logistics still under discussion.
12:18:19 <citrullin> topic: Cannonicalization and signing
12:18:54 <citrullin> mm: The problem with cannonicalization are default values.
12:19:33 <citrullin> ... the preprocessor may filled in the default values, if they are not given.
12:21:58 <citrullin> ... The solution: Limiting proof.
12:25:38 <citrullin> mm adds a comment to the wiki regarding this issue.
12:27:20 <citrullin> pb: There should be an issue for it, so that we can think about it more in detail.
12:29:08 <citrullin> topic: Object security
12:29:33 <citrullin> Consider how to support object security -> https://github.com/w3c/wot-security/issues/185
12:30:10 <citrullin> mm: .local domain are problematic to secure.
12:31:11 <citrullin> ... there are still information which can get leaked, even if the body is encrypted. Query parameter for example.
12:33:28 <citrullin> pb: We may can use DIDs here and store the related keys etc. attached to the DID in a DLT.
12:33:51 <McCool> https://tools.ietf.org/html/rfc7165
12:33:53 <citrullin> mm: We don't have experience with that and it probably takes too much time to get this experience.
12:33:55 <kaz> q+
12:35:26 <citrullin> Kaz: I agree that we might want to use DID for that. But I agree that it takes too much.
12:37:04 <citrullin> mm: There is a way to distribute keys via DID. But this goes beyond IoT.
12:39:15 <citrullin> pb: Newer versions of HTTP allow encryption of headers. Not sure about queries though.
12:40:05 <citrullin> mm: TLS relies on global domains. And that doesn't work in .local.
12:40:53 <citrullin> ... for now we have to allow http for discovery.
12:43:37 <citrullin> pb: So the might have to say in the best-practices, if you want to have object security you should put the queries into the body.
12:45:43 <citrullin> mm: Problem is that discovery supports queries in the URL and therefore they cannot get encrypted. SparkQL on the other hand allows the queries in the body.
12:46:35 <McCool> https://krellian.com/
12:47:48 <citrullin> topic: OAuth2 flows
12:49:22 <citrullin> pb: I think we can remove the submitter etc.
12:49:34 <citrullin> mm: Yes, there are some things which can get simplified and removed.
12:50:27 <citrullin> ... have you made a PR for the use-case document?
12:51:01 <citrullin> pb: No, I haven't. We should talk with Michael Legally first, I think.
12:55:25 <citrullin> oAuth2 flow issue -> https://github.com/w3c/wot-security/issues/194
12:55:43 <citrullin> oAuth 2 flow PR -> https://github.com/w3c/wot-security-best-practices/pull/10
12:56:03 <kaz> -> https://github.com/w3c/wot-security-best-practices/pull/10 wot-security-best-practices PR 10 - Move oAuth2 flow from usecases to security-best-practices
12:56:19 <kaz> q+
12:58:07 <kaz> ack k
12:58:54 <kaz> kaz: please note the default branch for the wot-security-best-practices repo has been also rename to "main"
12:59:13 <kaz> s/oAuth 2/OAuth2/
12:59:44 <kaz> i/please/scribenick: kaz/
12:59:56 <kaz> [adjourned]
13:00:10 <kaz> rrsagent, draft minutes
13:00:10 <RRSAgent> I have made the request to generate https://www.w3.org/2021/04/19-wot-sec-minutes.html kaz
13:00:36 <kaz> rrsagent, make log public
13:00:37 <kaz> rrsagent, draft minutes
13:00:37 <RRSAgent> I have made the request to generate https://www.w3.org/2021/04/19-wot-sec-minutes.html kaz
13:00:55 <kaz> Chair: McCool
13:00:56 <kaz> rrsagent, draft minutes
13:00:56 <RRSAgent> I have made the request to generate https://www.w3.org/2021/04/19-wot-sec-minutes.html kaz