12:04:42 <RRSAgent> RRSAgent has joined #wot-sec
12:04:42 <RRSAgent> logging to https://www.w3.org/2021/05/03-wot-sec-irc
12:04:51 <kaz> meeting: WoT Security
12:05:16 <kaz> present+ Kaz_Ashimura, Cristiano_Aguzzi, Michael_McCool, Oliver_Pfaff, Philipp_Blum
12:06:19 <Oliver> Oliver has joined #wot-sec
12:06:59 <McCool> McCool has joined #wot-sec
12:07:08 <Citrullin> Citrullin has joined #wot-sec
12:07:25 <Mizushima> Mizushima has joined #wot-sec
12:07:56 <cris_> topic: agenda
12:08:08 <cris_> mc: I would discuss about singing requirements
12:08:10 <kaz> scribenick: cris_
12:08:20 <kaz> s/singing/signing/
12:09:24 <cris_> kaz: same problems with w3c server, it is very slow
12:09:45 <cris_> mc: ok let's skip the minutes review and do it next time
12:09:53 <cris_> topic: td signing
12:10:08 <kaz> present+ Tomoaki_Mizushima
12:10:20 <cris_> philipp: I have the wiki opened
12:10:32 <cris_> mc: do we need anything from it?
12:10:57 <cris_> mc: ok skipping
12:12:04 <cris_> mc: The signing mechanism that I have in my does not heavily rely on canonicalization. it uses just for stability
12:12:11 <kaz> i/same/some/
12:12:22 <kaz> i/problems with/topic: minutes/
12:12:33 <cris_> ... #943 is based on obsolete information. we should close it
12:12:47 <cris_> ... I would like to gather some requirements from people
12:12:54 <cris_> ... and start working from them
12:13:21 <kaz> s/in my does/in my PR does/
12:14:14 <cris_> kaz: btw w3c is now live again.
12:14:26 <cris_> mc: ok then let's review the minutes in the last 10 minutes
12:14:31 <kaz> s/w3c is/W3C server/
12:14:37 <kaz> s/server/server is/
12:14:47 <cris_> mc: a signed td is object security
12:15:36 <cris_> ... we do not know about any system using object security
12:15:51 <kaz> rrsagent, make log public
12:15:51 <cris_> ... so we lack implementation information and we need to figure it out
12:15:54 <kaz> rrsagent, draft minutes
12:15:54 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/03-wot-sec-minutes.html kaz
12:16:29 <kaz> Chair: McCool
12:16:40 <cris_> ... another point is that TDDs want to add metadata to a TD. This creates a problem cause it changes its signature.
12:17:09 <cris_> ... but most metadata is easly recognizable cause it will use its tdd namespace
12:18:01 <cris_> ... the problem is that id could be added by TDDs
12:18:26 <cris_> ... and it's no easy to recognize this condition
12:19:23 <kaz> -> https://github.com/w3c/wot-thing-description/issues wot-thing-description Issue 940 - Add optional proof section to TDs
12:19:33 <Citrullin> q+
12:20:11 <kaz> i|#943 is|-> https://github.com/w3c/wot-thing-description/pull/943 wot-thing-description PR 943 - WIP: Add proof and proofChain sections|
12:20:12 <cris_> mc: I would follow the ld proof pattern
12:20:15 <Citrullin> q-
12:20:16 <kaz> rrsagent, draft minutes
12:20:16 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/03-wot-sec-minutes.html kaz
12:20:49 <cris_> ... so that each proof is in a chain and the latest contain the previous ones
12:22:04 <cris_> mc: finally there is the issue about canonical form.
12:23:23 <cris_> ... I am afraid that we missed little different serialization details that could lead to different strings breaking signinig
12:23:52 <cris_> ... in the end we need a key value store to return the original string
12:24:16 <cris_> ... kinda a fallback plan if something breaks the signature
12:25:04 <Citrullin> q+
12:25:32 <cris_> ... the canonical form just make signing more robust but with the current proposal is orthogonal to signing.
12:26:31 <cris_> mc: about algorithm I would use something based on JWS
12:26:33 <kaz> ack cit
12:26:55 <cris_> ... we should pickone
12:27:22 <cris_> <philipp proposing a alogrithm>
12:27:55 <kaz> s/a al/an al/
12:27:58 <cris_> mc: I am think a single chain
12:28:11 <cris_> s/think/thinking/
12:28:15 <kaz> rrsagent, draft minutes
12:28:15 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/03-wot-sec-minutes.html kaz
12:28:37 <cris_> philipp: you could make an hash tree, signature every property
12:29:06 <cris_> ... so you could check which affordance has changed
12:29:18 <cris_> mc: I am not sure how it's different from a single chain
12:31:06 <cris_> oliver: are we looking at json web signature?
12:31:08 <cris_> mc: yes
12:31:20 <cris_> oliver: there's also xml signature
12:31:30 <cris_> ... it has some flexible feature
12:32:02 <cris_> mc: yeah JWS is very simple
12:32:56 <cris_> oliver: I think the signature format we have xml signature or COSE signature
12:33:43 <cris_> s/ I think the signature format we have xml signature or COSE signature/ We have different options for signature formats: JSON, XML and COSE/
12:33:55 <cris_> mc: I think we should go for a concrete proposal
12:35:12 <cris_> mccool writing a proposal in 940
12:36:52 <cris_> mc: with the proposal we could keep track of the used vocabularies and sign metadata
12:37:14 <zkis2> zkis2 has joined #wot-sec
12:37:39 <cris_> ... furthermore we could create a chain of different signing pass (e.g., td<- thing description directory)
12:38:20 <cris_> cris: in context are we using urls or just prefixes?
12:38:29 <cris_> mc: good point
12:38:47 <cris_> ... the TD would have prefixes and it might be safe
12:39:18 <cris_> ... rdf database preserve prefixes
12:39:30 <cris_> s/database/databases/
12:39:43 <cris_> ... we could have both
12:40:12 <Citrullin> q+
12:40:52 <cris_> mc: then we can have another simpler method
12:41:36 <cris_> ... the signing order is give by the appearance in the list.
12:43:28 <cris_> ... this second proposal is similar to ld-proof
12:44:47 <cris_> oliver: I think it is a good proposal considering that jws is lacking feature that we need (like signing pieces of information)
12:45:51 <cris_> ... in xml signature first you hash each object and then you sign over the hashes. It's one document - one hash - than hashes with signatures
12:46:28 <cris_> mc: we could use json pointers but data may move and it's not robust
12:48:58 <cris_> ... so the xml strategy is to have a manifest with parts and then sign each part
12:49:00 <cris_> oliver: right
12:49:09 <cris_> mc: we could do the same in the proposal
12:50:28 <kaz> q+ to ping for minutes review
12:51:29 <cris_> philipp: your proposal embeds the signature inside the TD, there might be usecases where the signature is pointing to a TD or part of it
12:51:55 <cris_> mc: if the signatures are named is simply to refer it
12:52:13 <cris_> ... but with pointers we could use array indexes
12:52:33 <kaz> ack cit
12:52:38 <cris_> ... however it might be a problem cause indices might chages
12:52:56 <cris_> philipp: I was thinking about putting the signature on a chain
12:53:02 <cris_> ... and pointing back to a TD
12:54:09 <cris_> mc: I noted down the point, plus how this would relate wiht DID?
12:54:30 <kaz> s/wiht/to/
12:54:44 <kaz> s/DID?/DID and VC?/
12:55:22 <kaz> ack k
12:55:22 <Zakim> kaz, you wanted to ping for minutes review
12:55:31 <cris_> topic: minutes review
12:55:34 <kaz> -> https://www.w3.org/2021/04/12-wot-sec-minutes.html Apr-12
12:55:43 <kaz> -> https://www.w3.org/2021/04/19-wot-sec-minutes.html Apr-19
12:56:24 <cris_> mc: there's a typo in the title is canonicalization
12:56:48 <cris_> ... I don't understand one line attributed to me, please delete it
13:00:51 <cris_> ... are we ok with these minutes?
13:02:07 <cris_> ... ok minutes approved
13:02:23 <cris_> mc: adjourned
13:02:29 <kaz> [Apr-19 minutes approve; Apr-12 ones to be reviewed next week]
13:02:34 <kaz> [adjourned]
13:02:39 <kaz> rrsagent, draft minutes
13:02:39 <RRSAgent> I have made the request to generate https://www.w3.org/2021/05/03-wot-sec-minutes.html kaz
13:35:09 <Mizushima> Mizushima has left #wot-sec
14:03:17 <zkis> zkis has joined #wot-sec
15:02:37 <Zakim> Zakim has left #wot-sec
15:46:53 <zkis2> zkis2 has joined #wot-sec