12:00:42 RRSAgent has joined #wot-sec
12:00:42 logging to https://www.w3.org/2021/09/06-wot-sec-irc
12:01:18 meeting: WoT Security
12:01:38 present+ Kaz_Ashimura, Michael_McCool, Oliver_Pfaff, Philipp_Blum
12:05:38 present+ Tomoaki_Mizushima
12:06:26 Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#6_September_2021
12:06:45 scribenick: kaz
12:06:52 topic: Minutes
12:07:03 -> https://www.w3.org/2021/08/30-wot-sec-minutes.html Aug-30
12:08:32 mm: minutes look OK
12:09:06 kaz: will just fix the style (because we forgot to specify the scribenick for citrullin)
12:09:19 topic: Signatures
12:11:07 -> https://github.com/w3c/wot-thing-description/pull/1151 wot-thing-description PR 1151 - WIP: TD Signatures
12:11:17 mm: (describes the summary)
12:11:43 ... discussion on the relationship with XML Signature
12:12:30 -> https://github.com/w3c/wot-thing-description/pull/1151#issuecomment-909073912 Oliver's comments
12:12:48 mm: would like to summarize the points maybe using a table
12:14:41 ... a concern is what IETF is doing recently
12:15:39 ... don't know what kind of strategy people think of
12:15:53 op: good summary
12:16:00 ... 3 actions to do here
12:16:13 ... work on description
12:16:33 ... need for interoperable implementations
12:16:45 ... clarifying IETF's approach
12:16:58 ... there is a gap in JWS
12:17:12 s/work on/1. work on/
12:17:17 s/need/2. need/
12:17:25 s/clari/3. clari/
12:17:48 ... Plugfest could be used to check the interoperability
12:17:57 ... and we could give some suggestions to IETF
12:18:21 mm: one possible thing
12:18:32 ... signature as an experimental extention
12:18:42 s/extention/extension/
12:18:58 ... then later on, could change it based on IETF's work
12:20:04 op: IETF JOSE is a closed WG but COSE WG is still open
12:20:12 ... it's working on CBOR, though
12:20:23 mm: COSE is mandated for CBOR
12:20:47 ... not necessarily correct for JOSE
12:21:11 ... my feeling is we need much modularity
12:21:39 ... if we did it as an extension, push off the feature till the next spec
12:21:51 ... we could write a context file which uses it
12:22:05 ... recommend some method to handle the signature
12:22:13 ... not MUST but simply recommend
12:22:29 ... and for the next Charter we'll make a commitment
12:22:44 op: people would like to focus on the signature part
12:22:52 ... regardless of the TD part
12:23:41 pb: makes sense to describe that within the Security Best Practices document?
12:23:45 mm: would make sense
12:23:47 q?
12:23:49 q+
12:24:02 ack k
12:24:20 kaz: would agree with that direction for this Charter period
12:24:25 mm: ok
12:24:34 ... (describes updated actions)
12:24:50 ... extract the current spec for signatures and put it in a separate document
12:26:11 kaz: where to put that?
12:26:19 mm: maybe under my private repo?
12:26:26 kaz: maybe a bit confusing
12:26:40 ... would be better to create yet another repo for that purpose
12:26:48 s/repo/dedicated repo/
12:26:53 mm: ok
12:26:59 ... what would be a good name?
12:27:58 kaz: simply a subdirectory of wot-security, e.g., signature?
12:28:08 mm: would have trouble with HTML rendering...
12:29:33 (some more discussion on the possible name for the repo)
12:32:42 kaz: btw, we should have some more discussion with the TAG and the Security groups too
12:33:26 mm: yeah, the question here is when we want to use it
12:34:03 -> https://www.w3.org/TR/2015/NOTE-xmldsig-core2-20150723/ fyi, XML Signature Syntax and Processing Version 2.0 REC
12:34:47 kaz: think we should start with discussion with PLH and Ralph
12:36:00 mm: (adds some more comments on expected actions)
12:36:21 ... we need to collaborate with IETF too
12:36:28 ... when is their next meeting?
12:37:18 -> https://www.ietf.org/how/meetings/upcoming/ IETF meetings
12:37:52 mm: IETF 112 will be held Nov 6-12
12:38:12 kaz: technically, we can invite somebody from IETF to our vF2F during TPAC
12:38:19 mm: yeah, we can do that too
12:38:52 ... e.g., Carsten Bormann
12:40:32 ... we need at least one implementation for IETF, and two if we want to make it a W3C REC
12:42:36 ... wondering if we want to include this into our next WoT WG Charter
12:43:29 ... not critical if it becomes an IETF RFC and we simply cite it
12:43:49 s/it/it for TD 2.0./
12:44:19 ... for TD 1.x, it would be optional/experimental and invokable by using an extension vocabulary.
12:46:32 -> https://github.com/w3c/wot-thing-description/pull/1151#issuecomment-913621245 McCool's updated comments
12:47:24 topic: Security Best Practices
12:47:39 subtopic: Issue 16
12:47:58 -> https://github.com/w3c/wot-security-best-practices/issues/16 Issue 16 - Expand Acknowledgements
12:48:06 mm: need to check who made contributions
12:52:52 ... (checks the GitHub repository)
12:54:18 -> https://github.com/w3c/wot-security-best-practices/issues/16#issuecomment-913626699 McCool's comments
12:54:42 subtopic: Issue 14
12:54:52 -> https://github.com/w3c/wot-security-best-practices/issues/14 Issue 14 - TD Signatures, Key Management, and Object Security
12:55:04 https://github.com/w3c/wot-thing-description/pull/1151
12:55:29 s/https/-> https/
12:56:02 s/1151/1151 related PR 1151 on the wot-thing-description repo
12:56:15 rrssagent, make log public
12:56:26 s/rrssagent, make log public//
12:56:30 rrsagent, make log public
12:56:35 rrsagent, draft minutes
12:56:35 I have made the request to generate https://www.w3.org/2021/09/06-wot-sec-minutes.html kaz
12:57:11 -> https://github.com/w3c/wot-security-best-practices/issues/14#issuecomment-913628134 McCool's comments to Issue 14
12:58:06 -> https://github.com/w3c/wot-security-best-practices/issues/14#issuecomment-913628134 also anothr comment to TD PR 1151
12:58:41 s/anothr/another/
12:59:12 s|https://github.com/w3c/wot-security-best-practices/issues/14#issuecomment-913628134|https://github.com/w3c/wot-thing-description/pull/1151#issuecomment-913628939|
12:59:19 [adjourned]
12:59:31 rrsagent, draft minutes
12:59:31 I have made the request to generate https://www.w3.org/2021/09/06-wot-sec-minutes.html kaz
14:24:50 Zakim has left #wot-sec