12:05:08 <RRSAgent> RRSAgent has joined #wot-sec
12:05:08 <RRSAgent> logging to https://www.w3.org/2021/11/01-wot-sec-irc
12:05:39 <kaz> present+ Kaz_Ashimura, Michael_McCool, Philipp_Blum, Tomoaki_Mizushima
12:06:06 <kaz> chair: McCool
12:09:23 <kaz> topic: Minutes review
12:09:30 <kaz> mm: Oct 18
12:09:35 <kaz> ... also IETF meeting
12:10:16 <kaz> -> https://www.w3.org/2021/10/20-wot-sec-minutes.html
12:10:21 <kaz> -> https://www.w3.org/2021/10/28-wot-minutes.html
12:11:05 <kaz> s/IETF/joint meeting with IRTF T2TRG and DID/
12:11:28 <kaz> s| https://www.w3.org/2021/10/28-wot-minutes.html| https://www.w3.org/2021/10/28-wot-minutes.html Oct 28|
12:11:55 <kaz> s|https://www.w3.org/2021/10/20-wot-sec-minutes.html|https://www.w3.org/2021/10/20-wot-sec-minutes.html Oct 8|
12:12:02 <kaz> rrsagent, make log public
12:12:06 <kaz> rrsagent, draft mintues
12:12:06 <RRSAgent> I'm logging. I don't understand 'draft mintues', kaz.  Try /msg RRSAgent help
12:12:24 <kaz> mm: (goes through the minutes from Oct 28 meeting)
12:20:16 <kaz> kaz: (fixes typos, etc.)
12:34:23 <kaz> (some discussion on IDs within local environment)
12:34:36 <kaz> mm: (adds a comment to the GitHub Issue)
12:35:03 <kaz> -> https://github.com/w3c/wot-security-best-practices/issues/14 wot-security-best-practices issue 14 - TD Signatures, Key Management, and Object Security
12:36:11 <kaz> mm: suggested actions
12:36:55 <kaz> ... 1. best WoT practice should be to use TLS for all WoT Things when using HTTP. Otherwise almost all other security measures are broken.
12:37:20 <kaz> pb: TLS works well without your own key management system
12:37:36 <kaz> mm: (adds clarification)
12:38:05 <kaz> ... TLS does work locally, as long as an identity can be confirmed for an endpoint
12:38:18 <kaz> ... regular DNS is fine
12:39:15 <kaz> ... a public URL (using DNS, which avoids duplicate registrations) does this but a hardware key and a derived ID could also be used on a LAN
12:39:47 <kaz> ... mDNS (e.g., .local names) do not sine they can be easily spoofed.
12:41:03 <kaz> ... To do: check BREWSKI; there might be a means to combine mDNS, hardware keys, and encryption to generate unspoofable names
12:42:11 <kaz> -> https://datatracker.ietf.org/doc/html/rfc8995 RFC8995 - Bootstrapping Remote Secure Key Infrastructure (BRSKI)
12:42:59 <kaz> pb: not only for HTTP but also CoAP?
12:43:59 <kaz> mm: (adds DTLS for CoAP/UDP in addition to HTTP/TCP)
12:44:09 <kaz> ... suggested action 2
12:44:58 <kaz> ... for non-browsers operating on a LAN, e.g., hubs talking to devices, they can use an onboarding process or some other mechanism to establish device identities and set up secure connections.
12:45:22 <kaz> ... To Do: consider some specific recommendations for this case, e.g., BRSKI
12:46:24 <kaz> ... suggested action 3
12:46:41 <kaz> ... for browser access, they will (currently) have to use a public URL
12:47:43 <kaz> ... e.g., via a clod proxy or a URL exposed thourhg the ISP and firewall using STUN/TURN and/or DyDNS.
12:48:14 <kaz> ... ohwever this should be limited to a small number of "remote access points", e.g., to a hub dashboard.
12:48:45 <kaz> pb: we should have some recommendation
12:49:04 <kaz> ... but should not limit the possible methods to it
12:49:23 <kaz> mm: we should clarify best practices
12:49:25 <kaz> pb: ok
12:50:14 <kaz> mm: suggested action 4
12:50:28 <kaz> ... add a recommendation that the number of public URLs should be minimized.
12:50:52 <kaz> q?
12:50:55 <kaz> q+
12:52:20 <kaz> ack k
12:53:53 <kaz> kaz: technically, we should say "for systems that don't support secure local access, e.g., browsers currently" instead of "browsers have to..."
12:54:03 <kaz> mm: (adds the modification)
12:55:50 <kaz> ... my question here is that regular IoT devices don't be regularly updated
12:56:47 <kaz> pb: update is a good point
12:57:33 <kaz> mm: should have a best practice to have mechanism to support secure updates. To Do: look at SUIT.
12:58:19 <kaz> q?
12:58:22 <kaz> q+
12:58:52 <kaz> ack k
13:00:31 <kaz> mm: regarding the minutes for item 6 from vF2F Day 5
13:00:43 <kaz> ... and item 7
13:00:58 <kaz> ... item 6 and 7 to be merged, I think
13:01:20 <kaz> ... objections to approve those sections?
13:01:24 <kaz> (none)
13:01:28 <kaz> (approved)
13:02:34 <kaz> i|regarding|-> https://github.com/w3c/wot-security-best-practices/issues/14#issuecomment-956210818 McCool's comments for Issue 14 based on the discussion today|
13:03:26 <kaz> i|regarding|-> https://github.com/w3c/wot-security-best-practices/issues/13#issuecomment-956212304 added one line comment to see the above comments to Issue 13 as well|
13:03:32 <kaz> [adjourned]
13:03:38 <kaz> rrsagent, make log public
13:03:42 <kaz> rrsagent, draft minutes
13:03:42 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/01-wot-sec-minutes.html kaz
15:00:20 <Zakim> Zakim has left #wot-sec
19:07:36 <zkis> zkis has joined #wot-sec
20:33:06 <zkis> zkis has joined #wot-sec
20:49:35 <zkis> zkis has joined #wot-sec
23:51:00 <kaz> kaz has joined #wot-sec