13:02:15 <RRSAgent> RRSAgent has joined #wot-sec
13:02:15 <RRSAgent> logging to https://www.w3.org/2021/11/08-wot-sec-irc
13:02:31 <cris_> cris_ has joined #wot-sec
13:03:00 <kaz> meeting: WoT Security
13:03:38 <kaz> present+ Kaz_Ashimura, Cristiano_Aguzzi
13:04:19 <kaz> present+ Jiye_Park, Michael_McCool, Sebastian_Kaebisch
13:04:35 <Mizushima> Mizushima has joined #wot-sec
13:05:16 <kaz> present+ Zoltan_Kis
13:05:37 <McCool> McCool has joined #wot-sec
13:05:40 <kaz> topic: Preliminary
13:05:52 <kaz> jp: Jiye Park from Siemens
13:06:14 <kaz> ... taking over the role from Oliver
13:06:22 <kaz> present+ Tomoaki_Mizushima
13:06:54 <sebastiankaebisch> Hello
13:06:54 <kaz> rrsagent, make log public
13:06:57 <Jiye> Jiye has joined #wot-sec
13:08:55 <kaz> mm: (gives basic instructions)
13:09:25 <McCool> https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#8_November_2021
13:09:36 <kaz> mm: you can bookmark the URL of the wiki page above
13:09:39 <sebastian_> sebastian_ has joined #wot-sec
13:09:44 <Jiye> thanks!
13:09:52 <sebastian> sebastian has joined #wot-sec
13:10:00 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#8_November_2021
13:10:13 <kaz> mm: we have 2 documents
13:10:23 <kaz> ... Security and Privacy Guidelines
13:10:41 <kaz> ... and Security Best Practices document
13:11:12 <kaz> ... tell people the best strategy for security and privacy
13:11:23 <kaz> ... currently the document is thin
13:11:45 <kaz> ... need use cases and best practices
13:11:52 <kaz> ... including HTTPS ant OAuth
13:12:13 <kaz> ... as discussed during the vF2F, we require authentication
13:12:28 <kaz> ... separate spec for key distribution
13:13:11 <kaz> ... the best practices document is not yet published
13:13:26 <McCool> https://github.com/w3c/wot-security
13:14:00 <McCool> https://w3c.github.io/wot-security/
13:14:00 <kaz> mm: we use separate GitHub repositories for spec work for easier rendering
13:14:27 <kaz> ... GitHub and HTML rendering for WoT Security and Privacy Guidelines above
13:14:56 <McCool> https://github.com/w3c/wot-security-best-practices
13:15:13 <kaz> mm: the Best Practices document will be changed in the future
13:15:24 <zkis> q+
13:15:28 <kaz> ... meant to be an appendix
13:15:40 <McCool> https://w3c.github.io/wot-security-best-practices/
13:16:18 <sebastian> sorry, I need to go now. Bye
13:17:09 <kaz> mm: we have two large sections fr the Security Best Practices document
13:17:47 <kaz> s/fr /for /
13:18:33 <kaz> jp: thanks for the summary
13:18:42 <kaz> topic: Agenda
13:18:43 <kaz> q?
13:18:48 <kaz> ack z
13:18:53 <kaz> mm: anything to be added to the agenda?
13:19:27 <kaz> zk: would it make sense to have generic guidelines for exposing/consuming Things?
13:19:58 <kaz> ... there should be different requirements for exposing Thing and consuming Thing
13:20:24 <kaz> mm: ok
13:20:34 <kaz> ... let me capture the points within an issue
13:21:04 <kaz> q?
13:21:32 <kaz> q+
13:21:51 <kaz> -> https://github.com/w3c/wot-security-best-practices/issues/26 wot-security-best-practices issue 26 - Use Cases for Exposed and Consumed Things
13:22:11 <kaz> mm: and another issue on onboarding and key distribution
13:22:58 <kaz> -> https://github.com/w3c/wot-security-best-practices/issues/26 wot-security-best-practices issue 27 - Add Onboarding/Key Distribution Section
13:23:52 <kaz> mm: keys are needed for TLS
13:24:17 <kaz> ... in a global network, existing CA-based mechanisms can and should be used
13:24:38 <kaz> ... in local and offline networks, a separate key distribution mechanisms is needed in order to use TLS
13:24:54 <kaz> ... this is currently a gap but we should define the requirements here
13:25:00 <kaz> ... iscovery may also be needed
13:25:10 <kaz> ... explain how this relates to WoT Discovry
13:27:14 <kaz> ... bunch of stuff being discussed on onboarding
13:28:02 <kaz> zk: can give some comments
13:28:12 <kaz> ... to the GitHub Issue
13:29:17 <kaz> q?
13:29:35 <kaz> ca: we're also tracking issue for Scripting API
13:29:53 <cris_> https://github.com/w3c/wot-scripting-api/issues/315
13:30:04 <kaz> zk: should belong to another issue on provisioning
13:30:25 <cris_> (to be more precise we have this issue https://github.com/w3c/wot-scripting-api/issues/298)
13:30:27 <kaz> mm: (adds that point to the Issue 27)
13:30:39 <kaz> -> https://github.com/w3c/wot-security-best-practices/issues/27 Issue 27 - Add Onboarding/Key Distribution Section
13:30:57 <kaz> ca: two links above
13:31:32 <kaz> ... wot-scripting-api issue 298 should be better to use here
13:31:57 <kaz> mm: (adds a link for wot-scripting-api issue 298 to wot-security-best-practices issue 27)
13:32:19 <kaz> -> https://github.com/w3c/wot-security-best-practices/issues/27#issue-1047450206 updated comments for Issue 27
13:32:47 <kaz> mm: it's a separate issue from key management
13:32:59 <kaz> ... we should look into the library
13:33:59 <kaz> ... (adds comments to wot-scripting-api issue 298)
13:36:28 <kaz> ... we should add exploratory work
13:37:39 <kaz> ... (adds comments to wot issue 978 about the WoT WG renewal)
13:37:51 <kaz> -> https://github.com/w3c/wot/issues/978 wot issue 978 - WoT WG renewal 2021
13:39:27 <kaz> mm: Management API as a separate API from the Scripting API
13:39:43 <kaz> ... including configuring security schemes and establishing keys
13:40:09 <kaz> ... onboarding process results in a set of "key objects"
13:41:27 <kaz> -> https://github.com/w3c/wot/issues/978#issuecomment-963160698 updated comments for wot issue 978
13:43:01 <kaz> q?
13:45:51 <kaz> kaz: 2 comments
13:46:00 <kaz> ... we should work with the DAS WG about this point
13:46:53 <kaz> ... also we should have generic issue on onboarding and key management for the wot-security repository as well as the wot-best-practices repository
13:47:59 <kaz> mm: yeah
13:48:30 <kaz> ... woud consider making the "Security Best Practices" a normative document
13:49:50 <kaz> ... but we'd like to update the document based on the latest best practices
13:50:00 <kaz> kaz: in that case, Note would be a better direction
13:50:18 <kaz> mm: or might be a ever-green approach
13:50:30 <kaz> s/ever-green/evergreen/
13:51:48 <kaz> ... need to consider how this relates to certification
13:53:38 <McCool> https://www.chromium.org/teams/web-capabilities-fugu
13:54:58 <kaz> mm: possibility of Fugu above
13:55:00 <kaz> topic: AOB
13:55:18 <kaz> mm: we had joint discussion on Signature, etc., with the DID WG guys
13:55:27 <kaz> ... they have a mechanism to distribute keys
13:56:41 <kaz> zk: any idea on offloading by Web Assembly, etc.?
13:57:27 <kaz> mm: similar discussion during the breakout by the Web Networks guys
13:57:49 <kaz> ... our own question is do we want to work on that ourselves?
13:58:01 <kaz> ... or would the other group(s) to work on that?
13:59:58 <kaz> ... need to look into Web Workers as well
14:00:09 <kaz> ... will continue to work on the topics
14:00:42 <kaz> ... will review the prev minutes next week.
14:00:51 <kaz> [adjourned]
14:00:52 <kaz> rrsagent, make log public
14:00:56 <kaz> rrsagent, draft minutes
14:00:58 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/08-wot-sec-minutes.html kaz
14:01:44 <kaz> s/will continue/let's continue/
14:01:57 <kaz> rrsagent, draft minutes
14:01:57 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/08-wot-sec-minutes.html kaz
16:03:15 <Zakim> Zakim has left #wot-sec
16:15:34 <zkis> zkis has joined #wot-sec
18:23:43 <sebastian> sebastian has joined #wot-sec
19:47:53 <sebastian> sebastian has joined #wot-sec
19:48:16 <sebastian> sebastian has joined #wot-sec
20:27:19 <sebastian> sebastian has joined #wot-sec
20:27:43 <sebastian> sebastian has joined #wot-sec