13:02:31 <RRSAgent> RRSAgent has joined #wot-sec
13:02:31 <RRSAgent> logging to https://www.w3.org/2021/11/15-wot-sec-irc
13:02:39 <kaz> meeting: WoT Security
13:02:53 <kaz> present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
13:03:23 <Jiye> Jiye has joined #wot-sec
13:06:28 <McCool> McCool has joined #wot-sec
13:07:21 <kaz> present+ Tomoaki_Mizushima
13:08:56 <kaz> topic: Minutes
13:09:12 <kaz> -> https://www.w3.org/2021/11/08-wot-sec-minutes.html Nov-8
13:09:31 <kaz> mm: think the requirements for the possible management API is for the next Charter period
13:09:35 <kaz> kaz: agree
13:10:27 <kaz> mm: (adds note on wot-scripting issue 298 to the wot-security-best-practices draft)
13:10:49 <kaz> -> https://github.com/w3c/wot-scripting-api/issues/298 wot-scripting-api issue 298
13:11:31 <kaz> jp: wondering about the draft
13:11:44 <kaz> mm: need to create an actual Pullrequest later
13:12:55 <kaz> ... think the minutes themselves are OK
13:13:02 <kaz> (approved)
13:13:09 <kaz> topic: PRs
13:13:28 <McCool> https://github.com/w3c/wot-security-best-practices/pull/28
13:13:33 <kaz> s/PRs/PR and Issue/
13:14:01 <kaz> mm: related to issue 27 and 13
13:14:19 <kaz> s/28/28 PR 28 - Local transport and secure onboarding/
13:14:22 <kaz> s/https/-> https/
13:14:33 <kaz> ... issue 13 is about local transport
13:15:14 <kaz> -> https://github.com/w3c/wot-security-best-practices/issues/13 issue 13 - Update Secure Local Transport
13:15:38 <kaz> mm: the easiest to handle those two issues at once
13:16:03 <kaz> ... give you a general idea and ask you for opinions
13:16:16 <kaz> ... not directly merged today
13:16:54 <kaz> -> https://pr-preview.s3.amazonaws.com/mmccool/wot-security-best-practices/pull/28.html#secure-transport Preview - 2. Secure Transport
13:17:03 <kaz> mm: extended the section 2
13:17:30 <kaz> ... we have to revisit the description, e.g., about TLS 1.3
13:17:42 <kaz> ... then two sections
13:17:53 <kaz> ... 2.1 Global Networks
13:17:56 <kaz> ... and
13:18:02 <kaz> ... 2.2 Offline and Local Networks
13:18:10 <kaz> ... pretty straightforward
13:18:22 <kaz> ... how to deal with offline networks is the question
13:18:43 <kaz> ... no connection with the Internet
13:18:49 <kaz> ... like a factory network
13:19:09 <kaz> ... or partial connection like home networks
13:19:32 <kaz> ... need to establish keys
13:19:41 <kaz> ... missing part is onboarding process
13:20:00 <kaz> ... then another paragraph here
13:20:21 <kaz> ... about onboarding practice
13:20:40 <kaz> ... then 2nd option
13:21:04 <kaz> s/practice/practice as a first option/
13:22:03 <kaz> ... exposing a limited number of secure endpoints
13:22:12 <kaz> ... 2nd option would be better, I think
13:22:21 <kaz> ... then "3. Onboarding"
13:23:38 <kaz> ... need to look into IETF draft on bootstrapping
13:24:45 <kaz> ... the bottom line is that we need to know something about onboarding
13:25:17 <kaz> jp: any kind of assumption for WoT devices?
13:25:37 <kaz> mm: we don't have all the control
13:26:21 <kaz> ... probably need to divide the spec into two pieces, brownfield devices and greenfield devices
13:27:15 <kaz> ... e.g., we can't control devices conforming to the other standards like ECHONET
13:27:58 <kaz> ... (adds references to the "3. Onboarding" section)
13:29:32 <kaz> @@@links here
13:34:09 <McCool> https://datatracker.ietf.org/doc/html/draft-sarikaya-t2trg-sbootstrapping-11
13:34:17 <kaz> s/@@@links here//
13:34:25 <McCool> https://datatracker.ietf.org/doc/draft-lear-brski-pop/
13:34:43 <McCool> https://datatracker.ietf.org/doc/html/rfc8572
13:35:52 <McCool> https://datatracker.ietf.org/doc/html/rfc8995
13:36:55 <McCool> https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-secure-bootstrapping
13:37:31 <kaz> mm: please make comments on the PR
13:38:08 <kaz> -> https://github.com/w3c/wot-security-best-practices/pull/28 PR 28 - Local transport and secure onboarding
13:38:35 <kaz> mm: we need to look into issue 13, 14 and 27
13:39:35 <kaz> ... would start with 13 and 27
13:40:07 <kaz> -> https://github.com/w3c/wot-security-best-practices/issues/13 issue 13 - Update Secure Local Transport
13:40:33 <kaz> -> https://github.com/w3c/wot-security-best-practices/issues/27 issue 27 - Add Onboarding/Key Distribution Section
13:41:51 <kaz> mm: (adds "BRSKI, DID/VC, Anima" as well)
13:42:31 <kaz> ... regarding "4. Authentication and Access Control"
13:42:41 <kaz> ... we only have OAuth
13:43:15 <kaz> ... need to go through "psk, public, or cert security schemes" again
13:43:38 <kaz> ... section "6. Object Security" has the same issue
13:43:48 <kaz> jp: will go through the PR
13:44:04 <kaz> mm: yes, please look at it in detail
13:44:29 <kaz> ... will fix the style as well
13:44:32 <kaz> [adjourned]
13:44:37 <kaz> rrsagent, make log public
13:44:41 <kaz> rrsagent, draft minutes
13:44:41 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/15-wot-sec-minutes.html kaz
15:08:07 <Zakim> Zakim has left #wot-sec