W3C

WoT Security

15 November 2021

Attendees

Present: Jiye_Park, Kaz_Ashimura, Michael_McCool, Tomoaki_Mizushima
Regrets: -
Chair: McCool
Scribe: kaz

Meeting minutes

Minutes

Nov-8

McCool: think the requirements for the possible management API are for the next Charter period

Kaz: agree

McCool: (adds note on wot-scripting issue 298 to the wot-security-best-practices draft)

wot-scripting-api issue 298

Jiye: wondering about the draft

McCool: need to create an actual pull request later
… think the minutes themselves are OK

(approved)

PR and Issue

<McCool> PR 28 - Local transport and secure onboarding

McCool: related to issues 27 and 13
… issue 13 is about local transport

issue 13 - Update Secure Local Transport

McCool: it is easiest to handle those two issues at once
… give you a general idea and ask you for opinions
… not directly merged today

Preview - 2. Secure Transport

McCool: extended section 2
… we have to revisit the description, e.g., about TLS 1.3
… then two sections
… 2.1 Global Networks
… and
… 2.2 Offline and Local Networks
… pretty straightforward
… how to deal with offline networks is the question
… no connection with the Internet
… like a factory network
… or partial connection like home networks
… need to establish keys
… missing part is onboarding process
… then another paragraph here
… about onboarding practice as a first option
… then 2nd option
… exposing a limited number of secure endpoints
… 2nd option would be better, I think
… then "3. Onboarding"
… need to look into IETF draft on bootstrapping
… the bottom line is that we need to know something about onboarding

Jiye: any kind of assumption for WoT devices?

McCool: we don't have all the control
… probably need to divide the spec into two pieces, brownfield devices and greenfield devices
… e.g., we can't control devices conforming to the other standards like ECHONET
… (adds references to the "3. Onboarding" section)

<McCool> https://datatracker.ietf.org/doc/html/draft-sarikaya-t2trg-sbootstrapping-11

<McCool> https://datatracker.ietf.org/doc/draft-lear-brski-pop/

<McCool> https://datatracker.ietf.org/doc/html/rfc8572

<McCool> https://datatracker.ietf.org/doc/html/rfc8995

<McCool> https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-secure-bootstrapping

McCool: please make comments on the PR

PR 28 - Local transport and secure onboarding

McCool: we need to look into issues 13, 14 and 27
… would start with 13 and 27

issue 13 - Update Secure Local Transport

issue 27 - Add Onboarding/Key Distribution Section

McCool: (adds "BRSKI, DID/VC, Anima" as well)
… regarding "4. Authentication and Access Control"
… we only have OAuth
… need to go through "psk, public, or cert security schemes" again
… section "6. Object Security" has the same issue

Jiye: will go through the PR

McCool: yes, please look at it in detail
… will fix the style as well

[adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 159 (Fri Nov 5 17:37:14 2021 UTC).