12:59:45 <RRSAgent> RRSAgent has joined #wot-sec
12:59:45 <RRSAgent> logging to https://www.w3.org/2021/11/22-wot-sec-irc
13:02:04 <kaz> meeting: WoT Security
13:02:13 <kaz> present+ Kaz_Ashimura, Jiye_Park
13:05:07 <kaz> present+ Michael_McCool, Philipp_Blum, Tomoaki_Mizushima
13:06:38 <kaz> rrsagent, make log public
13:06:45 <kaz> rrsagent, draft minutes
13:06:45 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/22-wot-sec-minutes.html kaz
13:07:14 <kaz> chair: McCool
13:08:16 <citrullin> citrullin has joined #wot-sec
13:08:53 <kaz> scribenick: citrullin
13:09:41 <citrullin> topic: Minutes review
13:10:04 <Jiye> Jiye has joined #wot-sec
13:11:14 <McCool> McCool has joined #wot-sec
13:11:16 <McCool> https://www.w3.org/2021/11/15-wot-sec-minutes.html
13:13:10 <citrullin> mm: I looked into several IETF documents.
13:13:31 <citrullin> ...having some thoughts how to proceed with it.
13:13:41 <citrullin> mm: Anyone having objections?
13:13:44 <citrullin> no objections.
13:15:32 <citrullin> topic: Local transport and secure onboarding
13:15:44 <citrullin> -> https://github.com/w3c/wot-security-best-practices/pull/28
13:16:40 <citrullin> mm: I read the IETF specification and added a PR for the security-best-practices accordingly.
13:18:07 <citrullin> mm: Problem is that TLS 1.3 has been released, but DTLS 1.3 hasn't been released yet.
13:21:36 <citrullin> jp: For TLS1.3 this privacy expose risk is not happening?
13:21:49 <citrullin> mm: I don't know if that is a problem in TLS1.3.
13:24:34 <citrullin> mm: Offline and local networks are different. Local networks only have a NAT, while offline networks don't have a connection to the Internet at all. We should split that up in different sections.
13:24:49 <kaz> rrsagent, draft minutes
13:24:49 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/22-wot-sec-minutes.html kaz
13:30:05 <McCool> https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz
13:32:29 <citrullin> s/http/-> http/
13:41:04 <citrullin> jp: I wanted to talk about the onboarding stuff.
13:42:02 <citrullin> mm added a comment to PR #28
13:42:11 <citrullin> -> https://github.com/w3c/wot-security-best-practices/pull/28#issuecomment-975534690
13:42:49 <citrullin> mm: I think the terminology is confusing.
13:43:25 <citrullin> jp: I agree. What is the onboarding, config, certificates? We should clarify the context.
13:44:44 <citrullin> mm: The context should be WoT. We can assume that the certificates situation is solved.
13:45:32 <citrullin> jp: In order to setup the device we may want to use a mobile phone.
13:48:09 <citrullin> mm: We have a life-cycle section. It is a bit contradicting and too short anyways.
13:48:37 <citrullin> s/life-cycle/lifecycle section in the architecture/
13:49:43 <citrullin> mm: We have the problem that the term "onboarding" is used for a lot of things in the industry.
13:51:20 <citrullin> mm: There is also a discussion about group keys.
13:52:31 <citrullin> mm: In general groups keys are problematic and have holes in them. They are also difficult to update.
13:53:40 <citrullin> mm adds a comment to #28
13:53:41 <citrullin> -> https://github.com/w3c/wot-security-best-practices/pull/28#issuecomment-975547662
13:54:31 <citrullin> mm: I need to re-read the specification. I am going to add all the references when I find them to the comments.
13:55:56 <citrullin> action: Separate local and offline sections.
13:56:08 <citrullin> action: deal with TLS1.3 and DTLS1.3
13:57:28 <citrullin> action: finish reading DID, VC, SZTP, BRSKI, Authz, EST
13:59:59 <citrullin> action: Also should look at MUDs to document trust relationships
14:01:17 <kaz> [adjourned]
14:01:20 <kaz> rrsagent, draft minutes
14:01:20 <RRSAgent> I have made the request to generate https://www.w3.org/2021/11/22-wot-sec-minutes.html kaz
15:31:49 <Zakim> Zakim has left #wot-sec
15:41:22 <Mizushima> Mizushima has left #wot-sec