13:02:19 <RRSAgent> RRSAgent has joined #wot-sec
13:02:19 <RRSAgent> logging to https://www.w3.org/2022/01/24-wot-sec-irc
13:02:56 <kaz> meeting: WoT Security
13:03:38 <kaz> present+ Kaz_Ashimura, Jiye_Park, Michael_McCool
13:03:43 <kaz> chair: McCool
13:07:58 <kaz> present+ Tomoaki_Mizushima
13:08:46 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#24_January_2022
13:09:08 <kaz> topic: Minutes
13:09:17 <kaz> -> https://www.w3.org/2022/01/17-wot-sec-minutes.html Jan-17
13:12:52 <kaz> approved
13:12:59 <kaz> topic: Issues
13:13:04 <kaz> subtopic: Discovery
13:13:44 <kaz> -> https://github.com/w3c/wot-discovery/issues/263 wot-discovery issue 263 - Profile needs a simple self descriptive mechanism without huge implementation demands
13:15:37 <kaz> mm: we were planning to make onboarding out of scope, but it seems we need it
13:16:07 <kaz> ... for example, habs talking with devices
13:16:58 <kaz> ... any thoughts?
13:17:07 <kaz> jp: not looked at it yet
13:17:17 <kaz> ... will see it after this call
13:18:05 <kaz> mm: (adds comments)
13:18:32 <kaz> ... disallow self-description under plain HTTP
13:18:43 <kaz> ... (would essentially disallow it on LANS)
13:21:44 <kaz> s/LANS/LANs unless some other mechanism, not described in the profile or discovery specs, was used to assign certs to devices)
13:22:03 <kaz> ... this basically converts the SHOULD in the Discovery spec to a MUST.
13:24:03 <kaz> ... in practice, it means an on-boarding process needs to be used but is not
13:24:40 <kaz> jp: browsers may reject the self-signed certs. right?
13:24:44 <kaz> mm: yeah
13:24:54 <kaz> s/is not/is not.../
13:25:17 <kaz> ... (modifies the comments a bit)
13:25:33 <kaz> ... on a LAN, raw public keys should be use din place of certs
13:27:45 <kaz> jp: based on the connection between the server and the client
13:27:51 <kaz> ... need to check, though
13:27:59 <kaz> mm: ok
13:28:28 <kaz> s/certs/certs to set up HTTPS/
13:28:40 <kaz> jp: we can check the pre-shared key
13:28:53 <kaz> mm: we can check the HTTPS spec
13:29:33 <kaz> jp: please share the resource too
13:29:41 <kaz> mm: need to check later
13:29:56 <kaz> ... possibly empty cert can be used
13:31:10 <jiye> jiye has joined #wot-sec
13:31:11 <jiye> https://datatracker.ietf.org/doc/html/rfc5246
13:31:15 <kaz> jp: looking at RFC5246
13:31:21 <McCool> McCool has joined #wot-sec
13:31:31 <jiye> https://datatracker.ietf.org/doc/html/rfc5246
13:33:10 <kaz> s|https://datatracker.ietf.org/doc/html/rfc5246||
13:33:24 <kaz> mm: (goes through the RFC 5246)
13:34:25 <jiye> https://datatracker.ietf.org/doc/html/rfc4279
13:34:47 <jiye> TLS_RSA_PSK_WITH_RC4_128_SHA       RSA_PSK       RC4_128       SHA       TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA  RSA_PSK       3DES_EDE_CBC  SHA       TLS_RSA_PSK_WITH_AES_128_CBC_SHA   RSA_PSK       AES_128_CBC   SHA       TLS_RSA_PSK_WITH_AES_256_CBC_SHA   RSA_PSK       AES_256_CBC   SHA
13:35:55 <kaz> jy: another RFC (4279) about PSK Ciphersuites for TLS
13:36:35 <kaz> ... can be used with TLS 1.2
13:40:38 <kaz> mm: (updates the comments based on the discussion)
13:41:06 <kaz> ... not essential to define an onboarding process in Profiles
13:41:33 <kaz> s/Profiles/Profiles (due to time limitation)/
13:41:57 <kaz> ... but let's take care of the basics before even considering whether we should do so
13:42:40 <kaz> ... (copy part of the comments to wot-discovery issue 254)
13:44:41 <kaz> -> https://github.com/w3c/wot-discovery/issues/254 wot-discovery issue 254 - Review Security and Privacy Considerations
13:45:02 <kaz> mm: on a LAN, recommend that pre-shared keys be used in place of certs
13:45:20 <kaz> ... see RFC4279 for cipher suites that can be used with TLS 1.2.
13:45:34 <kaz> ... see linked issue #263 for discussion
13:45:56 <kaz> ... The other mitigation is to NOT support self-discovery if security cannot be established.
13:52:34 <kaz> ... note that passwords, etc., still need to be used since different passwords/tokes/etc. may provide different access levels to different users.
13:52:47 <kaz> ... the PSK should not be the only access control.
13:53:02 <kaz> ... in particular, do not use 'nosec' even with PSK.
13:53:28 <kaz> ... ALso, the PSK should be unique to the device pair and not used for any other purpose.
13:53:48 <kaz> ... if the PSK is derived from the id of the Thing (or encodes it somehow).
13:56:00 <kaz> ... the PSK may be derived from internal device identity but this is separate from the "id" used in the Thing.
13:56:19 <kaz> ... the Thing should NOT be revealing its internal identity
13:56:34 <McCool> https://github.com/w3c/wot-discovery/issues/254
13:56:42 <McCool> please commend on this issue for followup
13:56:54 <kaz> i/https/... however, we do need a separate recommendation somewhere (profile? or TD?)/
13:57:50 <kaz> mm: would start with generating a PR
13:58:11 <kaz> s/PR/PR for wot-discovery/
14:00:08 <McCool> https://github.com/w3c/wot-discovery/pull/264
14:00:20 <kaz> s|https|-> https|
14:00:35 <kaz> s|264|264 PR 264 - Update Security and Privacy Considerations|
14:00:42 <kaz> mm: will add you to reviewers
14:00:44 <kaz> jp: ok
14:02:13 <kaz> [adjourned]
14:02:20 <kaz> rrsagent, make log public
14:02:22 <kaz> rrsagent, draft minutes
14:02:22 <RRSAgent> I have made the request to generate https://www.w3.org/2022/01/24-wot-sec-minutes.html kaz
15:02:47 <Mizushima> Mizushima has left #wot-sec
15:30:36 <Zakim> Zakim has left #wot-sec