13:01:28 <RRSAgent> RRSAgent has joined #wot-sec
13:01:28 <RRSAgent> logging to https://www.w3.org/2022/02/07-wot-sec-irc
13:01:33 <kaz> meeting: WoT Security
13:01:41 <kaz> present+ Kaz_Ashimura, Michael_McCool
13:03:38 <kaz> present+ Jiye_Park
13:04:55 <McCool> McCool has joined #wot-sec
13:05:13 <jiye> jiye has joined #wot-sec
13:07:44 <kaz> topic: Minutes
13:08:05 <kaz> -> https://www.w3.org/2022/01/24-wot-sec-minutes.html Jan-24
13:08:16 <kaz> approved
13:08:21 <kaz> -> https://www.w3.org/2022/01/31-wot-sec-minutes.html Jan-31
13:08:31 <kaz> mm: (goes through the minutes)
13:08:50 <kaz> present+ Tomoaki_Mizushima
13:10:10 <kaz> approved
13:11:38 <kaz> topic: Wide reviews
13:11:59 <kaz> -> https://w3ctag.github.io/security-questionnaire/ Security questionnaire
13:13:41 <kaz> present+ Tomoaki_Mizushima
13:15:20 <kaz> -> https://github.com/w3ctag/design-reviews design review repository
13:15:46 <kaz> -> https://github.com/w3ctag/design-reviews/issues?q=is%3Aissue+wot WoT issues
13:16:20 <kaz> s/WoT issues/previous WoT issues/
13:16:42 <kaz> mm: we created issues above for our previous version specs
13:20:14 <McCool> https://github.com/w3c/wot-architecture/blob/main/proposals/security_and_privacy.md
13:20:25 <kaz> s/http/-> https/
13:20:41 <kaz> s/md/md self-review assessment/
13:24:21 <kaz> mm: seems question 2.1 and 2.2 have been added
13:24:34 <kaz> ... 2.8 also
13:25:49 <kaz> -> https://www.w3.org/TR/security-privacy-questionnaire/ dated version (16 December 2021)
13:26:10 <kaz> kaz: probably we should use the dated version questionnaire as tthe basis
13:26:39 <kaz> mm: yeah
13:26:58 <kaz> ... we need to go through the latest questions
13:27:15 <kaz> ... could reuse some of the previous answers, though
13:27:33 <kaz> ... need to work on the questions and answers offline
13:31:14 <kaz> ... would like to generate a dedicated MD to manage the content
13:31:50 <kaz> ... (copies the content of the MD under the wot-thing-description repository)
13:34:29 <kaz> -> https://github.com/w3c/wot-thing-description/issues/1382 wot-thing-description PR 1382 - Create Security and Privacy Questionnaire Answers for Ver 1.1 CR Process
13:34:52 <kaz> i/https/... (and creates a PR for that)/
13:37:06 <kaz> mm: (adds checklists for the next steps to the PR too)
13:38:35 <kaz> ... last time I did the questionnaire, so this time somebody else should also go through the questions
13:39:00 <kaz> ... Jiye, could you go through them?
13:39:05 <kaz> jp: yes
13:39:31 <kaz> mm: also possibly Philipp
13:39:43 <McCool> https://github.com/w3c/wot-thing-description/pull/1382
13:39:44 <kaz> ... (adds Jiye and Philipp to the Assignees of the PR)
13:41:00 <kaz> rrsagent, draft minutes
13:41:00 <RRSAgent> I have made the request to generate https://www.w3.org/2022/02/07-wot-sec-minutes.html kaz
13:41:05 <kaz> rrsagent, make log public
13:41:06 <kaz> rrsagent, draft minutes
13:41:06 <RRSAgent> I have made the request to generate https://www.w3.org/2022/02/07-wot-sec-minutes.html kaz
13:41:11 <kaz> topic: PR 264
13:41:50 <kaz> s/PR/Discovery PR/
13:42:13 <kaz> -> https://github.com/w3c/wot-discovery/pull/264 wot-discovery PR 264 - Update Security and Privacy Considerations
13:42:27 <kaz> mm: added new Security section separately
13:42:56 <kaz> ... both the security issues and privacy issues point to the Security and Privacy Note
13:43:50 <kaz> -> https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/pull/264.html#security-considerations 7. Security Considerations
13:44:28 <kaz> -> https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/pull/264.html#privacy-considerations 8. Privacy Considerations
13:44:58 <kaz> jp: good to have those sections separately
13:46:00 <kaz> ... but wondering if "7.2 Limited Duration Accesses" really should belong to this WoT Discovery spec
13:46:20 <kaz> ... it's rather generic issue depending on use cases
13:46:33 <kaz> mm: yeah
13:47:02 <kaz> ... (adds comments about that)
13:47:17 <kaz> ... "limited duration access" may not belog nere
13:47:47 <kaz> ... move it to he TD spec's security considerations section
13:48:37 <kaz> ... also probably need a generic security consideration aroud mitigating all OWASP top 10 security issues in Directory implementations
13:49:21 <kaz> ... we've not yet considered replay attacks (but already included in the OWASP top 10?)
13:50:40 <kaz> -> https://owasp.org/Top10/ OWASP Top 10 - 2021
13:51:17 <kaz> mm: those are largest percent of the security issues
13:52:41 <kaz> ... seems "replay" is not included there
13:53:12 <kaz> ...maybe we could another one
13:54:03 <kaz> ... if you think any other issues are important, we should certainly added them
13:54:28 <kaz> ... (add some more comments)
13:54:41 <kaz> ... if here is a longer list of security concerns, we can add it as well
13:55:04 <kaz> ... but my htought is that mitigating the OWASP Top 10 should be a minimal requirement
13:56:37 <kaz> -> https://github.com/w3c/wot-discovery/issues/254#issuecomment-1031493462 updated comment for wot-discovery issue 254 - Review Security and Privacy Considerations
13:57:19 <kaz> topic: TD PR 1360
13:57:47 <kaz> -> https://github.com/w3c/wot-thing-description/pull/1360 wot-thing-description PR 1360 - Update Security and Privacy Consideration
13:58:00 <kaz> s/Consideration/Considerations/
13:58:19 <kaz> -> https://github.com/w3c/wot-thing-description/pull/1360#issuecomment-1031316718 Jiye's comment
13:59:38 <kaz> jiye: mutual authentication doesn't help mitigate MITM attack
13:59:59 <kaz> mm: should consider bootstrapping secure connection
14:00:10 <kaz> ... need to reed the text again
14:01:13 <kaz> jiye: if needed, please let me know so that we can have some more dedicated discussion offline
14:01:15 <kaz> mm: ok
14:01:18 <kaz> [adjourned]
14:01:27 <kaz> rrsagent, make log public
14:01:29 <kaz> rrsagent, draft minutes
14:01:29 <RRSAgent> I have made the request to generate https://www.w3.org/2022/02/07-wot-sec-minutes.html kaz
15:31:19 <Zakim> Zakim has left #wot-sec