13:03:30 RRSAgent has joined #wot-sec
13:03:30 logging to https://www.w3.org/2022/02/14-wot-sec-irc
13:03:35 meeting: WoT Security
13:05:02 JKRhb has joined #wot-sec
13:06:05 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#14_February_2022
13:06:15 present+ Kaz_Ashimura, Jan_Romann
13:06:56 present+ Michael_McCool
13:07:04 chair: McCool
13:08:59 present+ Philipp_Blum
13:09:38 citrullin has joined #wot-sec
13:10:50 sribenick: JKRhb
13:11:05 topic: Minutes Review
13:11:33 mm goes over the minutes
13:14:29 mm: There are a number of typos which need to be fixed.
13:14:55 ... some points discussed in last week's meeting still need to be addressed
13:15:06 kaz: (Fixes the typos)
13:15:32 There are no objections against publishing the minutes; they are published
13:15:37 topic: PRs
13:15:50 McCool has joined #wot-sec
13:15:54 https://github.com/w3c/wot-thing-description/pull/1382
13:16:01 subtopic: TD PR 1382
13:16:19 pb: I added some comments to the PR
13:17:06 ... regarding possible vulnerabilities due to titles and descriptions (e.g. XSS attacks)
13:17:26 ... if they are displayed in a UI
13:18:18 mm: Yes, this kind of vulnerability needs to be addressed
13:18:45 s|https|-> https|
13:18:53 ... could lead to malicious script execution, for example
13:19:00 q+
13:20:03 jr: Should something like sanitization be added?
13:21:12 mm: We could specify that, for example, all HTML markup needs to be removed, but this might have a negative impact
13:21:30 ... Concerns every string field
13:21:43 s|pull/1382|pull/1382 wot-thing-description PR 1382 - Create Security and Privacy Questionnaire Answers for Ver 1.1 CR Process|
13:21:52 pb: True, but I thought titles and descriptions are probably going to be exploited first
13:21:57 s/subtopic: TD PR 1382//
13:22:06 i|pull/1382|subtopic: TD PR 1382|
13:22:22 rrsagent, make log public
13:22:24 rrsagent, draft minutes
13:22:24 I have made the request to generate https://www.w3.org/2022/02/14-wot-sec-minutes.html kaz
13:23:54 topic: Security and Privacy Questionnaire
13:26:06 mm: There needs to be an issue for each deliverable in the security repository
13:26:15 https://github.com/w3ctag/design-reviews
13:27:27 s/security repository/w3ctag design review repository/
13:27:57 s/https/-> https/
13:28:10 mm: (Starts a TAG review issue for the TD repository)
13:28:12 s/design-reviews/design-reviews design-reviews repo/
13:29:07 ... should this be the editor's version or a Working Draft, kaz?
13:29:24 kaz: Usually I provide a static HTML file
13:29:42 mm: We can provide a link to the new WD once it's ready
13:30:07 ... for now I'll mark it as "Work in Progress"
13:31:00 ... I also mark it as "Security Review"
13:31:23 -> https://github.com/w3ctag/design-reviews/issues/357 prev issue for TD 1.0
13:31:47 kaz: You could also look at the previous TAG review issue as an example
13:32:16 mm: Problem is that they sometimes change the issue format
13:32:37 ... old issue used the Editor's Draft
13:33:04 ... the implementation report URL can be reused
13:33:29 ... as well as the link to the wot-testing repository
13:34:04 ... "User research" is new
13:34:12 ... could point to our use case study
13:36:40 ... (Adds the TD Self-Review PR 1382 (see above) to the form)
13:38:29 ... I'll complete the list of Primary Contacts/Editors offline
13:43:55 ... (Adds links to the other documents that are going to be reviewed)
13:44:25 ... Are we doing Binding Templates as well, Kaz?
13:44:38 kaz: Informative documents are not really important
13:44:51 mm: This also applies to the Use Case document
13:45:16 s/important/important from the viewpoint of normative spec generation process/
13:45:54 s/Use Case document/Use Cases document/
13:51:20 mm: For now the Specification does not point anywhere; it will be up to Sebastian or the task force to update. Linking an Editor's Draft is a bit too dangerous
13:51:28 ... (Submits the issue)
13:51:57 ... Even though done in security, there are a lot of items in the form that are not security related and need to be done elsewhere
13:52:41 ... I'll create an issue in the TD repository linking to the TAG review request
13:53:54 ... there needs to be a privacy review as well
13:54:30 pb: I've added another comment to the questionnaire issue
13:54:45 mm: We need to have a plan to finish the questionnaire
13:55:04 ... I created a separate branch for the review
13:56:16 ... (Shows the Markdown file containing the questionnaire as well as the old Questions and Answers)
13:57:05 ... we need to assign people to the new questions and clarify who is answering which question
13:58:11 present+ Jiye_Park
13:58:20 rrsagent, draft minutes
13:58:20 I have made the request to generate https://www.w3.org/2022/02/14-wot-sec-minutes.html kaz
13:59:01 present+ Tomoaki_Mizushima
13:59:02 rrsagent, draft minutes
13:59:02 I have made the request to generate https://www.w3.org/2022/02/14-wot-sec-minutes.html kaz
13:59:39 ... we'll sort out the actual assignment in the comments of the PR
14:00:23 s/sribenick:/scribenick:/
14:00:25 rrsagent, draft minutes
14:00:25 I have made the request to generate https://www.w3.org/2022/02/14-wot-sec-minutes.html kaz
14:00:57 ... if you are working on a question, please indicate this in the comments
14:03:08 (McCool added 3 comments to the wot-thing-description PR 1382)
14:03:25 -> https://github.com/w3c/wot-thing-description/pull/1382#issuecomment-1039079915 McCool's comments
14:03:27 [adjourned]
14:03:35 rrsagent, draft minutes
14:03:35 I have made the request to generate https://www.w3.org/2022/02/14-wot-sec-minutes.html kaz
14:50:29 jkrhb_ has joined #wot-sec
15:46:23 Mizushima has left #wot-sec
16:02:24 Zakim has left #wot-sec
17:04:20 kaz has joined #wot-sec