11:57:27 RRSAgent has joined #wot-sec
11:57:27 logging to https://www.w3.org/2022/03/21-wot-sec-irc
11:57:33 meeting: WoT Security
11:59:47 McCool has joined #wot-sec
12:01:36 meeting: WoT Security
12:02:24 present+ Kaz_Ashimura, Michael_McCool
12:03:31 regrets+ Jiye
12:05:09 Mizushima has joined #wot-sec
12:05:22 JKRhb has joined #wot-sec
12:06:12 sebastia_ has joined #wot-sec
12:06:22 Mizushima_ has joined #wot-sec
12:06:22 present+ Jan_Romann, Tomoaki_Mizushima
12:07:26 sebastia_ has joined #wot-sec
12:08:03 sebasti__ has joined #wot-sec
12:09:05 scribenick: JKRhb
12:09:13 topic: Previous Minutes
12:10:10 -> https://www.w3.org/2022/03/07-wot-sec-minutes.html Mar-7
12:10:47 mm: (goes over the last meeting's minutes)
12:11:23 https://github.com/w3c/wot-thing-description/pull/1421
12:12:12 mm: We should discuss fixups of the security schemes and the possible addition of an AutoSecurityScheme
12:12:27 ... any objections to the previous minutes?
12:13:28 There are no objections to the minutes of the last meeting
12:14:27 mm: There is also a spelling problem in the minutes of the meeting before the last one
12:15:07 kaz: I will fix the spelling issue
12:15:14 topic: PRs
12:15:20 s/before the last one/on Feb 28/
12:15:28 s/will fix/have just fixed/
12:15:53 subtopic: TD PR 1421
12:17:04 The PR contains a possible new AutoSecurityScheme that can be used to indicate that there is some security but it is negotiated between a Consumer and a Thing
12:18:30 i|The PR|-> https://github.com/w3c/wot-thing-description/pull/1421 wot-thing-description PR 1421 - feat: Add AutoSecurityScheme|
12:18:31 mm: Should be the same as NoSecurity
12:22:21 ... the PR should be ready by Wednesday so that it can go into the CR
12:22:51 topic: Security Considerations
12:23:10 subtopic: Discovery PR #287
12:23:51 mm: (Presents the changes contained in the PR)
12:25:47 mm: There is a comment raised by Philipp in the PR that is not very specific. I will ask him to clarify.
12:26:13 i|Presents|-> https://github.com/w3c/wot-discovery/pull/287 wot-discovery PR 287 - Cleanup of Security Considerations
12:26:20 rrsagent, make log public
12:26:24 rrsagent, draft minutes
12:26:24 I have made the request to generate https://www.w3.org/2022/03/21-wot-sec-minutes.html kaz
12:26:28 subtopic: Discovery PR #286
12:27:24 mm: I made some clarifications regarding DoS and DDoS attacks
12:28:35 ... addresses a couple of possible amplification attacks with CoAP, which were a topic at the T2TRG meeting
12:29:11 ... a number of possible mitigations are also added
12:29:39 ... we will discuss making them assertions in the Discovery call
12:32:09 i|I made|-> https://github.com/w3c/wot-discovery/pull/286 wot-discovery PR 286 - Add Amplification DDOS Security Consideration and Mitigations|
12:32:34 ... this PR can have a little more time, I want to merge #287 as quickly as possible as it simply addresses issues we have already discussed
12:35:02 mm: (adds another comment with the next steps to PR #287)
12:35:12 subtopic: TD PR #1428
12:35:23 mm: There is a lot in this PR
12:37:17 ... Security Considerations are now turned into assertions, a number of assertions from Discovery are also included
12:37:37 ... tried to make assertions consistent with IANA, for example with regard to caching
12:38:29 ... and also to context fetching in constrained environments
12:39:11 ... we should probably wait until Jiye
12:39:18 i|There is a lot|-> https://github.com/w3c/wot-thing-description/pull/1428 wot-thing-description PR 1428 - Cleanup Security, Privacy, and IANA Considerations|
12:39:59 mm: There are also buffer overflow related JSON-LD security considerations that are addressed
12:40:51 mm: The TM part could probably be moved into a separate PR
12:41:02 mm: (Requests reviews from Jiye and Jan)
12:41:09 topic: Security Testing Plan
12:41:51 The Security Testing Plan was recently merged into the wot-testing repository
12:42:22 s/The Security Testing Plan/mm: The Security Testing Plan/
12:43:08 mm: (Goes over the current version of the Testing Plan document)
12:43:09 i|The Security|-> https://w3c.github.io/wot-security-testing-plan/ WoT Security Testing Plan|
12:43:27 ... not too bad, but we need to add a few things
12:43:38 ... we could open an issue in testing
12:47:08 mm: (opens the issue regarding the possible updates to the document/a migration to an external document, addressing the 2022 deliverables)
12:47:19 https://github.com/w3c/wot-testing/issues/283
12:48:25 mm: This document was not actually published, we could mention the deliverables and do so
12:48:36 kaz: It can be published as a Group Note
12:49:36 mm: (Creates an issue with the steps required for publishing)
12:50:19 ... it would be an IG Note
12:51:02 ... we should discuss it in the main call
12:51:18 https://github.com/w3c/wot-security-testing-plan/issues/7
12:52:32 https://github.com/w3c/wot-scripting-api/issues/390
12:53:01 i/390/topic: AOB?/
12:53:39 s/https/-> https/
12:54:09 s/390/390 wot-scripting-api Issue 390 - Passing Credentials to Discovery Methods|
12:54:12 rrsagent, make log public
12:54:19 rrsagent, draft minutes
12:54:19 I have made the request to generate https://www.w3.org/2022/03/21-wot-sec-minutes.html kaz
12:55:30 mm: There is a general issue regarding the storing of credentials, we might need some assertions on how to deal with this
12:55:58 ... Scripting API is not normative, so this should be included in the Architecture
12:56:13 ... in general, secrets should be stored in vaults
12:56:27 ... scripts should never have access
12:57:25 ... we need to review the security considerations in architecture
12:59:26 jr: Maybe Credential Management API could be reused
12:59:51 mm: Could be possible, but we need to review it carefully
13:00:21 [adjourned]
13:00:27 rrsagent, draft minutes
13:00:27 I have made the request to generate https://www.w3.org/2022/03/21-wot-sec-minutes.html kaz
14:02:33 Mizushima_ has left #wot-sec
14:29:35 Zakim has left #wot-sec