Meeting minutes
Previous Minutes
McCool: (Reviews the previous minutes)
… I don't see any problems with the minutes, apart from one formulation with regard to the structure of the new AutoSecurityScheme in relation to the NoSecurityScheme
… apart from that, any objections?
There are none, kaz fixes the issue and publishes the minutes
PRs
TD PR 1421
<kaz> PR 1421 - feat: Add AutoSecurityScheme
McCool: There was a sentence indicating that Consumers should prompt users for credentials which is also true for other Schemes, therefore it should be removed
Jan: I just removed it
McCool: I was thinking about Security Considerations in this context
… related to vulnerability scanning
… (it seems if it this not in the document, yet)
… the AutoSecurityScheme could be a mitigation for vulnerabilities in this regard
… change is technically normative, but it should be trivial to implement as HTTP is already negotiating security
… PR should be merged in the TD call on wednesday
Discovery PR 287
<kaz> PR 287 - Cleanup of Security Considerations
Was merged, there was a comment by Philipp that hasn't been resolved, yet, he should create an issue for that
Discovery PR 286
<kaz> PR 286 - Add Amplification DDOS Security Consideration and Mitigations
McCool: PR differentiates between DoS and DDoS attacks
… also considers amplification attacks
… (shows the current state of the rendered document)
… hope we will discuss this PR in the Discovery call
… maybe Jiye can review it, then we can merge it the Discovery call
McCool: PR deals with application attacks, especially in the context of CoAP
… were discussed in a IETF call
… advice is disabling Observe and Multicast in discovery
… annoying as Multicast can be useful
… Multicast is currently only used by CoRE RD and DID
McCool: Sending a multicast GET request to .well-known is technically an exploration mechanism, requires authentication
… might also concern HTTP
Jiye: I will review the PR
McCool: I might be able to defer by one week
TD PR 1428
McCool: Very large PR, moves all normative security considerations to the Security Considerations section
<kaz> PR 1428 - Cleanup Security, Privacy, and IANA Considerations
McCool: another issue that broke the diff was that the Thing Model was inbetween Security and Privacy Considerations
… also, some rewording was required due to conflicting or contradicting assertions
… an example is caching behavior.
… a number of assertions regarding, for example, the expansion of JSON-LD or the execution of JavaScript code using eval() were added
… please review, I would like to merge it soon, technically the assertions should also be tested
Jan: I already left a couple of review comments
McCool: (goes over the review and adds comments)
McCool: Seems like a bit of work, but should be able to get done by wednesday
Jan: maybe the section reordering can be done in another PR
McCool: Yeah, would clean up the diffs
Security Testing Plan
McCool: Would be great if Jiye could have a look on it
McCool: (Edits the testing_2022.md file in the wot-testing repository and adds a link to the WoT Security Testing Guidelines)
Issues
WoT Architecture Issue 726
<kaz> wot-architecture Issue 726 - Review and Update Security and Privacy Considerations
McCool: Security and Privacy Considerations overlap with other documents
… Architecture document contains subsections for each document
… Discovery is not mentioned at all
… need to avoid duplication
… added a Trusted Environment Risks section, needs to be revisited
… issue of missing Discovery section was also raised by Michael Legally
… will make a PR addressing this
… in the meantime, feel free to add comments to the issue
Normative Security and Privacy Considerations
McCool: Should we make the considerations normative in all documents?
Jiye: If we can, why not?
McCool: I agree, is also a bit annoying to avoid using assertions in formulations
… will upgrade such statements to assertions
… (opens an issue related to this in the Discovery Repository)
wot-discovery 293 - Upgrade Security and Privacy Considerations to Normative Sections
Jan: Should we make a resolution of this?
McCool: We will do that next time
<kaz> [adjourned]