12:02:24 <RRSAgent> RRSAgent has joined #wot-sec
12:02:24 <RRSAgent> logging to https://www.w3.org/2022/04/25-wot-sec-irc
12:03:26 <jiye> jiye has joined #wot-sec
12:03:36 <kaz> meeting: WoT Security
12:03:43 <citrullin> citrullin has joined #wot-sec
12:04:02 <kaz> present+ Kaz_Ashimura, Jan_Romann, Jiye_Park, Philipp_Blum, Tomoaki_Mizushima
12:05:04 <kaz> present+ Micheal_McCool
12:06:58 <JKRhb> scribenick: JKRhb
12:07:05 <JKRhb> topic: Minutes Review
12:08:07 <JKRhb> mm: Security and Privacy Considerations for Discovery were merged, but for Architecture the PR is still open
12:08:28 <JKRhb> ... there are minor spelling issues
12:09:03 <JKRhb> ... (mentions the progress on a number of PRs)
12:09:14 <kaz> i|Security and|-> https://www.w3.org/2022/04/11-wot-sec-minutes.html Apr-11|
12:09:20 <JKRhb> kaz: The typo is fixed now
12:09:30 <JKRhb> mm: Propose to publish these. Any objections?
12:09:39 <JKRhb> There are none, minutes are published
12:10:12 <JKRhb> topic: PRs
12:10:40 <JKRhb> subtopic: Discovery PR #295
12:10:51 <JKRhb> mm: Got merged in the Discovery call
12:11:02 <JKRhb> ... issue #293 got closed by it
12:11:25 <JKRhb> ... if you have any concerns regarding discovery, raise new issues otherwise we can consider it done
12:11:44 <JKRhb> subtopic: Architecture PR #734
12:11:51 <JKRhb> mm: This one is still open
12:12:01 <JKRhb> ... did not manage to continue working on it
12:12:21 <JKRhb> ... no significant edits regarding normative changes, with the exception of assertions
12:12:43 <JKRhb> ... as we discussed last time, there is a serious problem with the document structure
12:12:58 <JKRhb> ... One aspect is the structuring by deliverables
12:13:16 <JKRhb> ... another one is the mix of problem descriptions and mitigations
12:13:41 <kaz> i|This one is still|-> https://github.com/w3c/wot-architecture/pull/734 wot-architecture PR 734 - Make Security and Privacy Considerations Normative #734|
12:13:59 <JKRhb> ... a third one is related to public security information in TDs
12:14:09 <JKRhb> ... we currently don't allow public keys in TDs
12:14:29 <JKRhb> pb: One question: Didn't DID also contain public keys?
12:14:46 <JKRhb> mm: DID does, but they also contain information for validating
12:15:21 <kaz> q+
12:15:23 <JKRhb> ... DID is currently opposed, 50 different mechanisms for resolution but some are not secure
12:15:57 <JKRhb> ... can be secure but it is not guaranteed
12:16:12 <JKRhb> ... in my opinion
12:16:41 <JKRhb> ... to summarize, public security data should not include public keys
12:16:56 <JKRhb> ... I'll try to get it done by the next architecture call
12:17:08 <JKRhb> ... then there will be a feature freeze by May 6
12:17:42 <JKRhb> ... we can do a review in the next call and then merge on May 5
12:18:04 <JKRhb> ... are there any more points that should be addressed here?
12:18:24 <JKRhb> kaz: I generally agree with you, Michael, but public keys can be public
12:19:34 <JKRhb> mm: They would theoretically be okay in a TD
12:19:56 <JKRhb> ... not allowing public keys is not normative, yet
12:20:01 <kaz> s/can be public/can be public. Also TD doesn't need to handle the public key directly but it can refer to an external DID document for that purpose. So we should at least think about how a TD should refer to an external DID./
12:20:26 <JKRhb> ... we could delete the sentence
12:20:41 <JKRhb> kaz: How are DIDs related to TDs?
12:20:58 <JKRhb> mm: We don't mention them in the TD spec, yet
12:21:20 <JKRhb> ... we are currently in the clean up phase
12:21:40 <JKRhb> ... we could say that public keys are only allowed in signed TDs
12:22:54 <JKRhb> ... should be addressed in the next version, where we should be able to adopt JSON-LDs signing mechanism
12:23:14 <JKRhb> ... we could also refer to other documents with public keys, as Kaz mentioned before
12:23:31 <JKRhb> ... DID would be an option but they are not normative, yet
12:23:52 <JKRhb> pb: DIDs could also be changed in a TD, so there is a similar problem
12:24:22 <kaz> s/How are DIDs related to TDs?/How TDs should rfer to DIDs should be documented at least. Maybe not for 1.1 specs but for 2.0 specs, though./
12:24:55 <JKRhb> mm: At this point we should not open "cans of worms" in order to not be inconsistent
12:25:50 <JKRhb> mm: Is there anything else we should consider regarding S&P considerations?
12:26:51 <JKRhb> i|mm: Is there anything else|topic: S&P considerations for Profiles|
12:27:15 <JKRhb> ... there is no section for S&P considerations in the profile document yet
12:27:51 <JKRhb> rrsagent, draft minutes
12:27:51 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/25-wot-sec-minutes.html JKRhb
12:27:54 <JKRhb> rrsagent, make log public
12:28:11 <JKRhb> ... there is a mentioning of security
12:28:59 <JKRhb> ... we still have the problem with security in that local networks
12:29:10 <JKRhb> ... could be added, but might be a bit redundant
12:29:59 <JKRhb> pb: I wrote you an email regarding security in local networks, should I open a PR with that?
12:30:27 <JKRhb> jp: Could you summarize?
12:31:30 <JKRhb> pb: Especially with IPv6 you can let nodes change IP addresses to avoid attacks on DNS entries(?)
12:31:45 <JKRhb> mm: You describe an onboarding mechanism
12:32:02 <JKRhb> ... there are a lot of points that need to be figured out here
12:32:19 <JKRhb> ... we should open an issue and put it in the next charter
12:32:25 <JKRhb> pb: I'll create an issue
12:33:04 <JKRhb> mm: Defining a mechanism normatively might not be possible, unfortunately
12:33:18 <JKRhb> ... there is a lot of ongoing discussion
12:33:46 <JKRhb> s/topic: PRs/topic: Security and Privacy Considerations
12:35:33 <kaz> rrsagent, make log publicc
12:35:39 <kaz> rrsagent, make log public
12:35:48 <kaz> s/rrsagent, make log publicc//
12:35:50 <kaz> rrsagent, draft minutes
12:35:50 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/25-wot-sec-minutes.html kaz
12:36:35 <McCool> https://github.com/w3c/wot/issues/978
12:37:12 <JKRhb> mm: Onboarding is already mentioned in the issue for the next charter
12:37:34 <JKRhb> ... can you add your points regarding onboarding here, Philipp?
12:37:47 <JKRhb> ... You can also create an issue and link it here
12:37:51 <JKRhb> pb: Will do
12:38:57 <JKRhb> mm: I just noticed that there is already an issue for S&P cosiderations in the Profile repository
12:39:04 <McCool> https://github.com/w3c/wot-profile/issues/182
12:39:24 <JKRhb> ... also another one
12:39:38 <JKRhb> https://github.com/w3c/wot-profile/issues/183
12:39:59 <JKRhb> s/ is already an issue for S&P cosiderations/ is already an issue for security cosiderations
12:40:09 <McCool> https://github.com/w3c/wot-profile/issues/183
12:40:21 <JKRhb> s/... also another one/... and also one for privacy considerations
12:40:47 <JKRhb> https://github.com/w3c/wot-thing-description/pull/1474
12:41:53 <kaz> rrsagent, draft minutes
12:41:53 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/25-wot-sec-minutes.html kaz
12:41:59 <kaz> chair: McCool
12:42:00 <kaz> rrsagent, draft minutes
12:42:01 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/25-wot-sec-minutes.html kaz
12:42:31 <JKRhb> topic: Additional Security Schemes
12:42:41 <McCool> https://github.com/w3c/wot-thing-description/pull/1474
12:42:53 <JKRhb> jr: Extensions are currently not allowed by the JSON schema
12:43:12 <JKRhb> mm: We should probably change the document and schema to allow extensions again
12:43:24 <JKRhb> ... additional requirements are needed
12:43:48 <kaz> i|Got merged in the|-> https://github.com/w3c/wot-discovery/pull/295 wot-discovery PR 295 - Make Security and Privacy Considerations Normative|
12:43:53 <kaz> rrsagent, draft minutes
12:43:53 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/25-wot-sec-minutes.html kaz
12:44:47 <JKRhb> ... One possibility would be to do nothing and simply allow extensions
12:45:17 <JKRhb> ... we should focus on bug fixes for now, not add additional normative statements
12:45:27 <JKRhb> ... a broken example certainly is a bug
12:45:48 <JKRhb> ... (adds a comment to the PR)
12:48:11 <JKRhb> ... we should rather refrain from adjusting the JSON Schema
12:48:32 <McCool> https://w3c.github.io/wot-thing-description/#adding-security-schemes
12:48:48 <JKRhb> ... current specification is consistent as it says "oneOf" instead of "e. g." for the values of scheme
12:49:06 <McCool> above is inconsistent with "one of" used in https://w3c.github.io/wot-thing-description/#securityscheme
12:49:15 <JKRhb> pb: 1.0 also says e.g. not oneOf
12:49:34 <McCool> also, TD 1.0 uses "e.g.", so using "one of" also breaks compatibility.
12:49:38 <JKRhb> ... saying oneOf in 1.1 would break compatability with 1.0
12:51:23 <JKRhb> mm: Change to oneOf was a breaking change, should be reverted
12:51:47 <JKRhb> topic: Matter Specification
12:52:04 <JKRhb> mm: Took a first look into the Matter specification
12:52:13 <JKRhb> ... looks interesting with regard to onboarding
12:52:22 <JKRhb> ... should align our process with Matter's
12:52:58 <JKRhb> rrsagent, draft minutes
12:52:58 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/25-wot-sec-minutes.html JKRhb
12:54:32 <kaz> i|Took a first|-> https://csa-iot.org/all-solutions/matter/ Matter site (CSA  IoT)|
12:54:37 <kaz> [adjourned]
12:54:42 <kaz> rrsagent, draft minutes
12:54:42 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/25-wot-sec-minutes.html kaz
13:05:16 <Mizushima> Mizushima has left #wot-sec
14:32:35 <Zakim> Zakim has left #wot-sec
15:08:42 <JKRhb> JKRhb has joined #wot-sec
15:32:45 <JKRhb> JKRhb has joined #wot-sec