12:00:21 <RRSAgent> RRSAgent has joined #wot-sec
12:00:21 <RRSAgent> logging to https://www.w3.org/2022/05/02-wot-sec-irc
12:00:26 <kaz> meeting: WoT Security
12:00:35 <kaz> present+ Kaz_Ashimura, Jan_Romann
12:01:53 <Mizushima> Mizushima has joined #wot-sec
12:03:19 <citrullin> citrullin has joined #wot-sec
12:05:10 <kaz> present+ Michael_McCool, Philipp_Blum, Tomoaki_Mizushima
12:08:58 <citrullin> scribenick: Philipp_Blum
12:09:25 <citrullin> s/Philipp_Blum/citrullin/
12:09:38 <citrullin> topic: review minutes
12:11:46 <citrullin> mm: Any objections to publish the minutes? No objections.
12:13:17 <citrullin> topic: S&P Considerations
12:13:38 <citrullin> Make Security and Privacy Considerations Normative -> https://github.com/w3c/wot-architecture/pull/734/
12:13:50 <McCool> McCool has joined #wot-sec
12:14:27 <McCool> https://github.com/w3c/wot-architecture/pull/734/files - line 3984 - moved assertions to mitigations
12:14:52 <McCool> https://github.com/w3c/wot-architecture/pull/734/files#diff-0eb547304658805aad788d320f10bf1f292797b5e6d745a3bf617584da017051R3984
12:15:16 <citrullin> mm: Just for information. It already got merged.
12:16:29 <citrullin> mm: We had a dublication in public metadata. I moved one of it out.
12:16:58 <citrullin> mm: It didn't had a mention of discovery. I added it.
12:18:23 <kaz> s/had a/have a/
12:18:44 <citrullin> mm: There was a consideration about PII I added an assertion to.
12:19:01 <kaz> i|Any objec|-> https://www.w3.org/2022/04/25-wot-sec-minutes.html Apr-25|
12:19:09 <kaz> rrsagent, make log public
12:19:11 <kaz> rrsagent, draft minutes
12:19:11 <RRSAgent> I have made the request to generate https://www.w3.org/2022/05/02-wot-sec-minutes.html kaz
12:21:08 <citrullin> mm: Philipp, can you have a look over it, until Thursday?
12:21:11 <citrullin> pb: Will do.
12:21:43 <citrullin> topic: Profiles
12:21:59 <citrullin> mm: There are some troubling things in the new draft.
12:22:26 <citrullin> mm: There are 14 open PRs. So, there will probably be a lot of changes.
12:23:16 <citrullin> mm: There are some things in Profiles that we didn't reach consensus in the TD spec. Some include implications for security, especially privacy.
12:23:38 <citrullin> mm: For example this ID.
12:24:15 <citrullin> mm: In the end we took out globally unique IDs.
12:25:48 <citrullin> mm: I am not worrying about for the moment, until we have a draft though.
12:26:06 <citrullin> topic: Additional security schemes
12:26:42 <citrullin> allow definition of additional security schemes -> https://github.com/w3c/wot-thing-description/pull/1474
12:27:05 <citrullin> jr: While dealing with json schema, I noticed there are some issues in the document itself.
12:28:45 <citrullin> jr: Scheme is optional in 1.1, but mandotory in 1.0. The type changed from string to any type.
12:29:12 <citrullin> mm: any type was there, because we also had to allow URIs beside strings.
12:32:56 <citrullin> Some discussion between jre and mm.
12:33:07 <citrullin> mm: Okay, I think we make it mandatory.
12:33:28 <citrullin> s/mandotory/mandatory/
12:34:29 <citrullin> jr: The changed example is just an realignment with the current document.
12:34:59 <citrullin> mm: Unfortunately, the renderer doesn't wrap lines.
12:35:37 <citrullin> mm: I guess we will see what happens when we discuss this in the call. This shouldn't break anything if we leave it out, right?
12:37:17 <citrullin> jr: Actually, in example 49, this isn't a valid thing description.
12:37:38 <citrullin> mm: Right, your chain would allow it, right?
12:37:39 <citrullin> jr: yes.
12:38:01 <citrullin> mm: We don't have a way to validate extensions.
12:38:19 <citrullin> mm: It's a bigger topic. We had a discussion 2 years ago about this.
12:41:36 <citrullin> mm: We will go in the TD call and discuss it there.
12:42:29 <McCool> https://github.com/w3c/wot-security/issues/206
12:43:06 <citrullin> topic: References for best practises
12:43:20 <citrullin> Add References -> https://github.com/w3c/wot-security/issues/206
12:44:37 <citrullin> mm: the ncsc reference doesn't look like a specification document. I am little bit concerned.
12:44:44 <citrullin> jr: There is a version number on the side though.
12:48:20 <citrullin> mm adds a comment to the issue.
12:50:15 <citrullin> mm: The documents are focused on web, but not IoT. There is a NIST security guidelines for IoT.
12:50:35 <citrullin> pb: That would be something I am also more concerned about.
12:51:21 <citrullin> jr: Wouldn't it be better to reference international organizations, instead of national ones?
12:51:33 <citrullin> mm: Yes, if possible.
12:51:40 <citrullin> mm adds a comment.
12:52:10 <JKRhb> https://www.iso.org/standard/44373.html
12:54:24 <citrullin> https://github.com/w3c/wot-security/issues/206#issuecomment-1114812282
12:54:54 <kaz> rrsagent, make log public
12:54:58 <kaz> rrsagent, draft minutes
12:54:59 <RRSAgent> I have made the request to generate https://www.w3.org/2022/05/02-wot-sec-minutes.html kaz
12:58:12 <kaz> chair: McCool
12:59:56 <kaz> -> https://w3c.github.io/wot-security-best-practices/ Web of Things (WoT) Security Best Practices (Editor's Draft)
14:02:41 <zkis> zkis has joined #wot-sec
14:20:40 <Zakim> Zakim has left #wot-sec
15:06:50 <JKRhb> JKRhb has joined #wot-sec