12:01:13 RRSAgent has joined #wot-sec
12:01:13 logging to https://www.w3.org/2022/05/09-wot-sec-irc
12:01:47 meeting: WoT Security
12:02:00 present+ Kaz_Ashimura, Jan_Romann, Michael_McCool
12:02:16 chair: McCool
12:05:56 scribenick: JKRhb
12:06:00 topic: Minutes Review
12:06:19 present+ Tomoaki_Mizushima
12:06:20 mm: (Goes over last week's minutes)
12:06:34 i|Goes|-> https://www.w3.org/2022/05/02-wot-sec-minutes.html May-2|
12:07:05 ... I brought up the topic of global IDs which should now be resolved in Profiles.
12:07:09 ... There are a number of new PRs
12:07:42 ... in the minutes there is a confusing line that says "ID" instead of "UUID". Can you delete it, kaz?
12:07:50 kaz: Will do.
12:07:59 ... (removes the line)
12:08:09 ... The line has just been removed.
12:08:28 mm: I don't see any other issues. Any objections to publishing?
12:08:42 zkis has joined #wot-sec
12:08:43 There are no objections, minutes will be published.
12:08:59 topic: Wide Review Responses
12:09:19 subtopic: TD Issue #1490
12:09:58 mm: There came up this issue, that asks for prohibiting unique IDs in TDs when nosec is being used
12:10:00 https://github.com/w3c/wot-thing-description/issues/1490
12:10:06 ... There is a related issue in discovery
12:10:10 https://github.com/w3c/wot-discovery/issues/299
12:10:35 ... the issue is by Ben Francis, he also mentions problems regarding TLS
12:10:42 7.2.2 Directory Service API The HTTP API MUST be exposed over HTTPS (HTTP Over TLS).
12:11:18 ... this was a problem that he noted, which is currently in the discovery spec. Using TLS locally is not really possible at the moment, though
12:11:22 https://github.com/w3c/wot-architecture/pull/747
12:11:45 ... I tried to capture some possible mitigations in a new PR in the Architecture repository
12:12:38 ... I added some assertions, differentiating between internet access and LAN
12:13:16 ... stricter requirements for TLS usage could then be applied if the Thing is available on the internet
12:13:40 ... these are MUSTs, while the LAN assertions are SHOULDs
12:14:30 ... only using TLS does not solve the mentioned issue, though, not allowing nosec is also required
12:15:00 ... the immutable identifiers are not addressed, yet, therefore I would take this part out
12:15:39 ... nosec should also not be used for directories containing privacy related information
12:16:25 ... (shows the addition in the rendered document)
12:17:15 ... I added MUST assertions regarding TLS usage to a subsection called public networks
12:17:40 -> https://pr-preview.s3.amazonaws.com/mmccool/wot-architecture/pull/747.html#sec-security-consideration-secure-transport Preview - 10.5 Secure Transport
12:17:49 ... in a private networks subsection, there is a new MAY assertion
12:18:11 ... in the case of Brownfield devices, I added the recommendation of not exposing them on the internet
12:19:33 ... when it comes to PII, I added a new assertion that prohibits the use of nosec and mandates the use of TLS, when privacy related information is contained in a TD
12:19:44 jr: looks good to me
12:20:12 mm: have just created the PR
12:20:39 ... regarding this one (11.2 Access to PII)
12:20:47 i/looks good/scribenick: kaz/
12:23:39 ... (generates comments for the PR 747)
12:26:13 zkis_ has joined #wot-sec
12:26:17 scribenick: JKRhb
12:26:55 -> https://github.com/w3c/wot-architecture/pull/747#issuecomment-1121031993 McCool's comments
12:27:22 mm: Another aspect that we might want to add would be to require non-nosec on private networks without TLS
12:28:07 ... this might complicate things, however, as private networks are better protected from random attacks in general than Things on the public internet
12:29:44 topic: UUIDs
12:30:09 mm: Current Profile spec has the requirement that IDs must be set and that they must be globally unique
12:30:18 ... I discussed this in the last profile call
12:30:39 ... and said that we took out globally unique IDs out of the TD spec for a reason
12:31:09 ... instead, cryptographically unique IDs should be used
12:31:28 ... there are security issues with some versions of UUID, though
12:31:40 ... the only suitable versions are v4 or v5
12:32:12 ... my proposal would be to only recommend v4
12:32:13 i|Current Pro|-> https://github.com/w3c/wot-profile/issues/139 wot-profile issue 139 - unique id
12:32:16 q+
12:32:56 ... v4 does not use hashing, relies completely on random numbers
12:33:12 ... constrained devices might not have access to reliable random generators
12:34:40 ... current proposal is to use UUIDs and put this ID in the database of a directory
12:34:59 ... DIDs would be another alternative, but those are not mature, yet
12:35:05 kaz: I tend to agree
12:35:11 ... UUID is a possible solution
12:35:29 ... we should probably clarify the use of IDs a bit more, based on use-cases and concrete scenarios
12:35:57 ... as I mentioned in the profile call, which kind of uniqueness is required for local IDs?
12:36:03 s/we should/however, we should/
12:36:19 s/use of IDs/our requirements for IDs/
12:36:25 mm: We don't to have IDs with metadata in them
12:36:36 ... we don't want to have collisions with IDs in directories
12:36:52 ... IDs should be reasonably unique and be based on a standard
12:37:02 ... UUIDs tick all of those boxes
12:37:20 s/local IDs/local IDs (session-wide uniqueness, global uniqueness, reuse of IDs, etc.)/
12:37:25 ... they also don't rely on a central authority
12:37:34 s/don't to/don't/
12:37:55 ... we could list those requirements explicitly
12:38:40 ... I will propose the current approach (using UUID v4) in the profiles call on Wednesday
12:39:20 jr: Sounds reasonable to me
12:39:28 topic: Issues
12:39:43 mm: Let's see if we have any more issues
12:39:53 https://github.com/w3c/wot-security/issues/204 - could probably do more here
12:40:11 subtopic: WoT-Security Issue #204
12:40:33 mm: (Adds a comment to the issue)
12:43:00 ... I noticed some security related aspects with home assistant
12:43:11 ... I linked an issue from the testing repository in the comments
12:43:25 subtopic: WoT-Security Issue #197
12:43:32 mm: This issue is relatively new
12:43:32 https://github.com/w3c/wot-security/issues/197
12:43:43 ... we discuss it in the future
12:44:01 ... rather: the latest comment is new, the issue is older
12:44:15 ... I will add the issue to the next meeting's agenda
12:44:51 ... (adds the issue to the Wiki page)
12:45:14 subtopic: WoT-Security Issue #195
12:45:25 mm: This issue relates to what I just did here
12:45:29 ... let me make a note here
12:45:31 i/204/subtopic: Issue 204/
12:46:03 i/subtopic: Issue 204/204/
12:46:07 rrsagent, draft minutes
12:46:07 I have made the request to generate https://www.w3.org/2022/05/09-wot-sec-minutes.html kaz
12:46:33 ... (adds a comment about the updated S & P considerations in the Architecture repository regarding TLS on LANs)
12:47:04 rrsagent, make log public
12:47:05 rrsagent, draft minutes
12:47:05 I have made the request to generate https://www.w3.org/2022/05/09-wot-sec-minutes.html kaz
12:48:07 s/regarding TLS on LANs/regarding TLS on LANs, PII and immutable IDs/
12:48:18 s/subtopic: Issue 204//
12:48:33 q?
12:48:35 ack k
12:48:52 rrsagent, draft minutes
12:48:52 I have made the request to generate https://www.w3.org/2022/05/09-wot-sec-minutes.html kaz
12:50:02 mm: Private networks can be differentiated, however, into personal and institutional ones
12:50:08 ... is an issue of use-cases
12:50:09 s/subtopic: WoT-Security Issue #204//
12:50:24 i|could probably|subtopic: WoT-Security Issue #204|
12:50:27 rrsagent, draft minutes
12:50:27 I have made the request to generate https://www.w3.org/2022/05/09-wot-sec-minutes.html kaz
12:50:38 ... question of how to relate security considerations to use-cases
12:51:07 ... the MAY assertion regarding the use of TLS should probably be a SHOULD instead
12:51:44 i|This issue relates to what I just did here|-> https://github.com/w3c/wot-security/issues/195 Issue 195 - Consider specific security guidance for particular contexts|
12:51:52 rrsagent, draft minutes
12:51:52 I have made the request to generate https://www.w3.org/2022/05/09-wot-sec-minutes.html kaz
12:51:54 ... (adds another comment to PR #747 in the WoT Architecture repository)
12:52:33 ... I think that covers all the cases
12:52:42 s/- could probably do more here/Issue 204 - Review Security Architecture of Home Assistant/
12:53:13 s|https://github.com/w3c/wot-security/issues/197|-> https://github.com/w3c/wot-security/issues/197 Issue 197 - Promoting an approach where every thing is a server is a security nightmare|
12:53:16 rrsagent, draft minutes
12:53:16 I have made the request to generate https://www.w3.org/2022/05/09-wot-sec-minutes.html kaz
12:54:59 ... institutional networks could have stricter requirements/need stricter assertions than personal ones
12:58:53 ... the assertions should be kept as SHOULDs, but we should add an informative note that says that the risk increases with the number of people and the sensitivity of data. The use of secure transport should then be advised more strongly in more vulnerable contexts
12:59:04 rrsagent, draft minutes
12:59:04 I have made the request to generate https://www.w3.org/2022/05/09-wot-sec-minutes.html kaz
12:59:48 -> https://github.com/w3c/wot-architecture/pull/747 wot-architecture PR 747 - Additional Security/Privacy Considerations around TLS, access controls for PII
13:00:07 -> https://github.com/w3c/wot-architecture/pull/747#issuecomment-1121067483 McCool's updated comments
13:00:11 [adjourned]
13:00:47 rrsagent, draft minutes
13:00:48 I have made the request to generate https://www.w3.org/2022/05/09-wot-sec-minutes.html kaz
14:44:19 zkis_ has joined #wot-sec
14:55:58 zkis_ has joined #wot-sec
15:07:25 Zakim has left #wot-sec
15:16:01 zkis__ has joined #wot-sec