12:05:28 RRSAgent has joined #wot-sec 12:05:28 logging to https://www.w3.org/2022/05/16-wot-sec-irc 12:05:41 meeting: WoT Security 12:06:12 present+ Kaz_Ashimura, Michael_McCool, Jan_Romann 12:11:06 JKRhb has joined #wot-sec 12:11:14 scribenick: JKRhb 12:11:21 topic: Minutes Review 12:11:49 There are a couple of spelling issues, which are fixed by kaz 12:12:05 Minutes are accepted 12:12:57 https://github.com/w3c/wot-security/issues/153 12:13:41 topic: Architecture Security and Privacy Considerations 12:14:04 mm: The PR 747 in the architecture repository has been merged 12:14:35 ... there was some feedback before the merge 12:14:45 ... let's look at the current draft and see it in context 12:15:15 ... I added a section "Secure Transport", which we discussed last time 12:15:41 ... I will go over the section again 12:16:02 ... let me create an issue to capture some thoughts 12:16:21 ... (starts adding a new issue) 12:17:03 ... reference for TLS would be good as well as mentioning DTLS 12:18:02 ... should an explicit version number be mentioned? Or just "up-to-date"? 12:18:50 present+ Tomoaki_Mizushima 12:19:35 ... (adds comment that others should add missing points if they see any) 12:19:41 https://github.com/w3c/wot-architecture/issues/753 12:19:55 i|There are a|-> https://www.w3.org/2022/05/09-wot-sec-minutes.html May-9| 12:19:56 topic: Discovery Explainer Draft 12:20:27 s/topic: Architecture Security and Privacy Considerations// 12:20:29 mm: Started a PR for a Discovery explainer text 12:20:34 i|issues/153|topic: Architecture Security and Privacy Considerations| 12:21:12 ... I am mentioning this here because there are a lot of security related aspects in discovery 12:21:29 ... added use-cases and requirements 12:21:53 i|The PR 747|-> https://github.com/w3c/wot-architecture/pull/747 PR 747 - Additional Security/Privacy Considerations around TLS, access controls for PII| 12:21:57 ... there is a paragraph on security, where I mention the TLS issue, access controls, and difficulties with LANs 12:22:20 ... I also mention best-effort security 12:22:45 i|PII|subtopic: PR 747| 12:22:50 https://github.com/w3c/wot-discovery/pull/309/files 12:23:12 jr: Is the PR ready for review yet? 12:23:16 rrsagent, make log public 12:23:20 rrsagent, draft minutes 12:23:20 I have made the request to generate https://www.w3.org/2022/05/16-wot-sec-minutes.html kaz 12:23:54 chair: McCool 12:23:55 rrsagent, draft minutes 12:23:55 I have made the request to generate https://www.w3.org/2022/05/16-wot-sec-minutes.html kaz 12:24:50 s/753/753 Issue 753 - Clean up new TLS S&P Considerations/ 12:26:01 i|Started a PR for a|-> https://github.com/w3c/wot-discovery/pull/309 PR 309 - Clean up new TLS S&P Considerations| 12:30:09 mm: (Adds a comment regarding the use of discovery in implementations) 12:30:14 https://github.com/w3c/wot-discovery/pull/309 12:31:21 topic: ID requirements 12:31:34 mm: We discussed what the requirements for IDs are 12:31:48 ... these are not completely done yet 12:32:00 https://github.com/w3c/wot-thing-description/issues/1497 12:32:04 ... TD issue #1497 has came up for example 12:32:26 s/has came u/has come u/ 12:32:50 ... IDs are optional, so my short term advice would be to not use IDs 12:33:06 ... as TDDs assign temporary IDs for example 12:33:23 ... we should probably consider use cases here 12:34:29 ... interesting approach by Ben Francis mentioned in the issue, including the base URL in the ID, which might not necessarily be the best idea, though 12:35:02 ... another relevant issue is TD issue #1490 12:35:08 https://github.com/w3c/wot-thing-description/issues/1490 12:35:47 ... (adds a comment regarding updated S&P considerations in the architecture document) 12:36:15 https://github.com/w3c/wot-thing-description/issues/1490 12:36:36 ... the issue is not about IDs per se, though 12:36:44 https://github.com/w3c/wot-thing-description/issues/1503 12:37:14 ... a new issue regarding IDs is TD issue #1503 12:37:39 ... the example given here does not use opaque IDs, however 12:40:08 jr: Maybe we could a privacy label to group ID related (and other) issues 12:40:18 mm: Could be a good idea 12:40:58 mm: Regarding the privacy issue: Rotating IDs might not be enough 12:41:22 mm: We currently have a section on immutable identifiers in the document 12:41:49 ... we could add another assertion that IDs must be altered when a thing is being transferred to another owner 12:42:29 ... IDs could also be fetched instead of being exposed in a TD, if legally permitted 12:43:03 ... in the ID metadata section, we could explicitly recommend UUID v4 12:43:33 ... in the Globally Unique Idenfiers section, we mention UUIDs again 12:44:38 ... let me capture some thoughts in an issue 12:44:55 ... (adds comment to TD issue #1497) 12:52:24 ... an example for use cases might be a keyfob which allows identification of an individual person and location 12:53:04 s/ and location/ and their location/ 12:55:39 jr: Another use case could be the exposure of Things and their TDs on the internet 12:55:51 ... allowing for tracking if IDs are included 12:57:10 mm: Difference is that Things are analogous to web sites not browsers 12:57:38 ... IDs on a thing do not lead to the browser being able to be tracked 12:58:47 ... access from a browser could lead to tracking if IDs are saved in unsecure cookies 13:00:06 Comment is marked as WIP as there might be additional aspects that require discussion 13:01:28 q+ 13:03:43 topic: MUD and WoT alignment 13:04:18 jr: added an example to an existing issue regarding MUD (Manufacturer Usage Description) and WoT alignment 13:04:22 https://github.com/w3c/wot-security/issues/153 13:05:23 mm: Discussed this with Michael Lagally before, makes things more complex as client behavior needs to be considered, should be discussed for the next charter 13:05:40 ... (adds the "DEFERRED" label to the issue) 13:05:41 rrsagent, make log public 13:05:43 [adjourned] 13:05:47 rrsagent, draft minutes 13:05:47 I have made the request to generate https://www.w3.org/2022/05/16-wot-sec-minutes.html kaz 15:12:33 Zakim has left #wot-sec