11:57:43 <RRSAgent> RRSAgent has joined #wot-sec
11:57:43 <RRSAgent> logging to https://www.w3.org/2022/05/23-wot-sec-irc
12:01:23 <kaz> meeting: WoT Security
12:01:38 <kaz> present+ Kaz_Ashimura, Michael_McCool, Jiye_Park, Philipp_Blum
12:01:44 <kaz> chair: McCool
12:02:57 <McCool> McCool has joined #wot-sec
12:05:36 <JKRhb> JKRhb has joined #wot-sec
12:05:57 <kaz> present+ Jan_Roann, Tomoakai_Mizushima
12:06:12 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#23_May_2022
12:06:42 <Mizushima> Mizushima has joined #wot-sec
12:07:14 <JIYE> JIYE has joined #wot-sec
12:07:57 <kaz> scribenick: JIYE
12:10:05 <kaz> topic: Minutes
12:10:14 <kaz> -> https://www.w3.org/2022/05/16-wot-sec-minutes.html May-16
12:13:03 <kaz> approved
12:13:15 <JIYE> topic: TLS cleanup
12:13:19 <JIYE> https://github.com/w3c/wot-architecture/issues/753
12:15:12 <kaz> s/https/-> https/
12:15:19 <JIYE> mm: no PR yet, the problem is that when we discussed about TLS 1.3, browsers didn't support TLS 1.3 yet
12:15:27 <kaz> s/753/753 wot-architecture Issue 753 - Clean up new TLS S&P Considerations/
12:15:35 <kaz> rrsagent, make log public
12:15:40 <kaz> rrsagent, draft minutes
12:15:40 <RRSAgent> I have made the request to generate https://www.w3.org/2022/05/23-wot-sec-minutes.html kaz
12:15:43 <citrullin> https://caniuse.com/tls1-3
12:17:05 <JIYE> jy: Nowdays major browsers support TLS 1.3
12:19:57 <kaz> i/Now/jr: (provides link for "Can I use...")/
12:20:00 <kaz> q?
12:20:04 <JKRhb> https://datatracker.ietf.org/doc/html/rfc9147
12:20:24 <kaz> s/jr:/pb:/
12:21:08 <JIYE> jr: there is DTLS 1.3 RFC, it is official
12:21:15 <JIYE> jy: is there any implementation?
12:21:36 <JIYE> jr: DTLS 1.3 implementation is not supported by Openssl
12:23:21 <JIYE> topic: IDs
12:23:38 <JIYE> ->https://github.com/w3c/wot-thing-description/issues/1497
12:25:02 <JIYE> mm: word 'tracking' causes confusion as it can interpreted two meanings.
12:25:20 <kaz> s/->https/-> https/
12:25:40 <JIYE> ...: any thoughts about definition of 'tracking'?
12:26:00 <kaz> i|topic: IDs|-> https://github.com/w3c/wot-architecture/issues/753#issuecomment-1134607063 McCool's comments|
12:26:55 <JIYE> ...: two meaning can be : determining location and observing behavior. Anything missing here?
12:27:17 <kaz> i/1497/1497 wot-thing-description Issue 1497 - Identifiers don't seem to rotate enough/
12:30:43 <JIYE> ...: we can make assertion that for onboarding and offboarding, new ID is required
12:31:04 <JIYE> pb: I agree, that is a good idea
12:32:18 <JIYE> pb: isn't it onboarding and offboarding kind of topic that we still need to discuss?
12:32:29 <JIYE> mm: yes, we need to dicuss about it
12:32:59 <JIYE> pb: maybe we discuss about it again when we are discussing onboarding offboarding topics
12:35:02 <JIYE> pb: as we didn't discuss onboarding offboarding process yet, ID can stay the same unless onboarding offboarding happens
12:39:01 <JIYE> topic: Specify how to treat ids in ThingModel
12:39:06 <JIYE> -> https://github.com/w3c/wot-thing-description/issues/1503
12:39:34 <kaz> i|Specify|-> https://github.com/w3c/wot-thing-description/issues/1497#issuecomment-1134623635 McCool's comments|
12:41:16 <JIYE> pb: I would have serious security concerns if it goes as written on the comments of others
12:41:43 <JIYE> mm: id shouldn't define relationships
12:44:40 <JIYE> mm: it can be directly related to privacy issues, so let's don't do this
12:47:46 <JIYE> pb: general question, is it nessary to have an id in the thing model?
12:47:55 <JIYE> mm: id and id of the thing can be confused. id of the thing model is id of the abstraction.
12:48:30 <JIYE> pb: wouldn't it make more sense to have some mechanism by having some hashing value as an id or something?
12:48:40 <JIYE> mm: UUIDv4 is using a random value
12:49:32 <JIYE> topic: Security Bootstrapping #313
12:49:42 <JIYE> -> https://github.com/w3c/wot-discovery/pull/313
12:50:48 <kaz> i|Security Boo|-> https://github.com/w3c/wot-thing-description/issues/1503#issuecomment-1134635114 McCool's comments|
12:51:22 <JIYE> mm: this problem is addressing : we have introduction mechanism which is url indicating TD. The thing is you don't know what the security scheme is when you don't know TD yet. so you have a bootstrapping problem. so at this point, we just use HTTP bootstrapping mechanism.
12:51:27 <kaz> s/313/313 wot-discovery PR 313 - Security Bootstrapping|
12:52:08 <JIYE> ...: had a look the available schemes
12:52:45 <kaz> s/...:/.../
12:53:01 <kaz> s/look/look at/
12:57:01 <JIYE> mm: farshidtz suggested associating security definitions with links but I want to avoid complications
12:59:01 <JIYE> pb: to have our own security mechanism, having links is out of scope of our work
12:59:52 <JIYE> mm: I will discuss about it in the discovery call, if anybody wants to comment on this, feel free to do that
13:00:57 <kaz> s/about it/it/
13:01:01 <kaz> [adjourned]
13:01:08 <kaz> rrsagent, draft minutes
13:01:08 <RRSAgent> I have made the request to generate https://www.w3.org/2022/05/23-wot-sec-minutes.html kaz
13:58:18 <kaz> i/May-16/scribenick: kaz/
13:58:29 <kaz> i/TLS clean/scribenick: JIYE/
13:58:31 <kaz> rrsagent, draft minutes
13:58:31 <RRSAgent> I have made the request to generate https://www.w3.org/2022/05/23-wot-sec-minutes.html kaz
14:25:54 <Zakim> Zakim has left #wot-sec
16:00:34 <JKRhb> JKRhb has joined #wot-sec