Meeting minutes
Minutes
approved
TLS cleanup
wot-architecture Issue 753 - Clean up new TLS S&P Considerations
McCool: no PR yet; the problem is that when we discussed TLS 1.3, browsers didn't support TLS 1.3 yet
<citrullin> https://
<kaz> pb: (provides link for "Can I use...")
Jiye: Nowadays major browsers support TLS 1.3
<JKRhb> https://
Jan: there is a DTLS 1.3 RFC, it is official
Jiye: is there any implementation?
Jan: DTLS 1.3 implementation is not supported by OpenSSL
<kaz> McCool's comments
IDs
<kaz> 1497 wot-thing-description Issue 1497 - Identifiers don't seem to rotate enough
https://
McCool: the word 'tracking' causes confusion as it can be interpreted with two meanings.
… : any thoughts about the definition of 'tracking'?
… : the two meanings can be: determining location and observing behavior. Anything missing here?
… : we can make an assertion that for onboarding and offboarding, a new ID is required
Philipp: I agree, that is a good idea
Philipp: isn't onboarding and offboarding the kind of topic that we still need to discuss?
McCool: yes, we need to discuss it
Philipp: maybe we discuss it again when we are discussing onboarding/offboarding topics
Philipp: as we didn't discuss the onboarding/offboarding process yet, the ID can stay the same unless onboarding/offboarding happens
<kaz> McCool's comments
Specify how to treat ids in ThingModel
https://
Philipp: I would have serious security concerns if it goes as written in the comments of others
McCool: id shouldn't define relationships
McCool: it can be directly related to privacy issues, so let's not do this
Philipp: general question, is it necessary to have an id in the thing model?
McCool: id and id of the thing can be confused. id of the thing model is id of the abstraction.
Philipp: wouldn't it make more sense to have some mechanism by having some hashing value as an id or something?
McCool: UUIDv4 is using a random value
<kaz> McCool's comments
Security Bootstrapping #313
wot-discovery PR 313 - Security Bootstrapping
McCool: the problem this is addressing: we have an introduction mechanism, which is a URL indicating the TD. The thing is, you don't know what the security scheme is when you don't know the TD yet, so you have a bootstrapping problem. So at this point, we just use the HTTP bootstrapping mechanism.
… had a look at the available schemes
McCool: farshidtz suggested associating security definitions with links but I want to avoid complications
Philipp: to have our own security mechanism, having links is out of scope of our work
McCool: I will discuss it in the discovery call; if anybody wants to comment on this, feel free to do that
<kaz> [adjourned]