W3C

– DRAFT –
WoT Security

23 May 2022

Attendees

Present
Jan_Roann, Jiye_Park, Kaz_Ashimura, Michael_McCool, Philipp_Blum, Tomoakai_Mizushima
Regrets
-
Chair
McCool
Scribe
JIYE, kaz

Meeting minutes

Minutes

May-16

approved

TLS cleanup

wot-architecture Issue 753 - Clean up new TLS S&P Considerations

McCool: no PR yet, the problem is that when we discussed about TLS 1.3, browsers didn't support TLS 1.3 yet

<citrullin> https://caniuse.com/tls1-3

<kaz> pb: (provides link for "Can I use...")

Jiye: Nowdays major browsers support TLS 1.3

<JKRhb> https://datatracker.ietf.org/doc/html/rfc9147

Jan: there is DTLS 1.3 RFC, it is official

Jiye: is there any implementation?

Jan: DTLS 1.3 implementation is not supported by Openssl

<kaz> McCool's comments

IDs

<kaz> 1497 wot-thing-description Issue 1497 - Identifiers don't seem to rotate enough

https://github.com/w3c/wot-thing-description/issues/1497

McCool: word 'tracking' causes confusion as it can interpreted two meanings.
… : any thoughts about definition of 'tracking'?
… : two meaning can be : determining location and observing behavior. Anything missing here?
… : we can make assertion that for onboarding and offboarding, new ID is required

Philipp: I agree, that is a good idea

Philipp: isn't it onboarding and offboarding kind of topic that we still need to discuss?

McCool: yes, we need to dicuss about it

Philipp: maybe we discuss about it again when we are discussing onboarding offboarding topics

Philipp: as we didn't discuss onboarding offboarding process yet, ID can stay the same unless onboarding offboarding happens

<kaz> McCool's comments

Specify how to treat ids in ThingModel

https://github.com/w3c/wot-thing-description/issues/1503

Philipp: I would have serious security concerns if it goes as written on the comments of others

McCool: id shouldn't define relationships

McCool: it can be directly related to privacy issues, so let's not do this

Philipp: general question, is it nessary to have an id in the thing model?

McCool: id and id of the thing can be confused. id of the thing model is id of the abstraction.

Philipp: wouldn't it make more sense to have some mechanism by having some hashing value as an id or something?

McCool: UUIDv4 is using a random value

<kaz> McCool's comments

Security Bootstrapping #313

wot-discovery PR 313 - Security Bootstrapping

McCool: this problem is addressing : we have introduction mechanism which is url indicating TD. The thing is you don't know what the security scheme is when you don't know TD yet. so you have a bootstrapping problem. so at this point, we just use HTTP bootstrapping mechanism.
… had a look at the available schemes

McCool: farshidtz suggested associating security definitions with links but I want to avoid complications

Philipp: to have our own security mechanism, having links is out of scope of our work

McCool: I will discuss it in the discovery call, if anybody wants to comment on this, feel free to do that

<kaz> [adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 185 (Thu Dec 2 18:51:55 2021 UTC).