11:59:53 <RRSAgent> RRSAgent has joined #wot-sec
11:59:53 <RRSAgent> logging to https://www.w3.org/2022/06/20-wot-sec-irc
11:59:54 <citrullin> citrullin has joined #wot-sec
12:00:01 <kaz> meeting: WoT Security
12:00:55 <kaz> present+ Kaz_Ashimra, Michael_McCool, Philipp_Blum
12:01:34 <McCool> McCool has joined #wot-sec
12:01:59 <jiye> jiye has joined #wot-sec
12:02:26 <kaz> present+ Jan_Romann, Jiye_Park
12:02:44 <JKRhb> JKRhb has joined #wot-sec
12:03:10 <Mizushima> Mizushima has joined #wot-sec
12:03:37 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#20_June_2022
12:05:33 <citrullin> scribenick: citrullin
12:05:42 <citrullin> topic: review minutes
12:06:06 <kaz> -> https://www.w3.org/2022/06/13-wot-sec-minutes.html June-13
12:06:23 <kaz> present+ Tomoaki_Mizushima
12:06:46 <citrullin> mm: Any changes to the minutes? No changes. Any objections publishing? No objections.
12:07:44 <citrullin> topic: TLS assertions
12:08:02 <citrullin> Issue 335: Fix TLS Assertions->https://github.com/w3c/wot-discovery/issues/335
12:08:30 <citrullin> mm: This PR got already merged. I took out the assertions. Replaced it with a paragraph.
12:08:45 <kaz> rrsagent, make log public
12:08:50 <kaz> rrsagent, draft minutes
12:08:50 <RRSAgent> I have made the request to generate https://www.w3.org/2022/06/20-wot-sec-minutes.html kaz
12:10:48 <citrullin> topic: PING review
12:11:00 <kaz> i|This PR|-> https://github.com/w3c/wot-discovery/pull/336 wot-discovery PR 336 - Fix TLS assertions for TD Server|
12:11:23 <kaz> i/Issue 335/wot-discovery Issue 335/
12:11:25 <kaz> rrsagent, draft minutes
12:11:25 <RRSAgent> I have made the request to generate https://www.w3.org/2022/06/20-wot-sec-minutes.html kaz
12:12:09 <citrullin> subtopic: Temporary vs. permanent IDs
12:12:15 <kaz> s/wot-discovery Issue 335//
12:12:25 <kaz> s/Issue 335/wot-discovery Issue 335/
12:12:27 <kaz> rrsagent, draft minutes
12:12:27 <RRSAgent> I have made the request to generate https://www.w3.org/2022/06/20-wot-sec-minutes.html kaz
12:12:29 <citrullin> Identifiers don't seem to rotate enough ->https://github.com/w3c/wot-thing-description/issues/1497
12:13:13 <citrullin> mm: The problem here is that there are systems that rely on permanent IDs.
12:13:39 <citrullin> mm: A simple solution is to have anonymous TDs.
12:14:02 <citrullin> https://github.com/w3c/wot-discovery/issues/303->https://github.com/w3c/wot-discovery/issues/303
12:14:12 <citrullin> mm: Ben also had issues with rotating IDs.
12:14:13 <kaz> rrsagent, draft minutes
12:14:13 <RRSAgent> I have made the request to generate https://www.w3.org/2022/06/20-wot-sec-minutes.html kaz
12:14:59 <kaz> s|https://github.com/w3c/wot-discovery/issues/303->wot-discovery Issue 303 - Personal devices and public/private TDDs|
12:15:16 <citrullin> mm: There is some discussion in the ticket about it. Including tracking and onboarding. Onboarding would require, from my point of view, a whole another spec.
12:15:21 <kaz> rrsagent, draft minutes
12:15:21 <RRSAgent> I have made the request to generate https://www.w3.org/2022/06/20-wot-sec-minutes.html kaz
12:15:47 <kaz> s|https://github.com/w3c/wot-discovery/issues/303->|wot-discovery Issue 303 - Personal devices and public/private TDDs->|
12:16:18 <kaz> s/Identifiers don/wot-thing-description Issue 1497 - Identifiers don/
12:16:20 <kaz> rrsagent, draft minutes
12:16:20 <RRSAgent> I have made the request to generate https://www.w3.org/2022/06/20-wot-sec-minutes.html kaz
12:17:22 <citrullin> mm: A way around it would be to make permanent IDs only available via a property. So they must be protected. So the TD id is always mutable.
12:17:34 <citrullin> -> https://github.com/w3c/wot-discovery/issues/303#issuecomment-1153869121
12:20:33 <kaz> s/9121/9121 McCool's comments/
12:20:33 <kaz> [[
12:20:35 <kaz> Personal devices SHOULD only register to public TDDs anonymously, omitting the "id" member, to make fingerprinting and tracking an individual across public TDDs more difficult.
12:20:38 <kaz> ]]
12:21:25 <citrullin> pb: Would it also make sense to have the DID also in this property then? Instead in the ID part?
12:22:23 <kaz> q+
12:24:15 <citrullin> mm: DID are not required, they are an option. And maybe have to go back to the DID group how they go about this.
12:26:10 <citrullin> kaz: We should meet with the DID wg on the TPAC.
12:26:44 <citrullin> mm: Solving all of these issues is more part of the WoT TD 2.0.
12:27:27 <citrullin> mm: The proposal is for solving the issue right now without changing too much.
12:27:49 <kaz> s/on the/during the/
12:27:59 <citrullin> kaz: I agree. Having this for now and thinking about the other for 2.0.
12:28:44 <kaz> s/TPAC./TPAC. BTW, as you know, the good point of DID approach is separation of the identifier itself and PII. Anyway, that collaboration should be considered for the WoT 2.0 version, though./
12:33:06 <citrullin> pb: I am more toward strong privacy by default.
12:33:55 <citrullin> mm: With should not we avoid potential conflicts with local laws that require to make it permanent.
12:37:01 <jiye> https://gdpr-info.eu/art-4-gdpr/
12:37:20 <citrullin> mm: There are some conflicts about the definition of tracking of user.
12:37:42 <citrullin> pb: I find the definition in GDPR regarding personal data, tracking, profiling etc. very interesting.
12:38:57 <citrullin> mm: It might be useful to point towards that definiton.
12:39:15 <citrullin> mm: I am going to execute that and can fix both issues.
12:42:52 <citrullin> topic: testing
12:43:12 <citrullin> mm: Did some work on getting the implementation reports cleaned up.
12:45:27 <citrullin> mm: We added a ton of new assertions for privacy and security. They are all manual and people have problems dealing with this. I am not sure how to deal with them in a comprehensive way.
12:45:48 <citrullin> mm: We should go through them and find a way how to test them.
12:47:57 <citrullin> mm: For example the HTML markup. We could check the HTML markup in strings for example. That's possible to automate.
12:48:18 <kaz> (sec-ini-sanitize)
12:48:53 <citrullin> topic: auto security scheme
12:48:56 <McCool> https://github.com/w3c/wot-thing-description/pull/1543
12:49:28 <citrullin> s/https/->https/
12:50:36 <citrullin> mm: In the original you had a paragraph that says: when you use auto, you can't use name. name doesn't exist in auto. I took out that assertion.
12:50:53 <kaz> i|Did some work|-> https://w3c.github.io/wot-thing-description/testing/report11.html Thing Description 1.1 draft Implementation Report|
12:52:41 <kaz> s|1543|1543 wot-thing-description PR 1543 - Revise statements about auto SecurityScheme|
12:54:02 <citrullin> jr: This is reasonable to do. It's good that you bring this up. My original issue are fixed by the RFC.
12:54:45 <citrullin> mm: I should put the assertion back. It's used in the in field.
12:54:59 <citrullin> jr: It was kind of a workaround.
12:55:44 <citrullin> mm: Maybe we can get rid of the second assertion.
12:56:08 <citrullin> Some discussion between mm and jr where and how to structure it.
12:56:58 <citrullin> jp: I think that setence should go back.
12:57:46 <citrullin> mm: I have a problem with the MUST and make it a SHOULD. In order to not create unnecessary conflicts.
13:01:10 <citrullin> mm adds comment to #1543 ->https://github.com/w3c/wot-thing-description/pull/1543#issuecomment-1160419246
13:01:59 <McCool> https://github.com/w3c/wot-thing-description/pull/1542
13:02:33 <kaz> [adjourned]
13:02:37 <kaz> rrsagent, draft minutes
13:02:37 <RRSAgent> I have made the request to generate https://www.w3.org/2022/06/20-wot-sec-minutes.html kaz
14:33:00 <Zakim> Zakim has left #wot-sec
23:52:17 <kaz> kaz has joined #wot-sec