Meeting minutes
review minutes
<kaz> June-13
McCool: Any changes to the minutes? No changes. Any objections publishing? No objections.
TLS assertions
wot-discovery Issue 335: Fix TLS Assertions
<kaz> wot-discovery PR 336 - Fix TLS assertions for TD Server
McCool: This PR got already merged. I took out the assertions. Replaced it with a paragraph.
PING review
Temporary vs. permanent IDs
wot-thing-description Issue 1497 - Identifiers don't seem to rotate enough
McCool: The problem here is that there are systems that rely on permanent IDs.
McCool: A simple solution is to have anonymous TDs.
wot-discovery Issue 303 - Personal devices and public/private TDDs
McCool: Ben also had issues with rotating IDs.
<kaz> s|https://
McCool: There is some discussion in the ticket about it. Including tracking and onboarding. Onboarding would require, from my point of view, a whole another spec.
McCool: A way around it would be to make permanent IDs only available via a property. So they must be protected. So the TD id is always mutable.
<kaz> Personal devices SHOULD only register to public TDDs anonymously, omitting the "id" member, to make fingerprinting and tracking an individual across public TDDs more difficult.
Philipp: Would it also make sense to have the DID also in this property then? Instead in the ID part?
McCool: DID are not required, they are an option. And maybe have to go back to the DID group how they go about this.
Kaz: We should meet with the DID wg during the TPAC. BTW, as you know, the good point of DID approach is separation of the identifier itself and PII. Anyway, that collaboration should be considered for the WoT 2.0 version, though.
McCool: Solving all of these issues is more part of the WoT TD 2.0.
McCool: The proposal is for solving the issue right now without changing too much.
Kaz: I agree. Having this for now and thinking about the other for 2.0.
Philipp: I am more toward strong privacy by default.
McCool: With should not we avoid potential conflicts with local laws that require to make it permanent.
<jiye> https://
McCool: There are some conflicts about the definition of tracking of user.
Philipp: I find the definition in GDPR regarding personal data, tracking, profiling etc. very interesting.
McCool: It might be useful to point towards that definiton.
McCool: I am going to execute that and can fix both issues.
testing
<kaz> Thing Description 1.1 draft Implementation Report
McCool: Did some work on getting the implementation reports cleaned up.
McCool: We added a ton of new assertions for privacy and security. They are all manual and people have problems dealing with this. I am not sure how to deal with them in a comprehensive way.
McCool: We should go through them and find a way how to test them.
McCool: For example the HTML markup. We could check the HTML markup in strings for example. That's possible to automate.
<kaz> (sec-ini-sanitize)
auto security scheme
<McCool> wot-thing-description PR 1543 - Revise statements about auto SecurityScheme
McCool: In the original you had a paragraph that says: when you use auto, you can't use name. name doesn't exist in auto. I took out that assertion.
Jan: This is reasonable to do. It's good that you bring this up. My original issue are fixed by the RFC.
McCool: I should put the assertion back. It's used in the in field.
Jan: It was kind of a workaround.
McCool: Maybe we can get rid of the second assertion.
Some discussion between mm and jr where and how to structure it.
Jiye: I think that setence should go back.
McCool: I have a problem with the MUST and would like to make it a SHOULD. In order to not create unnecessary conflicts.
<McCool> https://
<kaz> [adjourned]