11:58:38 RRSAgent has joined #wot-sec
11:58:38 logging to https://www.w3.org/2022/06/27-wot-sec-irc
11:58:45 meeting: WoT Security
11:59:11 present+ Kaz_Ashimura, Michael_McCool
12:00:48 McCool has joined #wot-sec
12:02:33 jiye has joined #wot-sec
12:03:49 Mizushima has joined #wot-sec
12:03:54 present+ Jiye_Park
12:06:21 present+ Tomoaki_Mizushima
12:06:47 scribenick: kaz
12:07:00 topic: Minutes
12:07:10 -> https://www.w3.org/2022/06/20-wot-sec-minutes.html June-20
12:08:31 approved
12:09:09 topic: PRs
12:09:14 subtopic: TD PR 1544
12:09:38 -> https://github.com/w3c/wot-thing-description/pull/1544 wot-thing-description PR 1544 - Add RFC9200 reference
12:10:07 mm: RFC 9200 is "publication in process"
12:10:17 (the PR itself has been already merged)
12:10:28 subtopic: TD PR 1543
12:11:01 -> https://github.com/w3c/wot-thing-description/pull/1543 wot-thing-description PR 1543 - Revise statements about auto SecurityScheme
12:11:15 mm: (shows the diff)
12:11:50 -> https://pr-preview.s3.amazonaws.com/w3c/wot-thing-description/1543/1d10392...mmccool:4d90753.html#sec-security-vocabulary-definition diff - 5.3.3 Security Vocabulary Definitions
12:12:26 mm: decided to put informative text on "auto"
12:12:31 ... probably fine
12:12:42 [[
12:12:43 auto:
12:12:43 The location is determined as part of the protocol, or negotiated. If a value of auto is set for the in field of a SecurityScheme, then the name field SHOULD NOT be set. In this case, the application of the SecurityScheme is subject to the respective specification for the given protocol (e.g. [RFC8288] when using the BasicSecurityScheme with HTTP).
12:12:45 ]]
12:13:12 mm: and then some statement around "5.3.3.3 AutoSecurityScheme"
12:14:10 s/topic: PRs/topic: Recently merged PRs for TD/
12:14:15 subtopic: TD PR 1542
12:14:42 -> https://github.com/w3c/wot-thing-description/pull/1542 wot-thing-description PR 1542 - Discuss Secure Transport in Security Schemes
12:14:50 jp: what about nosec security?
12:15:11 mm: yeah, some scheme doesn't require security
12:15:35 jp: that's why I added a sentence
12:16:02 ... nosec is clear that we don't use TLS
12:16:29 mm: wondering what kind of simple sentence to be added to the other schemes
12:16:42 -> https://pr-preview.s3.amazonaws.com/w3c/wot-thing-description/1542/daaf302...mmccool:2673f53.html#basicsecurityscheme diff - 5.3.3.5 BasicSecurityScheme
12:17:12 jp: we could leave it as is
12:17:20 ... and add another text for clarification
12:17:36 mm: let me add a comment about that
12:17:43 ... will create an issue for that
12:18:34 -> https://github.com/w3c/wot-thing-description/issues/1554 new issue for wot-thing-description @@@
12:18:56 s/@@@/Further Improve Discussion of Secure Transport in Security Schemes
12:19:03 rrsagent, make log public
12:19:07 rrsagent, draft minutes
12:19:07 I have made the request to generate https://www.w3.org/2022/06/27-wot-sec-minutes.html kaz
12:21:32 https://github.com/w3c/wot-thing-description/issues/1554
12:21:56 topic: Pending updates
12:22:14 subtopic: Architecture PR 783
12:22:36 -> https://github.com/w3c/wot-architecture/pull/783 wot-architecture PR 783 - Specify TLS and DTLS versions
12:22:45 mm: added these assertions on security
12:22:55 -> https://github.com/w3c/wot-architecture/pull/783/files Files changed
12:24:14 jp: don't see any problems
12:24:31 (merged)
12:24:42 s/merged/will be merged/
12:24:44 https://github.com/w3c/wot-architecture/pull/781
12:24:57 s/781/subtopic: Architecture PR 781/
12:25:02 s/https/-> https/
12:25:29 s/781/781 wot-architecture PR 781 - Define Trusted Environment
12:25:43 mm: added some definition
12:26:00 .. for "Trusted Environment"
12:26:28 s/.. f/... f/
12:26:38 ... "isolated network" might be a bit too strong here, though
12:26:50 ... could say "protected network"
12:27:50 kaz: not a completely separate network from the Internet but a network connected to the Internet which is protected. right?
12:27:52 mm: right
12:29:09 (fixed the expression)
12:29:25 topic: Privacy wide review
12:29:49 subtopic: TD Issue 1497
12:30:10 -> https://github.com/w3c/wot-thing-description/issues/1497 wot-thing-description Issue 1497 - Identifiers don't seem to rotate enough
12:30:36 mm: had a proposal and discussed it
12:30:44 ... then made 2 PRs
12:31:48 -> https://github.com/w3c/wot-thing-description/pull/1547 wot-thing-description PR 1547 - Improve Privacy Assertions
12:31:59 mm: TD PR 1547 has been merged
12:32:59 ... technically could rotate IDs more frequently
12:33:17 ... added text saying:
12:33:37 [[
12:33:38 Ideally, any required immutable identifiers SHOULD only be
12:33:38 made available via affordances, such as a property, whose value can
12:33:38 only be obtained after appropriate authentication and
12:33:38 authorization, and managed separately from the TD identifier.
12:33:39 If it is necessary to use an immutable identifier as the TD identifier,
12:33:40 extra attention should be paid to secure
12:33:42 ]]
12:33:51 mm: then removed redundant text
12:33:57 jy: ok with the changes
12:34:02 ... much clearer now
12:34:19 mm: more rotation of IDs and mutable IDs
12:34:34 s/mutable/immutable/
12:35:49 (already merged 5 days ago, and that's fine)
12:36:14 -> https://github.com/w3c/wot-discovery/pull/353 wot-discovery PR 353 - Update Privacy Considerations
12:36:36 mm: statement around GDPR
12:37:12 q+ about TLS version (PR #753)
12:37:12 [[
12:37:14 In general, "profiling" includes any mechanism used to evaluate
12:37:14 information about a person, including economic status, health,
12:37:14 preferences, interests, reliability, and behavior.
12:37:15 ]]
12:37:41 ]]
12:37:45 s/]]/[[/
12:37:47 To avoid location tracking and other forms of profiling,
12:37:47 a WoT Thing associated with a person MAY
12:37:48 ]]
12:38:08 mm: about generating new IDs
12:38:13 ... then
12:38:30 [[
12:38:32 It is also prudent to generate new identifiers upon major changes in configuration,
12:38:34 such as unregistering from a local network or hub and registering with a new one (which typically indicates
12:38:37 a change in ownership).
12:38:39 ]]
12:38:41 and
12:38:43 [[
12:38:57 Finally, there is a problem with devices that require immutable identifiers,
12:38:59 e.g. medical devices in such jurisdictions.
12:39:01 This is discussed in [[wot-thing-description11]], but in summary the
12:39:03 problem can be avoided if such immutable identifiers are made available
12:39:05 only as protected properties, e.g. via affordances requiring authentication,
12:39:07 not in the TD, and the TD identifier itself (if used) is
12:39:09 independent of the immutable identifier, and so can be made mutable.
12:39:11 ]]
12:39:13 mm: a bit redundant but should be OK
12:39:34 ... (shows diff as well)
12:40:01 -> https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/353/15cfbf8...mmccool:7242e52.html#privacy-consideration-location-tracking diff - 9.1 Location Tracking and Profiling
12:40:16 jy: good idea to add text around GDPR
12:40:31 mm: hopefully could merge this during the Discovery call today
12:40:33 q?
12:40:38 q+
12:40:54 ack m
12:40:59 topic: AOB
12:41:16 mizu: question about Architecture PR 783
12:41:29 ... wondering about the versions of TLS
12:41:36 ... SHOULD use TLS 1.3
12:41:42 ... May use TLS 1.2
12:41:56 ... seems not really consistent
12:41:59 s/May/MAY/
12:42:04 mm: yeah
12:42:13 ... generally a bad idea...
12:42:40 ... but not enough just say "use TLS"
12:42:48 ... and we need to specify the versons
12:42:52 s/versons/versions/
12:42:54 q?
12:42:56 q+
12:43:31 kaz: so using TLS 1.3 would be better
12:43:48 ... but if it's not possible, we should use TLS 1.2
12:43:56 ... is that our basic stance?
12:43:59 mm: yeah
12:44:40 ... if TLS 1.3 cannot be used for compatibility reasons TLS 1.2 MAY be used
12:44:53 q?
12:45:07 ack k
12:45:28 kaz: so the comments on the PR 783 are not clear
12:45:38 https://github.com/w3c/wot-architecture/pull/783
12:45:44 ... but the proposed text for the spec itself is clear enough, I think
12:45:47 mm: yeah
12:45:54 ... anyway the PR 783 itself is still open
12:46:05 ... so we can add further clarification if needed
12:46:23 s/AOB/Architecture PR 783 (revisited)/
12:47:03 mizu: TLS 1.1 is also still used by some of the applications
12:47:34 mm: the question is that some of the existing devices might use TLS 1.1
12:47:46 ... but don't think it's secure enough
12:47:55 q?
12:47:56 q+
12:48:53 kaz: in that case, the question here is whether we want to allow people to use TLS 1.1 or not
12:49:15 ... if yes, we should mention "1.1 MAY be used" too
12:49:38 ... or if not, we should clarify 1.1 should be avoided
12:50:07 mm: (adds comments about that point to PR 783)
12:50:39 Kaz/Mizu: tx
12:51:32 -> https://github.com/w3c/wot-architecture/pull/783#issuecomment-1167313426 McCool's comments
12:51:47 topic: Wide review status
12:52:02 mm: (sees the latest status)
12:52:15 ... nothing new...
12:52:44 ... once those PRs are merged, we can close the wide reviews
12:52:49 [adjourned]
12:52:52 rrsagent, make log public
12:52:56 rrsagent, draft minutes
12:52:56 I have made the request to generate https://www.w3.org/2022/06/27-wot-sec-minutes.html kaz
14:32:29 Mizushima has left #wot-sec
15:05:09 Zakim has left #wot-sec