12:07:49 RRSAgent has joined #wot-sec
12:07:49 logging to https://www.w3.org/2022/08/01-wot-sec-irc
12:08:07 meeting: WoT Security
12:08:24 present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
12:10:00 McCool has joined #wot-sec
12:10:47 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#1_August_2022
12:10:50 topic: Minutes
12:11:09 -> https://www.w3.org/2022/07/18-wot-sec-minutes.html July-18
12:12:45 approved
12:12:49 topic: Issues
12:13:06 subtopic: Issue 1497
12:13:21 -> https://github.com/w3c/wot-thing-description/issues/1497 Issue 1497 - Identifiers don't seem to rotate enough
12:13:30 mm: still need confirmation to close this
12:14:20 ... (adds a label "Propose closing")
12:15:58 s/subtopic: Issue 1497/subtopic: TD Issue 1497/
12:16:14 s/1497 Issue/1497 TD Issue/
12:16:57 ... can be closed in the Aug 3 TD call
12:17:42 -> https://github.com/w3c/wot-thing-description/issues/1497#issuecomment-1201124372 McCool's comments
12:18:01 subtopic: Discovery Issue 303
12:18:15 -> https://github.com/w3c/wot-discovery/issues/303 Discovery Issue 303 - Personal devices and public/private TDDs
12:18:51 zakim, who is on the call?
12:18:51 Present: Kaz_Ashimura, Michael_McCool, Jiye_Park
12:18:58 present+ Tomoaki_Mizushima
12:22:16 present+ Jan_Romann
12:22:39 mm: already closed
12:22:45 ... (adds some more comments)
12:22:51 -> https://github.com/w3c/wot-discovery/issues/303#issuecomment-1201130296 McCool's comments
12:22:51 JKRhb has joined #wot-sec
12:22:59 topic: Wide reviews
12:23:28 subtopic: TAG review
12:24:02 -> https://github.com/w3ctag/design-reviews/issues/736 design reviews issue 736 - Web of Things (WoT) Architecture 1.1
12:24:05 q+
12:25:18 kaz: I was suggesting we have a joint meeting with TAG
12:25:33 ... probably we don't need to wait until TPAC but have that meeting this month
12:25:47 mm: good idea
12:25:56 ... have you or Sebastian contacted them?
12:26:02 kaz: no, not from me
12:26:12 mm: agree, the sooner, the better
12:26:23 ... but we still need to fix our own action items too
12:27:11 -> https://github.com/w3c/wot-thing-description/issues/1635 TD Issue 1635 - Adjust Policy-Like Assertions
12:27:39 -> https://github.com/w3c/wot-security/issues/208 Security Issue 208 - Remove References to "Security Best Practices"
12:28:06 -> https://github.com/w3c/wot-security/issues/209 Security Issue 209 - Update "Security and Privacy Guidelines" prior to PR of other deliverables
12:28:37 mm: still need to work on policy-like assertions for TD
12:28:51 ... also for Discovery and Architecture as well
12:29:00 s/TD/TD (Issue 1635 above)
12:29:05 rrsagent, make log public
12:29:11 rrsagent, draft minutes
12:29:11 I have made the request to generate https://www.w3.org/2022/08/01-wot-sec-minutes.html kaz
12:30:50 subtopic: TD assertions
12:32:41 -> https://w3c.github.io/wot-thing-description/#privacy-mutable-id-ownership privacy-mutable-id-ownership
12:32:57 mm: (skims the assertions)
12:33:14 jp: it's more deployment information
12:33:52 ... could have clearer description, once onboarding/offloading is clearly specified
12:33:56 mm: right
12:34:04 ... in that case, what can we do now?
12:34:18 jy: we can remove the assertion itself. maybe?
12:34:39 mm: opt1. deleting the assertion
12:34:44 ... opt2. refine the text
12:35:08 ... opt3. clarify it's a policy
12:37:30 ... think opt 2 would be the best
12:37:54 s/2/3/
12:38:02 ... and the question is how to describe that
12:41:23 ... (adds some comments about possible rewording)
12:46:05 -> https://w3c.github.io/wot-thing-description/#privacy-td-pii privacy-td-pii
12:46:19 mm: need rewording
12:46:57 jr: making the capital SHOULD lower case?
12:47:48 mm: (generates a proposed text)
12:49:02 ... "As a matter of policy, it is suggested that Thing Descriptions associated with a personal device be treated as if they contained personally identifiable information, even if this information is not explicit"
12:49:12 jr: sounds good
12:49:18 jp: fine
12:50:22 -> https://w3c.github.io/wot-thing-description/#sec-inj-sanitize sec-inj-sanitize
12:50:39 rrsagent, make log public
12:50:42 rrsagent, draft minutes
12:50:42 I have made the request to generate https://www.w3.org/2022/08/01-wot-sec-minutes.html kaz
12:51:06 mm: similar rewording here as well
12:52:26 ... "As a matter of policy, it is suggested that strings sourced from TDs either be sanitized using a carefully vetted HTML sanitizer that disables any markup or be inserted into an HTML template using DOM node manipulation APIs that will escape any markup."
12:52:42 -> https://w3c.github.io/wot-thing-description/#security-update-contexts secuirty-update-contexts
12:52:54 s/secuirty/security/
12:53:18 mm: two assertions here
12:53:57 [[
12:53:58 Constrained implementations SHOULD use statically managed and vetted versions of their supported context extensions. Constrained implementations SHOULD NOT follow links to remote contexts.
12:53:58 ]]
12:54:38 mm: then
12:54:38 [[
12:54:40 Supported context extensions on constrained implementations MAY be managed through secure software update mechanisms.
12:54:43 ]]
12:55:05 mm: we could just delete it or make it a feature-at-risk
12:55:44 q+
12:55:53 jp: opt 1 is fine for this
12:57:03 kaz: just to make sure, the first two assertions within one sentence remain
12:57:16 ... while the last one "Supported..." to be removed
12:57:18 ... right?
12:57:22 mm: right
12:58:18 ... suggest option 1 (delete it) for security-update-contexts (Supported context extensions...)
12:59:22 ... but fold the idea of "secure" updates into an earlier assertion: "Constrained implementations..."
13:00:22 => "Constrained implementations SHOULD use vetted versions of their supported context extensions managed statically or as part of a secure update process."
13:00:28 mm: what do you think?
13:01:37 (no objections)
13:02:42 mm: will generate a PR for that in time for the TD call on Aug 3
13:02:44 [adjourned]
13:02:56 rrsagent, draft minutes
13:02:56 I have made the request to generate https://www.w3.org/2022/08/01-wot-sec-minutes.html kaz
14:01:39 kaz has joined #wot-sec
14:25:34 zkis has joined #wot-sec
15:08:43 Zakim has left #wot-sec