12:08:49 <RRSAgent> RRSAgent has joined #wot-sec
12:08:49 <RRSAgent> logging to https://www.w3.org/2022/08/08-wot-sec-irc
12:09:23 <zkis> zkis has joined #wot-sec
12:09:23 <kaz> meeting: WoT Security
12:09:42 <kaz> present+ Kaz_Ashimura, Michael_McCool, Jan_Romann
12:10:45 <JKRhb> JKRhb has joined #wot-sec
12:11:25 <JKRhb> scribenick: JKRhb
12:11:27 <McCool> McCool has joined #wot-sec
12:11:48 <kaz> chair: McCool
12:11:52 <JKRhb> topic: Minutes Review
12:12:01 <kaz> present+ Kaz_Ashimura, Michael_McCool, Jan_Romann, Tomoaki_Mizushima
12:12:08 <kaz> scribnick: JKRhb
12:13:09 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#8_August_2022
12:15:00 <JKRhb> mm: There is a formatting issue regarding long lines, could you fix this, kaz?
12:15:07 <JKRhb> kaz: Will insert newlines
12:15:17 <JKRhb> mm: Any objections to approving the minutes?
12:15:30 <JKRhb> No objections, minutes are approved
12:16:13 <JKRhb> Topic: Issues
12:16:28 <JKRhb> subtopic: Discovery Issue #254
12:16:38 <JKRhb> mm: I think we have finished reviewing things here
12:16:42 <JKRhb> ... any objections to closing?
12:17:15 <kaz> present+ Jiye_Park
12:17:39 <kaz> i|There is a|-> https://www.w3.org/2022/08/01-wot-sec-minutes.html Aug-1|
12:17:40 <JKRhb> No objections to closing, issue is closed
12:18:45 <JKRhb> topic: TAG review
12:19:03 <JKRhb> s/TAG review/TAG Review/
12:19:27 <JKRhb> mm: I answered the TAG review in a comment
12:19:39 <JKRhb> ... we took care of discovery and TD
12:19:51 <JKRhb> ... we now need to take care of Architecture
12:20:10 <JKRhb> ... Michael Lagally created a number of issues, which also overlap with security
12:20:49 <JKRhb> ... his issues span the entire document, however, while our interest focuses on security and privacy
12:21:08 <JKRhb> ... we will therefore create additional issues that solely focus on security and privacy
12:23:13 <JKRhb> ... (adds issue addressing policy-like security and privacy assertions)
12:26:12 <JKRhb> mm: In section 10.1.1 there is some redundancy in the assertions, one of which could be removed
12:26:39 <JKRhb> ... regarding testing, these are more like requirements than policies
12:26:54 <JKRhb> ... any objections to that?
12:27:16 <JKRhb> s/to that/to removing the redundant assertions/
12:27:28 <JKRhb> There are none
12:27:42 <kaz> rrsagent, make log public
12:27:46 <kaz> rrsagent, draft minutes
12:27:46 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/08-wot-sec-minutes.html kaz
12:28:35 <kaz> s/scribnick:/scribenick:/
12:28:37 <kaz> rrsagent, draft minutes
12:28:37 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/08-wot-sec-minutes.html kaz
12:28:43 <JKRhb> mm: The one that is removed is the last assertion from the paragraph, as it does not mention extensions
12:29:48 <kaz> i|I think we have finished|-> https://github.com/w3c/wot-discovery/issues/254 wot-discovery issue 254 - Review Security and Privacy Considerations|
12:29:51 <JKRhb> mm: (adds more notes to the issue)
12:31:57 <JKRhb> ... what I am worried about are untestable assertions. Is it okay to leave requirements as assertions, Kaz?
12:32:42 <JKRhb> kaz: I think so. We could also describe them in a note, not containing MUST assertions
12:33:26 <JKRhb> mm: I think we should decide whether to keep this kind of assertions
12:33:55 <JKRhb> ... question if assertion is testable at the time of implementing a Thing
12:34:29 <JKRhb> ... let's keep track of them for now and see if we need to adjust them later on
12:35:50 <kaz> -> https://www.w3.org/TR/WCAG21/ Web Content Accessibility Guidelines (WCAG) 2.1
12:36:24 <JKRhb> kaz: Another point: documents like the a11y guidelines could also be referred to
12:37:15 <JKRhb> ... the easiest way might be to cite the Thing Description implementation report for these assertions
12:39:22 <JKRhb> mm: Regarding testing, I think the first three assertions in this section are verifiable
12:39:27 <kaz> i|I answered the|-> https://github.com/w3ctag/design-reviews/issues/733 TAG design-reviews issue 733 - Web of Things (WoT) Discovery|
12:39:40 <JKRhb> ... the first one could be changed from a SHOULD to a MUST, though
12:39:58 <kaz> i|I answered the|-> https://github.com/w3ctag/design-reviews/issues/715 TAG design-reviews issue 715 - Web of Things (WoT) Thing Description 1.1: TAG and Security Review|
12:40:21 <kaz> i|I answered the|-> https://github.com/w3ctag/design-reviews/issues/736 TAG design-reviews issue 736 - Web of Things (WoT) Architecture 1.1|
12:40:36 <kaz> rrsagent, draft minutes
12:40:36 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/08-wot-sec-minutes.html kaz
12:40:42 <JKRhb> ... binding templates assertions in section 10.1.2 are a bit strange, as they are referring to informative documents in normative statements
12:41:05 <JKRhb> ... this is a general problem
12:43:16 <JKRhb> ... these should be verifiable and covered by tests
12:45:12 <JKRhb> mm: assertions in section 10.2.1 are difficult as they formulate requirements for WoT runtimes not specific to the Scripting API
12:45:53 <JKRhb> ... an issue with this assertion is that Node.js does not run in a sandbox, so this requirement is not satisfied yet
12:47:23 <JKRhb> ... you could run everything inside a sandbox, so nothing could get out
12:47:35 <kaz> rrsagent, draft minutes
12:47:35 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/08-wot-sec-minutes.html kaz
12:48:06 <JKRhb> ... easiest solution would be to turn the assertions into informative statements regarding policy
12:48:21 <kaz> i|in section 10|-> https://w3c.github.io/wot-architecture/#sec-security-considerations WoT Architecture 1.1 - 10. Security Considerations
12:48:29 <JKRhb> ... there are several of these kind of statements
12:48:39 <JKRhb> s/these kind/this kind/
12:48:48 <JKRhb> rrsagent, draft minutes
12:48:48 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/08-wot-sec-minutes.html JKRhb
12:50:06 <kaz> i|in section 10|-> https://w3c.github.io/wot-architecture/testing/report11.html WoT Architecture 1.1 Implementation Report|
12:53:16 <JKRhb> mm: I could deploy the runtime inside a Docker container to satisfy the assertion. So it is rather a deployment issue. An implementation in WASM could be done to achieve sandboxing, but not isolation
12:54:44 <JKRhb> mm: There are more assertions which I would review offline so that we can discuss them next week
12:55:14 <JKRhb> ... we need at least one more meeting to get through this
12:55:31 <JKRhb> ... I will update the issue with additional points as I review the assertions
12:57:23 <JKRhb> jp: Next week will be a holiday in (some parts of) Germany
12:57:35 <JKRhb> mm: We will cancel our next meeting then
12:57:48 <JKRhb> ... next one will be on August 22
12:59:45 <JKRhb> [adjourned]
13:02:07 <kaz> rrsagent, draft minutes
13:02:07 <RRSAgent> I have made the request to generate https://www.w3.org/2022/08/08-wot-sec-minutes.html kaz
14:34:09 <Zakim> Zakim has left #wot-sec
14:44:15 <zkis> zkis has joined #wot-sec
16:17:55 <kaz> kaz has joined #wot-sec
17:45:54 <kaz> kaz has joined #wot-sec
18:50:18 <kaz> kaz has joined #wot-sec
19:16:56 <zkis> zkis has joined #wot-sec