12:02:14 <RRSAgent> RRSAgent has joined #wot-sec
12:02:14 <RRSAgent> logging to https://www.w3.org/2022/10/10-wot-sec-irc
12:02:33 <JKRhb> JKRhb has joined #wot-sec
12:02:49 <kaz> meeting: WoT Security
12:03:06 <kaz> present+ Kaz_Ashimura, Jan_Romann, Jiye_Park
12:03:14 <kaz> present+ Michael_McCool
12:03:30 <McCool> McCool has joined #wot-sec
12:03:43 <Jiye> Jiye has joined #wot-sec
12:03:47 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#10_October_September_2022
12:04:26 <JKRhb> scribenick: JKRhb
12:05:47 <JKRhb> topic: Previous Minutes
12:06:14 <JKRhb> mm: (goes over the last meeting's minutes)
12:06:34 <JKRhb> ... pretty short meeting, any concerns or changes?
12:06:58 <JKRhb> There are no objections, minutes are approved
12:07:10 <kaz> i|goes over|-> https://www.w3.org/2022/09/26-wot-sec-minutes.html Sep-26|
12:07:18 <Mizushima> Mizushima has joined #wot-sec
12:09:10 <JKRhb> topic: Issues
12:09:36 <JKRhb> s/Issues/Implementation Report Reviews/
12:10:03 <kaz> subtopic: Architecture
12:10:15 <kaz> -> https://cdn.statically.io/gh/w3c/wot-architecture/7856f8b0b8534211f03273c44ecec6bfdc8935d0/testing/report11.html rendered Implementation Report
12:10:36 <JKRhb> mm: There are still a number of issues that need to be resolved. A lot of assertions are not tested yet, especially regarding (D)TLS versions
12:11:08 <JKRhb> ... does anyone know of a test for the used TLS version?
12:11:48 <JKRhb> jp: You could use Wireshark. There is also a library for testing the TLS version
12:12:49 <JKRhb> mm: Wireshark is probably too complicated for most people to use, I was hoping for a script. A library version is probably easier. People could also tell us which version they are using.
12:13:09 <JKRhb> mm: We are currently not in a state to go to CR
12:13:33 <JKRhb> ... however, only half of people have responded yet
12:14:14 <JKRhb> ... I think we cannot expect certain test results since they require a more mature implementation that goes beyond a prototype
12:14:52 <JKRhb> ... I have also not seen any commercial implementations (which would have more mature security requirements)
12:15:09 <kaz> q+
12:15:13 <JKRhb> ... the question is whether we can get any implementations like these
12:15:55 <JKRhb> ... kaz, do you think Takenaka Corporation could provide such an implementation?
12:16:01 <JKRhb> kaz: I will talk to them
12:16:52 <JKRhb> mm: Jiye, do you think Siemens can also provide an implementation? Can you talk to Sebastian?
12:17:09 <JKRhb> jp: Need more information what is required
12:18:28 <kaz> q+
12:18:50 <JKRhb> mm: We have at least three commercial implementations with no inputs yet (CGLL by Takenaka, Netzo, Desigo by Siemens)
12:19:08 <JKRhb> ... especially needed for Architecture
12:20:15 <kaz> i/We have at least/kaz: my question is also which assertions from which specifications do we need their responses./
12:23:19 <JKRhb> ... (gives an example for providing test results via a CSV file)
12:24:08 <JKRhb> jp: I will have a look into it and discuss it with Sebastian
12:24:13 <kaz> q?
12:24:28 <McCool> https://github.com/w3c/wot-testing/blob/main/data/input_2022/Architecture/Results/ditto.csv
12:24:45 <JKRhb> mm: Similar goes for Takenaka, I will also speak to Ege regarding Netzo
12:25:17 <McCool> https://github.com/w3c/wot-architecture/blob/main/testing/manual.csv
12:25:29 <McCool> https://cdn.statically.io/gh/w3c/wot-architecture/7856f8b0b8534211f03273c44ecec6bfdc8935d0/testing/report11.html
12:25:39 <JKRhb> kaz: The test results are for the latest version?
12:26:17 <JKRhb> mm: (Provides links to the input file and the implementation report)
12:26:45 <JKRhb> ... also, an implementation description should be given as an HTML file
12:27:01 <McCool> https://github.com/w3c/wot-testing/blob/main/data/input_2022/Architecture/Impls/node-wot.html
12:27:20 <JKRhb> ... (posts a link to node-wot's description)
12:27:20 <kaz> s/The test results are for the latest version?/We should clarify what we want from them. That's basically manual.csv like ditto.csv. Right?/
12:28:22 <kaz> kaz: and it would be nicer if we could have some description about those expected files on the top page of the wot-testing repo :)
12:28:30 <kaz> i/and/scribenick: kaz/
12:28:36 <kaz> scribenick: JKRhb
12:28:46 <JKRhb> mm: At this point, making changes to the document is difficult, as every change reopens the review period
12:29:42 <JKRhb> ... any changes still at-risk are still fixable but are not ideal. I would suppose we should be able to get rid of at least half of them, though
12:30:15 <JKRhb> topic: Issues
12:30:25 <JKRhb> subtopic: TD Issue #1670
12:30:31 <McCool> https://github.com/w3c/wot-thing-description/issues/1670
12:30:40 <JKRhb> mm: Someone asked me to look into this
12:31:36 <JKRhb> ...in the link relation-types table we have a proxy-to relation-type and we also have a security scheme field "proxy"
12:31:49 <JKRhb> ... the question is when to use which and if they are redundant
12:32:11 <JKRhb> ... what is asked in the issue is if we can at least explain what the difference is
12:32:29 <JKRhb> ... the problem is that this is part of TD 1.0 as well
12:32:56 <JKRhb> ... we could mark it as at-risk and remove it in the next major version
12:34:03 <JKRhb> ... there might be use cases for using a proxy link (that indicates what is being proxied) in addition to a proxy security scheme field
12:34:25 <JKRhb> jp: I agree that it makes sense to keep it
12:34:48 <JKRhb> mm: (adds a comment to the issue)
12:36:25 <JKRhb> s/in addition to a proxy security scheme field/in addition to a proxy security scheme field that provides security metadata for the proxy itself/
12:37:59 <JKRhb> mm: I have an implementation that is actually a reverse-proxy but we could turn it into a forward-proxy as well
12:39:41 <JKRhb> mm: One issue is that we did not mark this assertion as its own row in the table
12:40:19 <JKRhb> ... or rather as a general issue: The corresponding table that does not contain IDs for assertions at all
12:40:40 <JKRhb> ... is rather a best-practice table with example than an assertion table
12:41:28 <JKRhb> ... (adds another comment about this to the issue)
12:44:47 <kaz> rrsagent, make log public
12:44:50 <kaz> rrsagent, draft minutes
12:44:50 <RRSAgent> I have made the request to generate https://www.w3.org/2022/10/10-wot-sec-minutes.html kaz
12:45:22 <kaz> chair: McCool
12:46:21 <JKRhb> mm: So we could add an additional sentence regarding the use of proxy information from security schemes for proxy-to links
12:46:30 <JKRhb> ... as suggested in the comment
12:46:53 <JKRhb> ... converting the whole table into assertions, however, does not seem practical
12:48:18 <JKRhb> topic: Implementation Report Reviews (continued)
12:48:24 <JKRhb> subtopic: Discovery
12:48:54 <JKRhb> mm: Here we have a similar problem with regard to the security
12:49:02 <kaz> i/my question is also/scribenick: kaz/
12:49:16 <kaz> i/We have at least three/scribenick: JKRhb/
12:49:24 <JKRhb> s/to the security/to security/
12:50:22 <kaz> s|1670|1670 wot-thing-description Issue 1670 - Add informative text defining use of proxy-to link relation type|
12:50:29 <kaz> rrsagent, draft minutes
12:50:29 <RRSAgent> I have made the request to generate https://www.w3.org/2022/10/10-wot-sec-minutes.html kaz
12:51:00 <JKRhb> mm: Most of the assertions have become stale, I will ask again in the security call for people to update their implementations
12:51:07 <kaz> i|Here we have|-> https://cdn.statically.io/gh/w3c/wot-discovery/daca95eefcb71a1cddda847eb1a824d3eb099e44/testing/report.html rendered version Implementation Report for Discovery|
12:51:09 <kaz> rrsagent, draft minutes
12:51:09 <RRSAgent> I have made the request to generate https://www.w3.org/2022/10/10-wot-sec-minutes.html kaz
12:51:44 <kaz> s|https://github.com/w3c/wot-thing-description/issues/1670|-> https://github.com/w3c/wot-thing-description/issues/1670|
12:51:45 <kaz> rrsagent, draft minutes
12:51:45 <RRSAgent> I have made the request to generate https://www.w3.org/2022/10/10-wot-sec-minutes.html kaz
12:52:16 <JKRhb> ... should we do something to soften the assertions? In the worst case we would need to change them back to informative
12:52:35 <JKRhb> ... is having too many at-risk items a problem for CR transition?
12:53:15 <JKRhb> kaz: Too many features at risk would not be great, as I mentioned before we could consider putting them in a separate section and putting it at-risk as a whole
12:53:53 <JKRhb> mm: We could put security at risk as a whole but it does not seem like a good idea
12:54:24 <JKRhb> ... we could put them at risk and add a statement that we might need to make them informative again
12:55:20 <JKRhb> kaz: Ideally, all security features should be implemented, right? We need to talk to Philipp and Ralph but I think if some security features only have one implementation that might be negotiable
12:56:38 <kaz> s/Philipp /Philippe /
12:56:47 <JKRhb> ... we could explain the background of why security implementations are missing
12:57:50 <JKRhb> mm: I could implement half of the features in my implementation, a problem might be CoAP
12:58:16 <JKRhb> ... I would be reluctant to take these features out, but it would be a possibility
12:59:07 <JKRhb> ... we should schedule a meeting with Philippe and discuss these points
12:59:26 <JKRhb> [adjourned]
13:00:34 <kaz> i/I could im/mm: As mentioned, we still have not got implementation reports from three industrial implementers, those should care about security./
13:00:43 <kaz> i/As mention/scribenick: kaz/
13:01:04 <kaz> i/I could imple/scribenick: JKRhb/
13:01:12 <kaz> rrsagent, draft minutes
13:01:12 <RRSAgent> I have made the request to generate https://www.w3.org/2022/10/10-wot-sec-minutes.html kaz
13:07:40 <zkis> zkis has joined #wot-sec
14:54:40 <Zakim> Zakim has left #wot-sec