11:52:19 RRSAgent has joined #wot-sec
11:52:19 logging to https://www.w3.org/2022/10/24-wot-sec-irc
11:52:23 meeting: WoT Security
11:54:27 present+ Kaz_Ashimura
12:02:15 present+ Michael_McCool
12:02:35 Mizushima has joined #wot-sec
12:02:58 McCool has joined #wot-sec
12:03:51 jiye has joined #wot-sec
12:04:22 present+ Jan_Romann, Jiye_Park
12:04:26 JKRhb has joined #wot-sec
12:05:53 scribenick: jiye
12:06:03 citrullin has joined #wot-sec
12:06:20 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#24_October_2022
12:06:27 topic: Minutes
12:06:37 -> https://www.w3.org/2022/10/17-wot-sec-minutes.html Oct-17
12:09:58 topic: Implementation Reports
12:10:15 mm: resolution on Wednesday, Oct 26
12:10:37 present+ Philipp_Blum, Tomoaki_Mizushima
12:10:47 mm: I will spend some time to plan the next step
12:11:05 present+ Jan_Romann
12:11:13 rrsagent, make log public
12:11:17 rrsagent, draft minutes
12:11:17 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
12:12:01 https://github.com/w3c/wot-discovery/pull/430
12:12:05 mm: I have three PR
12:12:14 https://github.com/w3c/wot-thing-description/pull/1730
12:12:30 https://github.com/w3c/wot-architecture/pull/858
12:12:33 s/mm: I have three PR//
12:12:38 i|430|mm: I have three PR|
12:12:42 s/PR/PRs/
12:13:16 subtopic: Discovery PR
12:13:47 -> https://github.com/w3c/wot-discovery/pull/430 PR 430 - CR publication prep and IR finalization
12:13:56 s/PR 430/wot-discovery PR 430/
12:14:26 mm: It's not related to security directly, but just small updates on CoAP; there is no progress on security-based assertions
12:14:58 ...: still many parts about security are at risk
12:15:39 subtopic: TD PR
12:16:02 -> https://github.com/w3c/wot-thing-description/pull/1730 wot-thing-description PR 1730 - Prep for CR
12:16:07 subtopic: Architecture PR
12:16:11 rrsagent, draft minutes
12:16:11 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
12:16:35 mm: it's not security related
12:16:52 i|it's|-> https://github.com/w3c/wot-architecture/pull/858 wot-architecture PR 858 - Prep for CR, finalize IR and document at-risk items|
12:17:01 q+
12:17:14 ...: at least the TLS related topics are not at risk anymore
12:17:34 present+ Sebastian_Kaebisch
12:17:38 jr: in the implementation I support, we don't support DTLS v1.3
12:17:46 sebastian has joined #wot-sec
12:17:54 chair: McCool
12:18:06 rrsagent, draft minutes
12:18:06 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
12:18:19 q+
12:18:27 mm: some of the remaining ones are related to policy; probably we can get some statement from people
12:19:03 mm: does anybody have an idea that certain things should be normative?
12:19:24 ack s
12:21:01 mm: DTLS is used only for CoAP and we don't have any implementation
12:21:28 ack s
12:22:02 arch-security-consideration-avoid-direct Security N The WoT Runtime SHOULD NOT directly expose native device interfaces to the script developers.
12:22:34 s/arch-se/[[ arch-se/
12:22:47 s/developers./developers. ]]/
12:22:50 kaz: @@@
12:23:10 mm: if things are at risk and we end up with informative text, we could convert to informative text in advance
12:23:49 s/I agree we need that kind of discussion, but what's more important from my viewpoint is we need to add some more clarification to the assertions./
12:23:53 q+
12:23:56 ack k
12:24:20 kaz: might want to add clarification only to the assertion?
12:24:44 mm: this could be helpful
12:24:54 ...: we can create an issue when you bring it up
12:27:50 s/@@@/I agree we need that kind of discussion, but what's more important from my viewpoint is we need to add some more clarification to the assertions./
12:28:12 ack s
12:28:34 s/to the assertions/to the assertions, because when I asked the ECHONET guys to submit their report, they were not sure what this assertion meant (and I had to agree)./
12:30:04 q+
12:30:10 kaz: if it's possible, we have to mention also about our expectation.
12:30:47 s/have to mention also about our/should describe our/
12:31:15 q?
12:31:17 ack jk
12:31:46 q+
12:32:10 https://github.com/w3c/wot-architecture/issues/864
12:33:30 mm: consumers won't be affected by this
12:34:03 s/https/-> https/
12:34:50 s/864/864 McCool creates a new issue 864 for wot-architecture - arch-security-consideration-avoid-direct unclear/
12:34:51 ...: I don't intend to make a PR right now.
12:34:57 ack c
12:34:59 rrsagent, draft minutes
12:34:59 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
12:35:19 s/...:/.../g
12:35:21 rrsagent, draft minutes
12:35:22 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
12:35:46 s/... :/... /g
12:35:47 rrsagent, draft minutes
12:35:47 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
12:36:59 kaz: if I get any feedback, I will let you know
12:38:04 s/any/any more/
12:38:27 topic: aria-description
12:38:55 mm: we can look at this again
12:42:36 topic: Cancellations
12:43:24 mm: Security call will be cancelled on Oct 31 since Kaz (and the JP Members) can't make it.
12:43:41 q+
12:43:46 topic: Commercial Implementations
12:43:52 q?
12:43:54 q+
12:45:22 sebastian: currently we have two official commercial implementations
12:45:59 ...: one is for a building automation use case, the other one is sayWoT, which is more general-purpose.
12:46:46 ack s
12:47:35 kaz: I have contacted other companies as well, and would be able to get the feedback as well. just question is timing
12:48:42 mm: my assumssion is all the assertions in the privacy and security parts are new. Some are hard to validate. So if it is needed, we need to change to informative text
12:49:07 s/just question is timing/The question is the timing. If it's OK for us to get their reports after CR transition, maybe we can get some results from them./
12:49:09 ...: feedback is a bit slow from the commercial implementation side, so we can consider changing to informative text
12:49:28 sebastian: we definitely can ask Bosch
12:49:30 mm: already did
12:49:31 q+
12:49:53 s/assussion/assumption/
12:50:07 kaz: technically we should mark those features as at risk
12:50:23 q+
12:50:27 ack k
12:51:01 s/at risk/at risk, and see the results when we transition to PR./
12:51:04 sebastian: this week we hava meeting with telecom people, and we can ask them to give implementation result input
12:51:22 kaz: this will be very welcome
12:51:29 s/this/that/
12:51:39 s/hava/have a/
12:52:09 topic: S&P guidelines update
12:52:21 mm: we might need an internal review
12:52:39 ...: what is the current charter timeline?
12:52:44 kaz: end of Jan.
12:53:25 s/end of Jan./31 January 2023/
12:53:38 -> https://www.w3.org/2022/07/wot-wg-2022.html extended WoT WG Charter
12:54:17 mm: my proposal is finishing working on this before the Christmas holiday
12:54:31 sebastian_ has joined #wot-sec
12:54:34 q+
12:54:36 s/this/this document/
12:54:57 https://github.com/w3c/wot-testing/blob/main/data/input_2022/TD/saywot/saywot.csv
12:55:45 topic: security testing
12:55:53 mm: this is related to pentesting implementations
12:56:16 ...: the question is how to do this pen or security testing
12:56:36 ...: I have looked at some tools, and it seems it's not so difficult
12:56:57 ...: for example, the timeout from a discovery document can be tested
12:57:41 ...: at least we need an update on how we do the testing. it will be very useful
12:57:49 s/...:/... /g
12:58:00 rrsagent, draft minutes
12:58:00 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
12:58:48 s/assumssion/assumption/
12:58:48 rrsagent, draft minutes
12:58:48 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
13:00:07 [adjourned]
13:00:09 rrsagent, draft minutes
13:00:09 I have made the request to generate https://www.w3.org/2022/10/24-wot-sec-minutes.html kaz
13:54:00 kaz has joined #wot-sec
14:55:30 Zakim has left #wot-sec
15:14:16 kaz has joined #wot-sec