13:01:50 <RRSAgent> RRSAgent has joined #wot-sec
13:01:50 <RRSAgent> logging to https://www.w3.org/2022/12/05-wot-sec-irc
13:02:41 <McCool> McCool has joined #wot-sec
13:03:46 <kaz> meeting: WoT Security
13:03:58 <kaz> present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
13:03:59 <Jiye> Jiye has joined #wot-sec
13:04:11 <kaz> chair: McCool
13:04:36 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#5_December_2022
13:07:36 <Jiye> present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
13:07:52 <Jiye> topic: Minutes
13:08:04 <kaz> -> https://www.w3.org/2022/11/28-wot-sec-minutes.html Nov-28
13:08:40 <Jiye> scribenick: Jiye
13:08:52 <kaz> approved
13:08:56 <kaz> topic: Schedule
13:09:23 <Jiye> mm: until end of this year, we will have one more meeting
13:09:36 <kaz> i|until|-> https://www.w3.org/WoT/IG/wiki/Main_WoT_WebConf#Cancellations_and_Schedule_Updates Cancellations on the main wiki|
13:09:49 <Jiye> ...: next week meeting will be canceled and then week after, we will have a meeting
13:10:49 <Jiye> s/...:/...
13:14:22 <kaz> present+ Jan_Romann, Tomoaki_Mizushima
13:14:30 <Jiye> topic: wide review
13:15:09 <Jiye> -> https://github.com/w3c/transitions/issues/474#issuecomment-1326375790
13:16:52 <Jiye> mm: TAG review is closed and security review is close which is add
13:16:58 <Jiye> s/add/odd/
13:18:13 <Jiye> s/TAG review is closed and security review is close which is odd/ TAG review is closed and security review is still opened which is odd/
13:19:15 <Mizushima> Mizushima has joined #wot-sec
13:19:24 <Jiye> (writing an email to Daniel)
13:20:03 <Jiye> ... I am not sure who is responsible for security review and Sam didn't response
13:20:15 <Jiye> topic: implementation reports
13:22:21 <kaz> s/5790/5790 transitions issue 474 - CR Request for Web of Things (WoT) Architecture 1.1/
13:22:52 <kaz> rrsagent, make log public
13:22:56 <kaz> rrsagent, draft minutes
13:22:56 <RRSAgent> I have made the request to generate https://www.w3.org/2022/12/05-wot-sec-minutes.html kaz
13:26:03 <Jiye> mm: there are few gaps about certain security schemes
13:26:41 <Jiye> ... one is the body security location using json pointers which no one is use that
13:27:39 <kaz> i|there are|-> https://w3c.github.io/wot-thing-description/testing/report11.html TD 1.1 Implementation Report|
13:30:39 <kaz> * 95: sec-body-name-json-pointer
13:30:41 <kaz> * 97: sec-body-name-json-pointer-array
13:30:57 <kaz> * 100: td-security-in-uri-variable
13:31:10 <kaz> * 102: td-security-uri-variables-distinct
13:35:17 <Jiye> jy: I have asked if there is any update regarding security schemes on Siemens side, and there is no big update. The question is do we really need security schemes in the body?
13:35:39 <Jiye> ... there is no difference on security strength if we use TLS/DTLS
13:36:32 <Jiye> mm: it's about API support. I can implement this part in Java or Python
13:37:06 <Jiye> ... for instance, philips hue add security key into URI
13:37:16 <Jiye> jy: but this is not secure
13:37:22 <Jiye> mm: agree but that's how they do
13:38:26 <Jiye> ... we need to find an example of using security scheme in the body using JSON pointer and refer to it
13:40:02 <McCool> see also https://github.com/w3c/wot-profile/pull/331
13:40:18 <kaz> s/see also/->/
13:40:37 <kaz> s/331 See also: wot-profile PR 331 - narrowing down oauth required flows/
13:40:41 <Jiye> mm: seems we don't have client side implementation. only client flow is at risk
13:40:41 <kaz> rrsagent, draft minutes
13:40:41 <RRSAgent> I have made the request to generate https://www.w3.org/2022/12/05-wot-sec-minutes.html kaz
13:41:11 <Jiye> ... we also have device flow at risk but it's more like device onboarding than authenticating
13:41:25 <kaz> * 131: td-security-oauth2-client-flow
13:41:26 <kaz> * 132: td-security-oauth2-client-flow-no-auth
13:41:33 <kaz> * 133: td-security-oauth2-device-flow
13:41:35 <Jiye> ... I more concern about the client implementation
13:41:57 <Jiye> ... probably we need to work on the client side implementation
13:43:30 <Jiye> * 232: td-security-extension
13:44:41 <Jiye> mm: some of the examples are old. we need another example that someone is using the extension. we have to invent a scenario which needs extension, this is kinda weird one
13:46:33 <Jiye> mm: table is sorted number 282 downward, security, privacy are groupped
13:48:09 <Jiye> topic: scanning security implementation for discovery
13:48:21 <Jiye> * 33?: security-bootstrapping-endpoints
13:48:31 <Jiye> s/33?/33/
13:48:54 <Jiye> mm: this is simple to handle, we just need to add an assertion.
13:49:17 <Jiye> * 34:exploration-secboot-401
13:49:36 <Jiye> mm: this is also related to bootstrapping and it's invisible
13:49:58 <Jiye> jan: there is an implementation pending having this feature
13:51:07 <Jiye> mm: note that number 33 - 36 are security related
13:52:14 <Jiye> ... 137-144 resonable to have it.
13:53:34 <Jiye> * 142: sec-tdd-intro-if-multicast-required
13:55:28 <Jiye> topic: scanning security implementation for architecture
13:57:45 <Jiye> mm: most of the things will be not at risk if there is one more implementation
14:00:16 <Jiye> jan: there is no DTLS 1.3 implementation
14:01:15 <Jiye> mm: number 51, there is a bit of ambiguous
14:01:37 <Jiye> jy: yes, it doesn't need to be now, but it's better to change from MAY to MUST eventually
14:01:59 <kaz> kaz: it wouldn't change implementation requirements. right?
14:02:00 <Jiye> topic: AOB
14:02:07 <kaz> i/AOB/mm: right/
14:02:45 <McCool> https://github.com/w3c/wot-architecture/issues/885
14:02:45 <Jiye> topic: AOB
14:02:47 <Jiye> (none)
14:03:07 <kaz> [adjourned]
14:03:40 <kaz> rrsagent, draft minutes
14:03:40 <RRSAgent> I have made the request to generate https://www.w3.org/2022/12/05-wot-sec-minutes.html kaz
15:23:20 <Zakim> Zakim has left #wot-sec