13:06:00 <RRSAgent> RRSAgent has joined #wot-sec
13:06:04 <RRSAgent> logging to https://www.w3.org/2022/12/19-wot-sec-irc
13:06:06 <kaz> chair: McCool
13:07:18 <kaz> present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
13:07:24 <kaz> present+ Tomoaki_Mizushima
13:07:27 <kaz> topic: Minutes
13:07:35 <kaz> -> https://www.w3.org/2022/12/05-wot-sec-minutes.html Dec-5
13:07:42 <kaz> mm: (goes through the minutes)
13:08:15 <Mizushima> Mizushima has joined #wot-sec
13:10:43 <kaz> topic: Next Charter
13:11:12 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#19_December_2022
13:11:32 <kaz> mm: we'll cancel the call next week and Jan 9
13:11:57 <kaz> i|we'll|-> https://github.com/w3c/wot/tree/main/proposals/deliverable-proposals Deliverable Proposals
13:12:47 <kaz> -> https://github.com/w3c/wot/pull/1031 wot PR 1031 - Create Security Deliverable Proposal
13:12:58 <kaz> mm: proposal for a normative spec for Security and Privacy
13:13:21 <kaz> q+
13:13:37 <kaz> ... would put onboarding
13:13:55 <kaz> ... also thinking that key management for DID, etc.
13:14:11 <kaz> jp: normative document for Security and Privacy?
13:14:44 <kaz> mm: there is some ambiguity around onboarding
13:15:09 <kaz> q?
13:15:28 <kaz> ... need discussion on what would be a better security scheme
13:15:44 <kaz> ... embedded security key is not a good practice
13:16:10 <kaz> ... best practice to be clarified
13:17:40 <kaz> kaz: so far, we've put security/privacy portions into the other specs
13:17:55 <kaz> ... e.g., Architecture, TD, Discovery and Profile
13:18:05 <kaz> ... but do we want to change that approach?
13:18:11 <kaz> mm: right
13:18:29 <kaz> ... note that right now security guideline is an informative document
13:20:02 <kaz> kaz: the expectation for the normative security/privacy document is describing the best practices for WoT systems in general rather than the level of TDs, etc.
13:20:06 <kaz> mm: right
13:21:24 <kaz> kaz: so "WoT Best Practices" or something like that could be the name for that document
13:21:27 <kaz> mm: yeah
13:21:41 <kaz> ... still need discussion, though
13:21:43 <kaz> ack k
13:22:03 <kaz> ... should include security scheme and ontology for that purpose as well
13:22:20 <kaz> ... registry for that purpose as well
13:24:17 <kaz> ... (mentions "WoT Security and Privacy Recommendations" or "WoT Security and Privacy Best Practices" as potential titles)
13:24:26 <kaz> jy: we don't need to make decision today
13:24:30 <kaz> mm: right
13:25:18 <kaz> ... one more thing I wanted to mention
13:25:35 <kaz> ... VC, SSI, and key distribution
13:26:26 <kaz> (merged)
13:26:42 <kaz> topic: Publications
13:27:11 <kaz> mm: not have time to go through the Security Guideline doc...
13:27:33 <kaz> ... would aim to complete the reviews and suggested changes by Jan 23
13:27:57 <kaz> s/Publications/Publication for S&P Guidelines/
13:28:24 <kaz> topic: Planning
13:28:35 <kaz> mm: January 23
13:28:58 <kaz> topic: Testing
13:29:09 <kaz> mm: Testfest happened last week
13:29:42 <kaz> ... as expected, the most of the remaining features at-risk were around security
13:30:17 <kaz> ... (shows the results)
13:30:25 <kaz> subtopic: TD
13:31:14 <kaz> mm: (shows the latest Implementation Report on his PC)
13:31:29 <kaz> kaz: how many remaining?
13:31:36 <kaz> mm: 18
13:32:20 <kaz> ... and 12 or so of them are around security
13:33:34 <kaz> ... regarding "282: security-mutual-auth-td", need to see if it's really correct because it says "mutually authenticated"
13:33:41 <kaz> q?
13:34:04 <kaz> ... the next one "283: security-server-auth-td" should be easy
13:34:14 <kaz> q+
13:34:41 <kaz> ack k
13:34:52 <kaz> kaz: have you updated the results during the weekend?
13:35:16 <kaz> mm: still need to work on that
13:36:08 <kaz> jp: what about OAuth2?
13:37:38 <kaz> i|shows|-> https://w3c.github.io/wot-thing-description/testing/report11.html latest Implementation Report on GitHub|
13:38:30 <kaz> mm: "td-security-oauth2-client-*" to be looked into
13:39:32 <kaz> ... "td-security-oauth2-code-flow" is already covered, though
13:40:01 <kaz> subtopic: Discovery
13:40:59 <kaz> -> https://w3c.github.io/wot-discovery/testing/report.html latest Implementation Report on GitHub
13:41:09 <kaz> mm: still have 44 features at-risk
13:41:33 <kaz> ... a bit weird to have this big number
13:42:10 <kaz> ... 33, 34, 35, 36 are easy
13:42:19 <kaz> s/easy/easy, though/
13:43:52 <kaz> ... 56, etc., are not security
13:44:20 <kaz> ... "137: sec-tdd-throttle-queries", etc., are around mitigation
13:46:01 <kaz> ... "142: sec-tdd-intro-if-multicast-required" might be difficult due to lack of library
13:46:23 <kaz> ... hope we can get rid of some of the features at-risk
13:47:24 <kaz> ... think client-flow features are more important than code-flow features
13:48:18 <kaz> s/code-flow features/others like watchdog features/
13:48:30 <kaz> subtopic: Architecture
13:48:45 <kaz> -> https://w3c.github.io/wot-architecture/testing/report11.html latest Implementation Report on GitHub
13:49:59 <kaz> mm: "31: arch-security-consideration-communication-platform", etc., were added for binding
13:50:26 <kaz> ... to be honest, I'm OK with removing this feature because it's kind of vague
13:50:56 <kaz> ... (goes through the features at-risk)
13:51:19 <kaz> ... "46: arch-security-consideration-tls-recommended-priv" should be done
13:52:05 <kaz> ... "50: arch-security-consideration-dtls-1-3" to be changed
13:52:07 <kaz> q+
13:52:35 <kaz> kaz: what do you mean by "change" here?
13:52:41 <kaz> ... removing the feature?
13:52:51 <McCool> https://github.com/w3c/wot-architecture/pull/886
13:53:28 <kaz> s/https/-> https/
13:53:45 <kaz> s/886/886 Revise (D)TLS-1-2 assertions/
13:54:39 <kaz> kaz: so the proposed change is "TLS 1.2 MAY be used" to be changed to "at least TLS 1.2 SHOULD"
13:54:50 <kaz> s/SHOULD"/SHOULD be used"/
13:56:12 <kaz> mm: we need to consult with the Director before PR transition
13:57:32 <kaz> ... regarding "31: arch-security-consideration-communication-platform", it depends of which platform to be considered, ECHONET, OPC UA or what?
13:57:53 <kaz> topic: Charter discussion
13:58:15 <kaz> mm: we'll have a special meeting on new WG Charter on Jan 16-19
13:58:32 <McCool> https://www.w3.org/WoT/IG/wiki/Main_WoT_WebConf#Special_Meetings_to_Discuss_Next_Charter
13:58:39 <kaz> ... Security normative spec idea also to be discussed there
13:58:50 <kaz> s|https://www.w3.org/WoT/IG/wiki/Main_WoT_WebConf#Special_Meetings_to_Discuss_Next_Charter||
13:59:03 <kaz> i|we'll|-> https://www.w3.org/WoT/IG/wiki/Main_WoT_WebConf#Special_Meetings_to_Discuss_Next_Charter Special Meeting on Next Charter
13:59:18 <kaz> ... would be great if you also could join that meeting, Jiye
13:59:58 <kaz> jiye: overlapping with the WoT Security call?
14:00:13 <kaz> mm: the Security call will be cancelled on Jan 16
14:00:24 <kaz> ... we'll use a different WebEx for that meeting
14:00:41 <kaz> jiye: OK, will try to join that meeting on Jan 16
14:01:08 <kaz> mm: Sebastian will be also join it
14:01:11 <kaz> [adjourned]
14:01:15 <kaz> rrsagent, make log public
14:01:19 <kaz> rrsagent, draft minutes
14:01:20 <RRSAgent> I have made the request to generate https://www.w3.org/2022/12/19-wot-sec-minutes.html kaz
15:55:14 <Zakim> Zakim has left #wot-sec