13:03:23 <RRSAgent> RRSAgent has joined #wot-sec
13:03:27 <RRSAgent> logging to https://www.w3.org/2023/01/23-wot-sec-irc
13:03:29 <kaz> meeting: WoT Security
13:03:44 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#23_January_2022
13:03:56 <kaz> present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
13:08:26 <kaz> topic: Minutes
13:08:35 <kaz> -> https://www.w3.org/2022/12/19-wot-sec-minutes.html Dec-19
13:08:37 <kaz> approved
13:08:49 <kaz> topic: Next Charter
13:09:16 <kaz> mm: let's recap the topic on Security
13:09:57 <kaz> -> https://github.com/w3c/wot/pull/1057 wot PR 1057 - WG 2023 Charter - Security Deliverable
13:10:23 <kaz> mm: onboarding to go to Architecture
13:10:35 <kaz> ... then
13:10:39 <kaz> ... 3 work items here
13:11:21 <kaz> -> https://github.com/w3c/wot/pull/1057#issuecomment-1386993506 McCool's comment on 3 points
13:11:23 <kaz> [[
13:11:30 <kaz> signing - definition (including canonicalization) in the TD 2.0 spec, then usage in Discovery (including chained signatures for modifications like embedding update times in enriched TDs) and Profiles (e.g. perhaps requiring signing, although it depends on how heavyweight it is to compute)
13:11:30 <kaz> security ontology - @egekorkan has proposed putting protocol-specific security schemes into the protocol bindings (and also into the formal ontology for that protocol)
13:11:30 <kaz> onboarding - Can go into Architecture. We already have lifecycle there. Arch can also be used to consolidate normative security assertions if that's what we want to do still.
13:11:31 <kaz> ]]
13:12:11 <kaz> s/signing/* signing/
13:12:17 <kaz> s/security ont/* security ont/
13:12:26 <kaz> s/onboarding - /* onboarding -/
13:12:37 <kaz> s/onboarding -/onboarding - /
13:12:50 <kaz> mm: (shows the draft WG Charter)
13:13:26 <kaz> -> https://w3c.github.io/wot/charters/wot-wg-2023-draft.html Draft WoT WG Charter
13:13:42 <kaz> [
13:13:45 <kaz> Onboarding (Architecture, Discovery, Security):
13:13:45 <kaz> Define lifecycle process to establish mutual trust and identification.
13:13:45 <kaz> Security Scheme Ontology (Thing Description, Security):
13:13:45 <kaz> Refactor TD security schemes using TD extension ontologies.
13:13:45 <kaz> Signing (Discovery, Thing Description, Security):
13:13:46 <kaz> Add support for TD signing and support signed TDs in the discovery process. Requires definition of TD canonicalization.
13:13:49 <kaz> ]]
13:13:52 <kaz> s/[/[[/
13:14:29 <kaz> (note McCool's local file has more description than the online draft Charter)
13:15:31 <kaz> mm: thought I had merge this PR but it's still open...
13:17:01 <kaz> ... our current Charter says we'll update the Guideline Note
13:19:59 <kaz> ... probably we should keep this PR open and get more reviews
13:20:41 <kaz> ... (McCool puts comment to the PR 1057)
13:21:05 <kaz> ... Security TF reviewed this on Jan 23 and approves the updates
13:21:30 <kaz> topic: Planning
13:21:48 <kaz> mm: Security and Privacy Guidelines update still needed
13:21:59 <kaz> ... Jiye, do you still need to review it?
13:22:03 <kaz> jy: Yes
13:22:15 <kaz> mm: (put comments on the agenda wiki)
13:22:25 <kaz> ... TF Members still reviewing
13:22:33 <kaz> ... by Jan 30
13:22:46 <kaz> topic: AOB
13:23:02 <kaz> jy: will we change the TLS version?
13:23:18 <kaz> mm: it's too late for us to add changes from now
13:23:32 <kaz> ... we've already published a CR
13:24:10 <kaz> ... if really needed, we can still add changes. however, the schedule would be very tight
13:24:28 <kaz> ... on the other hand, we can still add informative description to add clarification
13:24:43 <kaz> s/a CR/CRs/
13:25:49 <kaz> -> https://github.com/w3c/wot-architecture/pull/886 wot-architecture PR 886 - Revise (D)TLS-1-2 assertions
13:33:10 <kaz> kaz: given the text within the WoT Architecture spec, and the assertion table shows continuous two assertions on (1) if TLS 1.3 can't be used, you MAY use TLS 1.2 and (2) earlier version of TLS than 1.2 (=1.1) MUST NOT be used
13:33:22 <kaz> ... we don't need to apply this PR
13:33:41 <kaz> mm: OK
13:34:04 <kaz> ... so there are 3 possible options
13:34:16 <kaz> ... 1. keep the text asis
13:34:33 <kaz> ... 2. still revise the text and go for the 2nd CR
13:35:53 <kaz> ... 3. talk with the Director
13:36:00 <kaz> ... tend to go for #2
13:36:28 <kaz> kaz: don't think we should go for #2
13:37:31 <kaz> ... but if we do, we should check all the potential problems in addition to this to avoid potential third CR
13:37:56 <kaz> mm: Jiye, do you agree if we don't add this change?
13:38:02 <kaz> jp: yes
13:38:36 <kaz> -> https://github.com/w3c/wot-architecture/pull/886#issuecomment-1400360327 McCool's comments on wot-architecture PR 886
13:38:37 <kaz> [[
13:38:51 <kaz> - Not worth insisting on another CR to include this change, as logically the meaning is captured considering the above additional assertion
13:38:51 <kaz> - Certainly we could include it IF there was another CR for other reasons
13:38:51 <kaz> - Do we ask for an exception? We can ask PLH.
13:38:51 <kaz> - Worst case, we don't change it. While not ideal, this is acceptable.
13:38:52 <kaz> ]]
13:39:00 <kaz> [adjourned]
13:39:04 <kaz> rrsagent, make log public
13:39:10 <kaz> rrsagent, draft minutes
13:39:11 <RRSAgent> I have made the request to generate https://www.w3.org/2023/01/23-wot-sec-minutes.html kaz
13:39:18 <kaz> present+ Tomoaki_Mizushima, Jan_Romann
13:39:18 <kaz> rrsagent, draft minutes
13:39:19 <RRSAgent> I have made the request to generate https://www.w3.org/2023/01/23-wot-sec-minutes.html kaz
13:39:47 <McCool> s/tend to go for #2/tend to go for 1 or 3/
13:46:22 <kaz> rrsagent, draft minutes
13:46:23 <RRSAgent> I have made the request to generate https://www.w3.org/2023/01/23-wot-sec-minutes.html kaz