W3C

– DRAFT –
WoT Security

23 January 2023

Attendees

Present
Jan_Romann, Jiye_Park, Kaz_Ashimura, Michael_McCool, Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
kaz

Meeting minutes

Minutes

Dec-19

approved

Next Charter

McCool: let's recap the topic on Security

wot PR 1057 - WG 2023 Charter - Security Deliverable

McCool: onboarding to go to Architecture
… then
… 3 work items here

McCool's comment on 3 points

* signing - definition (including canonicalization) in the TD 2.0 spec,
 then usage in Discovery (including chained signatures for modifications
 like embedding update times in enriched TDs) and Profiles (e.g. perhaps
 requiring signing, although it depends on how heavyweight it is to compute)

* security ontology - @egekorkan has proposed putting protocol-specific
  security schemes into the protocol bindings (and also into the formal
  ontology for that protocol)

* onboarding - Can go into Architecture. We already have lifecycle
  there. Arch can also be used to consolidate normative security
  assertions if that's what we want to do still.

McCool: (shows the draft WG Charter)

Draft WoT WG Charter

Onboarding (Architecture, Discovery, Security):
  Define lifecycle process to establish mutual trust and identification.
Security Scheme Ontology (Thing Description, Security):
  Refactor TD security schemes using TD extension ontologies.
Signing (Discovery, Thing Description, Security):
  Add support for TD signing and support signed TDs in the discovery
  process. Requires definition of TD canonicalization.

(note McCool's local file has more description than the online draft Charter)

McCool: thought I had merge this PR but it's still open...
… our current Charter says we'll update the Guideline Note
… probably we should keep this PR open and get more reviews
… (McCool puts comment to the PR 1057)
… Security TF reviewed this on Jan 23 and approves the updates

Planning

McCool: Security and Privacy Guidelines update still needed
… Jiye, do you still need to review it?

Jiye: Yes

McCool: (put comments on the agenda wiki)
… TF Members still reviewing
… by Jan 30

AOB

Jiye: will we change the TLS version?

McCool: it's too late for us to add changes from now
… we've already published CRs
… if really needed, we can still add changes. however, the schedule would be very tight
… on the other hand, we can still add informative description to add clarification

wot-architecture PR 886 - Revise (D)TLS-1-2 assertions

Kaz: given the text within the WoT Architecture spec, and the assertion table shows continuous two assertions on (1) if TLS 1.3 can't be used, you MAY use TLS 1.2 and (2) earlier version of TLS than 1.2 (=1.1) MUST NOT be used
… we don't need to apply this PR

McCool: OK
… so there are 3 possible options
… 1. keep the text asis
… 2. still revise the text and go for the 2nd CR
… 3. talk with the Director
… in my opinion, we should go for 1 or 3

Kaz: don't think we should go for #2
… but if we do, we should check all the potential problems in addition to this to avoid potential third CR

McCool: Jiye, do you agree if we don't add this change?

Jiye: yes

McCool's comments on wot-architecture PR 886

- Not worth insisting on another CR to include this change, as logically
  the meaning is captured considering the above additional assertion
- Certainly we could include it IF there was another CR for other reasons
- Do we ask for an exception? We can ask PLH.
- Worst case, we don't change it. While not ideal, this is acceptable.

[adjourned]

Minutes manually created (not a transcript), formatted by scribe.perl version 197 (Tue Nov 8 15:42:48 2022 UTC).