Meeting minutes
Minutes
approved
Next Charter
McCool: let's recap the topic on Security
wot PR 1057 - WG 2023 Charter - Security Deliverable
McCool: onboarding to go to Architecture
… then
… 3 work items here
* signing - definition (including canonicalization) in the TD 2.0 spec, then usage in Discovery (including chained signatures for modifications like embedding update times in enriched TDs) and Profiles (e.g. perhaps requiring signing, although it depends on how heavyweight it is to compute) * security ontology - @egekorkan has proposed putting protocol-specific security schemes into the protocol bindings (and also into the formal ontology for that protocol) * onboarding - Can go into Architecture. We already have lifecycle there. Arch can also be used to consolidate normative security assertions if that's what we want to do still.
McCool: (shows the draft WG Charter)
Onboarding (Architecture, Discovery, Security): Define lifecycle process to establish mutual trust and identification. Security Scheme Ontology (Thing Description, Security): Refactor TD security schemes using TD extension ontologies. Signing (Discovery, Thing Description, Security): Add support for TD signing and support signed TDs in the discovery process. Requires definition of TD canonicalization.
(note McCool's local file has more description than the online draft Charter)
McCool: thought I had merge this PR but it's still open...
… our current Charter says we'll update the Guideline Note
… probably we should keep this PR open and get more reviews
… (McCool puts comment to the PR 1057)
… Security TF reviewed this on Jan 23 and approves the updates
Planning
McCool: Security and Privacy Guidelines update still needed
… Jiye, do you still need to review it?
Jiye: Yes
McCool: (put comments on the agenda wiki)
… TF Members still reviewing
… by Jan 30
AOB
Jiye: will we change the TLS version?
McCool: it's too late for us to add changes from now
… we've already published CRs
… if really needed, we can still add changes. however, the schedule would be very tight
… on the other hand, we can still add informative description to add clarification
wot-architecture PR 886 - Revise (D)TLS-1-2 assertions
Kaz: given the text within the WoT Architecture spec, and the assertion table shows continuous two assertions on (1) if TLS 1.3 can't be used, you MAY use TLS 1.2 and (2) earlier version of TLS than 1.2 (=1.1) MUST NOT be used
… we don't need to apply this PR
McCool: OK
… so there are 3 possible options
… 1. keep the text asis
… 2. still revise the text and go for the 2nd CR
… 3. talk with the Director
… in my opinion, we should go for 1 or 3
Kaz: don't think we should go for #2
… but if we do, we should check all the potential problems in addition to this to avoid potential third CR
McCool: Jiye, do you agree if we don't add this change?
Jiye: yes
McCool's comments on wot-architecture PR 886
- Not worth insisting on another CR to include this change, as logically the meaning is captured considering the above additional assertion - Certainly we could include it IF there was another CR for other reasons - Do we ask for an exception? We can ask PLH. - Worst case, we don't change it. While not ideal, this is acceptable.
[adjourned]