13:03:35 RRSAgent has joined #wot-sec
13:03:39 logging to https://www.w3.org/2023/01/30-wot-sec-irc
13:03:40 meeting: WoT Security
13:03:46 JKRhb has joined #wot-sec
13:04:20 Jiye has joined #wot-sec
13:04:21 present+ Kaz_Ashimura, Jan_Romann, Michael_McCool
13:07:55 present+ Jiye_Park
13:07:57 scribenick: JKRhb
13:08:07 McCool has joined #wot-sec
13:08:23 topic: Minutes Review
13:08:33 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#30_January_2023
13:08:44 -> https://www.w3.org/2023/01/23-wot-sec-minutes.html Jan-23
13:09:38 Mizushima has joined #wot-sec
13:10:07 mm: We looked at topics for the new charter, discussed the DTLS issue
13:10:56 ... not the end of the world to leave things as they are. If I am mistaken, PLH has not responded to my mail yet
13:11:58 ... can you clarify one formulation regarding the options for addressing the DTLS issue, Kaz?
13:12:03 kaz: fixed
13:12:42 s/fixed/fixed. BTW, we've already got a response from PLH, and we need to respond around the date and time for a meeting./
13:12:50 present+ Tomoaki_Mizushima
13:13:18 mm: Any objections to publishing the minutes?
13:13:26 There are no objections, minutes are approved.
13:13:59 topic: Next Charter
13:14:14 mm: Did not have time for reviewing
13:15:06 q+
13:15:17 ... security is currently not a separate deliverable, many points are in TD, refactoring can be done later and details can be removed
13:15:25 ... any comments?
13:15:42 kaz: I created a PR for fixing the CSS of the draft
13:15:57 mm: Will merge afterwards since it does not change any contents
13:16:09 ack k
13:16:52 mm: PR 1057 regarding the actual normative deliverable is still open
13:17:03 ... there was a discussion if it should be normative
13:17:29 i|I created|-> https://github.com/w3c/wot/pull/1067 wot PR 1067 - Update wot-wg-2023-draft.html|
13:17:34 ... so this PR version is putting things into the other already existing documents
13:17:54 ... while keeping the Security Deliverable informative
13:18:05 s/of the draft/of the draft. can be merged safely before having further discussion./
13:18:22 ... not quite ready to be merged since there are still some normative parts in it
13:18:40 ... any more points that should be discussed here?
13:18:42 i|1057|-> https://github.com/w3c/wot/pull/1057 wot PR 1057 - WG 2023 Charter - Security Deliverable|
13:18:53 zakim, who is on the call?
13:18:53 Present: Kaz_Ashimura, Jan_Romann, Michael_McCool, Jiye_Park, Tomoaki_Mizushima
13:19:00 ... if you have any more points, create a comment or an issue
13:19:12 topic: S&P Guidelines
13:19:16 rrsagent, make log public
13:19:20 rrsagent, draft minutes
13:19:21 I have made the request to generate https://www.w3.org/2023/01/30-wot-sec-minutes.html kaz
13:19:28 mm: Last week, I said we need to make some reviews
13:20:03 ... I made some progress and created some notes in the PR (#209)
13:20:15 ... problem is that discovery is not mentioned yet at all
13:20:26 ... therefore, a revision is needed
13:21:03 ... also, some parts of WoT are now prescriptive, which needs to be addressed
13:21:13 chair: McCool
13:21:19 ... DDoS as a threat needs to be mentioned
13:21:36 ... intro section does not mention privacy
13:22:10 s/in the PR (#209)/in the Issue 209/
13:22:15 ... alignment with Architecture Document (e.g., regarding lifecycle) is needed
13:22:34 i|Last week|-> https://github.com/w3c/wot-security/issues/209 Issue 209 - Update "Security and Privacy Guidelines" prior to 2022 PR transitions|
13:22:51 ... protocol bindings need to be mentioned
13:23:12 jp: What do you have in mind for referring to Protocol Bindings?
13:23:23 q+
13:23:41 mm: We don't actually mention Protocol Bindings but limit ourselves to HTTP/CoAP/MQTT
13:24:29 jp: We could amend the places where HTTP/CoAP/MQTT are mentioned
13:25:43 mm: Referring to Protocol Bindings might take future additions such as OPC UA into account
13:26:24 ... introduction was also quite weak, referenced documents need to be updated
13:26:35 jp: I have some more notes
13:27:33 ... in section 3, the requirements are not very well defined, the threat model is not really a requirement, could be moved to another section or the section could be renamed
13:27:52 mm: Section is rather a requirements analysis, section could be renamed as such
13:28:40 jp: Also, I had some issues with section 6
13:29:31 mm: Yeah, we are repeating ourselves a lot here. However, at least we are not contradicting ourselves
13:29:49 ... specific protocols are mentioned here as well
13:30:40 jp: "Secure Practices" is also not very well fitting, since we already have a Best Practices document
13:31:01 mm: Also, signing TDs is mentioned here, which we have not specified yet
13:31:30 ... section should be removed in order not to repeat ourselves
13:31:55 mm: (Adds a comment to Issue 209)
13:32:56 rrsagent, draft minutes
13:32:58 I have made the request to generate https://www.w3.org/2023/01/30-wot-sec-minutes.html JKRhb
13:33:13 rrsagent, make log public
13:35:38 kaz: I think we should clarify which parts should be updated during the current charter and which should be moved into the next charter. Furthermore, it should be clarified which security topics should be covered by this document or by other documents instead
13:36:06 s/which parts/which parts of the topics within this Issue 209/
13:36:07 ... such as the Binding documents
13:36:18 s/should be updated/should be applied/
13:36:57 s/topics should be covered/topics are/
13:37:39 mm: Simplest approach would be aiming for the next charter. It is unfortunate that it is outdated and does not mention discovery.
13:38:12 s/by this document or by other documents instead/by which spec, e.g., Architecture, TD, Discovery and Profile./
13:38:42 ... however, updating it within the next two weeks might be tough. However, some small updates could be made, including references
13:38:50 s/such as the Binding documents/also should clarify which to be covered by the (future version of) the Binding Templates spec/
13:39:34 ... new versions of deliverables should be referenced
13:39:49 i/new/kaz: right. that's why I'm suggesting we clarify which points to be applied during this Charter period to which spec./
13:40:00 i/right/scribenick: kaz/
13:40:11 i/new versions/scribenick: JKRhb/
13:40:14 q?
13:40:15 ack k
13:40:50 ... some of these fixes should be easy and might take a month overall. Revisions to the abstract or the intro could be made afterwards
13:42:35 ... beyond the points mentioned in the Issue, it is mostly major refactoring and alignment with Architecture and other documents
13:44:50 ... do you have any more comments, Kaz?
13:45:15 kaz: We should look into all proposed deliverables and should clarify which feature is proposed by which one
13:45:52 mm: There are some things that might turn out to be too specific for architecture
13:46:06 ... and should then be moved into another document
13:46:40 ... so we should probably create a "pile" of security considerations and then move them to the appropriate place
13:47:31 ... of concern are assertions that overlap
13:47:42 ... review across all the documents is needed
13:48:19 ... should a long-term coordination of security considerations be a work item?
13:48:43 q+
13:48:44 jp: I strongly agree with the suggestion, would make things a lot easier in the end
13:49:27 mm: Could be added as an item "Coordinating security and privacy considerations"
13:50:22 ack k
13:50:34 kaz: Does not necessarily need to be a work item, but we should clarify how security features should be organized in order to be able to be understood by developers
13:51:05 s/Does not necessarily need to be a work item/that might be going to make sense/
13:51:44 mm: Should be aligned with Security Best Practices, but we need to be careful not to contradict ourselves
13:52:06 s|how security features should be organized|which security/privacy portion to be described which specification how/
13:52:43 https://github.com/w3c/wot-security/issues/209
13:52:45 q?
13:53:04 ... my proposal would be to create issues which people can comment on and work on
13:53:58 rrsagent, draft minutes
13:54:00 I have made the request to generate https://www.w3.org/2023/01/30-wot-sec-minutes.html kaz
13:54:07 ... an issue for references already exists, would you be fine with looking into this, Jiye?
13:54:13 jp: Sure
13:55:06 mm: Another easy fix should be mentioning the deliverables, I can take care of this one
13:55:20 i|an issue|-> https://github.com/w3c/wot-security/issues/206 Issue 206 - Add and Update References|
13:55:38 s/deliverables/new deliverables/
13:56:08 ... then we have "revise the abstract", which I can take care of as well
13:57:30 ... can you have a look into the intro and the requirements section?
13:57:54 Jiye is assigned to the requirements and Jan to the intro
13:58:23 mm: I will take care of the DDoS section and check for contradictions
13:58:44 s/DDoS section/DDoS threat topic/
13:59:07 rrsagent, draft minutes
13:59:08 I have made the request to generate https://www.w3.org/2023/01/30-wot-sec-minutes.html JKRhb
13:59:44 ... after a thorough review, we should then be able to publish an update
13:59:44 ... hope to be done in a month or two
13:59:59 ... will create issues
14:00:44 s/will create issues/will create the remaining issues after the meeting/
14:00:52 [adjourned]
14:00:59 rrsagent, draft minutes
14:01:01 I have made the request to generate https://www.w3.org/2023/01/30-wot-sec-minutes.html JKRhb
16:09:42 Zakim has left #wot-sec