13:06:49 <RRSAgent> RRSAgent has joined #wot-sec
13:06:53 <RRSAgent> logging to https://www.w3.org/2023/02/06-wot-sec-irc
13:06:54 <kaz> meeting: WoT Security
13:07:33 <McCool> McCool has joined #wot-sec
13:07:39 <kaz> present+ Kaz_Ashimura, Michael_McCool, Ege_Korkan, Jiye_Park
13:08:45 <Jiye> topic: Agenda
13:09:16 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#6_February_2023
13:09:20 <kaz> -> https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#6_February_2023 agenda
13:09:31 <kaz> scribenick: Jiye
13:09:41 <Ege> Ege has joined #wot-sec
13:09:43 <Jiye> mm: Minutes, New Member, Security Mechanism Analysis, Review Issues, S&P guidelines, Next Chater
13:10:04 <kaz> rrsagent, make log public
13:10:10 <kaz> rrsagent, draft minutes
13:10:11 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/06-wot-sec-minutes.html kaz
13:10:29 <kaz> chair: McCool
13:10:30 <Jiye> topic: Minutes
13:11:21 <Jiye> -> https://www.w3.org/2023/01/30-wot-sec-minutes.html
13:12:06 <kaz> s/html/html Jan-30/
13:12:52 <Jiye> (no objection on publishing minute)
13:12:52 <kaz> present+ Luca_Barbato, Tomoaki_Mizushima
13:13:07 <kaz> q+
13:13:21 <kaz> ack k
13:13:32 <kaz> topic: Welcome Luca Babato!
13:14:00 <kaz> (Luca Barbato from Luminem)
13:14:17 <kaz> s/Luminem/Lumine gives self intro)
13:16:17 <kaz> q+
13:16:53 <kaz> rrsagent, draft minutes
13:16:54 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/06-wot-sec-minutes.html kaz
13:17:01 <Jiye> mm: S&G has security analaysis, it will be good to look at that if there is anything missing.
13:18:34 <Jiye> ... knowing real world implication of IoT device will be interesting
13:18:43 <kaz> ashimura@w3.org
13:19:20 <Jiye> kaz: join the WoT main call, you will get more information that you need
13:19:50 <McCool> spelling is "Luminum", correct?
13:19:56 <kaz> Luminem
13:20:54 <Jiye> mm: your question was what kind of security scheme you need to implement, right?
13:21:13 <Jiye> lb: currently we don't have any security implementation
13:21:39 <Jiye> mm: obvious step for security implementation is mutual authentication which is now at risk as lack of implementation
13:22:27 <Jiye> s/obvious/obviously
13:23:23 <Jiye> mm: as default, TLS is not doing mutual authentication with browser
13:23:42 <Ege> q+
13:23:46 <kaz> ack k
13:24:01 <Jiye> ... OAuth2.0 client side implementation is recommended
13:26:12 <Jiye> mm: in LAN if you don't want to reveal your device to Internet, CA verfication is a problem. in that case you can use PSK but how to setup the PSK is not defined. Need to do manually.
13:27:03 <Jiye> lb: I wanted to try or get around mDNS, you need to trust mDNS and need to sign, chicken and egg problem
13:28:32 <kaz> q+
13:29:16 <kaz> ack e
13:30:42 <Jiye> jy: if it's to have some security for the implementation, then TLS + basic authentication is recommended
13:33:20 <kaz> q?
13:33:23 <Jiye> lb: having not too high barrier for security implementation will be good
13:35:45 <Jiye> jy: I would say really minimum security implemenation is TLS + PSK
13:36:37 <Jiye> ... it's easy to have, and no problem in LAN
13:36:44 <kaz> q?
13:37:51 <Jiye> (discussion about implementation on ESP series experience)
13:38:49 <Jiye> kaz: this is very important discussion. Suggest to document this discussion, could be extended version or best practice document or use case document ..etc.
13:39:05 <kaz> -> https://w3c.github.io/wot-usecases/ Use Cases and Requirements
13:39:12 <kaz> -> https://w3c.github.io/wot-security-best-practices/ Security Best Practices
13:39:33 <kaz> s/version or/version of/
13:39:57 <luca_barbato> luca_barbato has joined #wot-sec
13:40:15 <kaz> s/ ..etc./, but maybe we at least can start with some MD file to record this kind of feedback on paint points./
13:40:20 <Jiye> mm: these documents are quite out dated. Filing issues is the best to do now.
13:40:22 <kaz> ack k
13:40:44 <Jiye> ... would say start with TLS first as jy said. and we see
13:41:04 <Jiye> ... not sure what protocol you are using
13:41:26 <Jiye> lb: HTTP, and some implementation with web sockets. MQTT we tried and discarded
13:42:05 <Jiye> mm: Specking of Single point failture, for CA could also happens
13:42:47 <Jiye> ... if it's for home, you can make some assumptions for DNS
13:44:47 <Jiye> mm: We can start collecting some issues, and will be good to point these issues in the future calls.
13:45:29 <Jiye> topic: Security Mechanism Analysis
13:46:23 <Jiye> ek: Jiye and me are supervising a person doing a security analysis of security mechanisms supported in TD 1.1.
13:47:01 <Jiye> ... question is we have it in PDF right now, and ideally I want to bring it to working group somehow. Where should be, how should be bring in?
13:48:07 <kaz> q+
13:48:57 <Jiye> ek: We wrote what we need and stopped there in TD document, it's about how to use it
13:51:11 <Jiye> mm: If the document is shared, will have a look and we can discuss
13:51:41 <Jiye> kaz: we don't care about the document format itself. What level of analysis is done?
13:51:54 <Jiye> ek: more than 10 pages.
13:52:29 <Jiye> kaz: it will be good to know some background and structure of the document ..etc
13:52:46 <kaz> s/What level/The question is rather what level/
13:52:53 <kaz> s/done?/done./
13:53:09 <kaz> s/ ..etc/, etc./
13:53:27 <kaz> q?
13:53:29 <kaz> ack k
13:53:31 <kaz> q+
13:54:12 <kaz> -> https://github.com/w3c/wot-charter-drafts/pulls wot-charter-drafts repo
13:54:26 <kaz> i/https/topic: Charter Draft/
13:55:08 <kaz> kaz: as discussed during the main call last week, I've generated a dedicated repo for the new Charter, and copied all the existing PRs to that repo as above
13:55:32 <kaz> ... we should confirm that during the main call
13:55:48 <kaz> topic: Architecture issue
13:56:43 <kaz> -> https://github.com/w3c/wot-architecture/pull/886 wot-architecture PR 886 - Revise (D)TLS-1-2 assertions
13:56:49 <kaz> mm: PLH is OK with merging this
13:57:24 <kaz> ... would merge this during the next Architecture call
13:57:36 <Jiye> ... so if you have objection, comment it
13:57:36 <kaz> ... please give comments if any problems
13:57:41 <kaz> s/... please give comments if any problems//
13:57:56 <kaz> i/as discuss/scribenick: kaz/
13:58:07 <kaz> i/so if you/scribenick: Jiye/
13:58:12 <kaz> rrsagent, draft minutes
13:58:14 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/06-wot-sec-minutes.html kaz
13:58:41 <kaz> s/... so if/mm: so if/
13:58:42 <kaz> rrsagent, draft minutes
13:58:44 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/06-wot-sec-minutes.html kaz
13:58:59 <Jiye> topic: Reviewing issues
13:59:51 <kaz> s/Architecture issue/DTLS Issue/
14:00:23 <kaz> q?
14:00:23 <kaz> q-
14:00:23 <kaz> q+
14:00:35 <McCool> https://github.com/w3c/wot-profile/labels/security
14:00:50 <kaz> s/Reviewing issues/Profile Issues/
14:01:02 <Jiye> mm: there are security issues, so feel free to have a look and work on it
14:01:05 <kaz> s/DTLS Issue/Architecture Issue on DTLS/
14:01:12 <kaz> rrsagent, draft minutes
14:01:13 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/06-wot-sec-minutes.html kaz
14:02:02 <McCool> https://github.com/w3c/wot-profile/issues/6
14:50:12 <kaz> rrsagent, draft minutes
14:50:13 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/06-wot-sec-minutes.html kaz
14:50:19 <kaz> [adjourned]
14:50:19 <kaz> rrsagent, draft minutes
14:50:20 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/06-wot-sec-minutes.html kaz
16:17:24 <Zakim> Zakim has left #wot-sec