13:06:06 <RRSAgent> RRSAgent has joined #wot-sec
13:06:10 <RRSAgent> logging to https://www.w3.org/2023/02/13-wot-sec-irc
13:06:20 <McCool_> McCool_ has joined #wot-sec
13:06:26 <kaz> meeting: WoT Security
13:06:40 <kaz> present+ Kaz_Ashimura, Jan_Romann, Tomaki_Mizushima
13:06:53 <kaz> present+ Jiye_Park, Michael_McCool
13:07:55 <JKRhb> JKRhb has joined #wot-sec
13:08:10 <kaz> scribenick: JKRhb
13:08:22 <JKRhb> topic: Minutes Review
13:08:29 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#13_February_2023
13:08:38 <kaz> -> https://www.w3.org/2023/02/06-wot-sec-minutes.html Feb-6
13:09:10 <JKRhb> mm: Spent some time on the first agenda items, need to address the two items in this call
13:09:15 <luca_barbato> luca_barbato has joined #wot-sec
13:09:32 <JKRhb> ... there is a spelling mistake in "Lumine"
13:10:20 <JKRhb> ... "jy" should be expanded to "Jiye", there is also a typo in "specking"
13:10:26 <JKRhb> kaz: Fixed
13:10:44 <JKRhb> mm: Any objections to publishing?
13:11:41 <JKRhb> lb: There is a typo in my name in the "Welcome" section
13:11:56 <JKRhb> ... there is an "r" missing
13:12:05 <JKRhb> kaz: Is fixed
13:12:20 <JKRhb> mm: No other objections, minutes are approved
13:12:28 <JKRhb> topic: Profile Security Issues
13:12:31 <McCool_> https://github.com/w3c/wot-profile/labels/security
13:12:48 <JKRhb> mm: What you see here are all the issues that are labelled as "security"
13:13:21 <JKRhb> ... there are some that are assigned to me, but I want to find volunteers
13:13:59 <JKRhb> ... there some that are labelled as "P1" for "Priority 1" but the more important ones are the ones labelled "Profile-1.1"
13:14:11 <JKRhb> ... let's go through them in order
13:14:22 <JKRhb> subtopic: Profile Issue #6
13:14:28 <kaz> q+
13:14:48 <JKRhb> mm: In this one, there is a set of allowable security schemes
13:14:54 <kaz> ack k
13:15:36 <JKRhb> kaz: Do you think we discuss these issues in this call?
13:16:07 <JKRhb> mm: My proposal would be doing a quick survey and then assigning the issues
13:16:57 <JKRhb> ... issue deals with section 5.4
13:17:16 <JKRhb> ... there is a set of schemes
13:17:26 <JKRhb> question is if we can trim them down
13:17:40 <JKRhb> s/question is/mm: question is/
13:17:40 <kaz> s/Do you think we discuss these issues in this call?/Before starting the discussion, I have a question on how to run the discussion. Given you want to have some more volunteer reviewers, do you want to improve the procedure as well? Or OK with having discussion during this WoT Security call for a while?/
13:17:59 <JKRhb> s/mm: question is/mm: ...question is/
13:18:16 <kaz> s/assigning the issues/assigning the issues to the volunteer reviewers./
13:19:08 <JKRhb> ... I think we can actually retire this issue
13:19:38 <kaz> i|In this one|-> https://github.com/w3c/wot-profile/issues/6 wot-profile Issue 6 - Recommended Security
13:19:44 <kaz> rrsagent, make log public
13:19:50 <kaz> rrsagent, draft minutes
13:19:51 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/13-wot-sec-minutes.html kaz
13:21:05 <kaz> q?
13:21:08 <kaz> q+ Jiye
13:21:42 <JKRhb> jp: I am fine with getting rid of Digest in this section. There is also no mention of TLS in this section
13:21:43 <luca_barbato> q+
13:22:47 <kaz> -> https://w3c.github.io/wot-profile/#common-constraints-security WoT Profile - 5.4 Security
13:22:52 <kaz> ack J
13:22:56 <kaz> rrsagent, draft minutes
13:22:58 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/13-wot-sec-minutes.html kaz
13:23:22 <JKRhb> mm: Using Basic without TLS is not very secure, but can be seen in some scenarios. Assertions to use TLS are already present in Architecture
13:23:54 <JKRhb> lb: You need to keep in mind that Things might already use a secure channel, e.g. a VPN
13:23:56 <kaz> q+
13:24:06 <JKRhb> ... so you need to define the layer
13:24:16 <JKRhb> mm: No mentioning of VPNs yet
13:24:29 <JKRhb> ... which themselves are likely secured by TLS
13:24:50 <JKRhb> ... (captures the discussion in an issue comment)
13:27:09 <JKRhb> ... I think there should probably be at least be a SHOULD or a MUST for secure transport. But might be redundant with regard to the Architecture
13:28:37 <JKRhb> kaz: This section has a bigger question about the relationship between specifications
13:28:56 <JKRhb> ... another point is that the discussion in this section is kind of redundant
13:29:27 <JKRhb> ... we should think about a bit more what should be described by the Profile specification and what should be discussed in other documents
13:29:51 <kaz> s/This section has/From my viewpoint, this section has/
13:29:52 <JKRhb> mm: This Profile document is dealing with HTTP in particular
13:30:02 <kaz> s/between/among/
13:30:24 <JKRhb> ... so the intention is to limit the available security schemes to a well-defined subset
13:30:34 <kaz> s/point is/point is, as already captured within this Issue 6,/
13:30:42 <JKRhb> ... there are also a lot of "weird ones" like API key
13:30:42 <kaz> ack k
13:30:43 <kaz> ack l
13:31:01 <kaz> q+
13:31:08 <luca_barbato> q+
13:31:15 <JKRhb> ... some of its variants also have a lot of implementation effort
13:31:28 <JKRhb> ... so we want a minimum set of "good" security schemes
13:31:50 <JKRhb> ... and define best practices
13:32:25 <kaz> qq+ Jiye
13:32:28 <kaz> q- Jiye
13:32:35 <JKRhb> ... a bad scheme, for example, would be using Basic with credentials in the URL
13:32:52 <JKRhb> jp: Maybe that should be mentioned in an informative note
13:33:41 <JKRhb> kaz: Probably this is partly related to Luca's point is well: We should probably define the security scope of Profile documents a bit clearer
13:34:08 <kaz> s/is well/as well/
13:34:33 <kaz> s/Profile documents/WoT Profile spec/
13:34:35 <kaz> ack k
13:34:36 <JKRhb> ... aspects like VPNs might not need to be mentioned here
13:35:37 <JKRhb> mm: Question is if we should disallow some variants of the Basic security scheme (e.g., putting it in the Query)
13:36:02 <JKRhb> jp: Strongly in favor of that, since Basic with information in the query is not RFC-compliant
13:36:25 <kaz> s/aspects like VPNs might not need to be mentioned here/e.g., HTTP-based interaction like HTTP Basic Profile, HTTP SSE Profile and HTTP Webhook Profile are our targets, and technologies like VPNs are not in our scope of this spec./
13:37:35 <kaz> q?
13:37:37 <kaz> ack l
13:38:14 <JKRhb> q+
13:39:07 <JKRhb> mm: My suggestion would be to remove the security section from common constraints and move it to HTTP Basic
13:39:26 <JKRhb> q-
13:39:36 <kaz> s/to HTTP Basic/under the HTTP Basic Profile/
13:39:55 <kaz> kaz: think that is what we've been describing by the section 5.4
13:40:06 <kaz> s/think/scribenick: kaz/
13:40:11 <kaz> scribenick: JKRhb
13:40:16 <kaz> q?
13:40:37 <kaz> q+
13:41:37 <JKRhb> lb: OAuth2 is bound to HTTP so mentioning it in common constraints does not make sense
13:41:58 <JKRhb> mm: If we move the whole section to the HTTP Basic Profile then this problem disappears as well
13:42:21 <JKRhb> ... need to define some actions based on the discussion we had
13:42:31 <JKRhb> ... (adds another issue comment)
13:43:06 <kaz> q?
13:44:03 <kaz> ack k
13:44:18 <JKRhb> kaz: I partly agree, but we cannot avoid thinking about security aspects for other profiles as well and think about common security considerations
13:45:14 <JKRhb> ... WebHooks and SSE also need some kind of description of security aspects
13:45:20 <kaz> a/and think/and need to think/
13:46:28 <JKRhb> mm: Can someone volunteer to do a PR that addresses this issue?
13:46:38 <JKRhb> lb: I can try
13:46:44 <JKRhb> mm: Great, I'll assign you then
13:46:57 <kaz> i/WebHooks and SSE/mm: HTTP SSE Profile and HTTP Webhooks Profile are part of the HTTP Basic Profile, so should be able to reuse the security mechanism for the HTTP Basic Profile./
13:47:08 <JKRhb> ... meeting is on Wednesday, would be great if you could prepare a PR until then
13:47:22 <kaz> rrsagent, draft minutes
13:47:23 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/13-wot-sec-minutes.html kaz
13:47:34 <JKRhb> lb: Any formatting advice?
13:47:42 <kaz> chair: McCool
13:47:52 <JKRhb> mm: Avoid making unrelated whitespace changes or typo fixes
13:48:10 <kaz> i/are part of the/scribenick: kaz/
13:48:37 <kaz> i/some kind of description/scribenick: JKRhb/
13:48:41 <kaz> rrsagent, draft minutes
13:48:42 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/13-wot-sec-minutes.html kaz
13:49:18 <JKRhb> subtopic: Profile Issue #359
13:49:18 <JKRhb> mm: Not sure if we need to discuss the points mentioned in this issue
13:49:24 <kaz> i|Not sure|-> https://github.com/w3c/wot-profile/issues/359 wot-profile Issue 359 - Security - open issues|
13:50:30 <kaz> s/WebHooks and SSE also need some kind of description of security aspects/Yeah, that's possible. My point is those guys (=HTTP SSE Profile and HTTP Webhooks Profile) also needs some description on security./
13:50:39 <JKRhb> ... one issue is that NoSec in Common Constraints applies to everybody
13:51:09 <JKRhb> ... while Basic and OAuth2 only apply to HTTP
13:51:37 <kaz> s/kaz: scribenick: kaz that is what we've been describing by the section 5.4/kaz: think that is what we've been describing by the section 5.4./
13:51:53 <kaz> i/we've been describing/scribenick: kaz/
13:51:55 <kaz> rrsagent, draft minutes
13:51:56 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/13-wot-sec-minutes.html kaz
13:52:53 <kaz> s|a/and think/and need to think/||
13:52:57 <kaz> rrsagent, draft minutes
13:52:58 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/13-wot-sec-minutes.html kaz
13:53:05 <JKRhb> ... issue #6 was somehow not listed in this issue, adding it
13:53:43 <JKRhb> ... issue #220 looks similar to #6 and should be resolved at the same time
13:54:07 <JKRhb> ... let me quickly look at the other ones
13:54:18 <kaz> (McCool updates the list of open Issues around security within Issue 359)
13:55:04 <JKRhb> ... issue #224 deals with Webhooks
13:56:16 <kaz> i|224|-> https://github.com/w3c/wot-profile/issues/220 Issue 220 - List of required Security Schemes|
13:56:28 <JKRhb> ... so from my understanding, to use Webhooks securely you need to provide some kind of authentication to subscribe to every event, otherwise it is rejected
13:56:45 <JKRhb> ... during a subscribeallevents operation
13:56:45 <kaz> i|so from|-> https://github.com/w3c/wot-profile/issues/224 Issue 224 - subscribeallevents security requirements|
13:57:02 <JKRhb> ... does somebody feel confident to work on this issue?
13:57:55 <JKRhb> jp: I will take a look
13:58:03 <JKRhb> lb: Does it have a deadline?
13:58:17 <kaz> present+ Luca_Barbato
13:58:20 <kaz> rrsagent, draft minutes
13:58:21 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/13-wot-sec-minutes.html kaz
13:58:27 <JKRhb> mm: Should be done by next week, want to retire many of the profile issues
13:58:34 <JKRhb> lb: Will also have a look on the issue
13:59:10 <JKRhb> mm: (Now turns to Issue #221)
13:59:21 <JKRhb> ... should also be resolved together with Issue #6
13:59:40 <kaz> i|should|-> https://github.com/w3c/wot-profile/issues/221 Issue 221 - Security Schemes are too loose|
14:00:28 <JKRhb> ... (looks at Issue #222)
14:00:46 <JKRhb> ... will discuss this issue in next week's call
14:01:15 <kaz> i|will|-> https://github.com/w3c/wot-profile/issues/222 Issue 222 - Security Requirements for WebHook Consumer|
14:01:23 <kaz> q+
14:01:39 <kaz> ack k
14:02:12 <JKRhb> topic: Next Meeting
14:02:26 <JKRhb> jr: Opened two small PRs for wot-security
14:02:47 <JKRhb> kaz: Should define a label for all security-related PRs
14:03:20 <JKRhb> mm: Will have a look on the PRs and remaining Profile issues next week
14:03:30 <JKRhb> [adjourned]
14:03:54 <kaz> i|adj|-> https://github.com/w3c/wot-profile/issues/359#issuecomment-1427988369 updated Issue list within Issue 359|
14:04:12 <kaz> s/PRs/PRs, but we can do that next week :)/
14:04:19 <kaz> rrsagent, draft minutes
14:04:21 <RRSAgent> I have made the request to generate https://www.w3.org/2023/02/13-wot-sec-minutes.html kaz
16:03:49 <Zakim> Zakim has left #wot-sec