13:01:04 RRSAgent has joined #wot-sec
13:01:08 logging to https://www.w3.org/2023/02/20-wot-sec-irc
13:01:10 meeting: WoT Security
13:04:10 JKRhb has joined #wot-sec
13:04:35 present+ Kaz_Ashimura, Michael_McCool, Jan_Romann, Jiye_Park, Luca_Barbato
13:05:01 Jiye has joined #wot-sec
13:06:15 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#20_February_2023
13:07:29 scribenick: kaz
13:07:38 chair: McCool
13:07:54 -> https://www.w3.org/2023/02/13-wot-sec-minutes.html Feb-13
13:08:07 mm: (goes through the minutes)
13:09:35 present+ Tomoaki_Mizushima
13:09:59 approved
13:10:10 topic: Profile
13:10:29 s/Profile/Profile PR/
13:10:49 -> https://github.com/w3c/wot-profile/pull/364 wot-profile PR 364 - Security http sections
13:11:22 mm: (goes through the discussion on the PR)
13:12:36 (Luca has some trouble with audio connection)
13:12:48 jp: probably should talk about this PR later?
13:12:54 mm: ok
13:13:19 topic: Profile Issues
13:13:43 -> https://github.com/w3c/wot-profile/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity Security issues on Profile
13:14:04 subtopic: Issue 6
13:14:19 -> https://github.com/w3c/wot-profile/issues/6 wot-profile Issue 6 - Recommended Security
13:14:42 mm: This is a blocking issue for publication
13:15:26 -> https://github.com/w3c/wot-profile/issues/359 related wot-profile Issue 359 - Security - open issues
13:15:49 mm: some of the points are related to Luca's PR
13:15:58 ... so let's talk about the latter points
13:16:16 subtopic: Issue 222
13:16:35 -> https://github.com/w3c/wot-profile/issues/222 wot-profile Issue 222 - Security Requirements for WebHook Consumer
13:16:45 mm: the question where the stuff to go
13:16:47 q?
13:16:55 jp: yeah
13:17:03 ... thought there was another issue on webhook
13:18:07 -> https://github.com/w3c/wot-profile/issues/224 wot-profile Issue 224 - subscribeallevents security requirements
13:18:27 jp: the above Issue 224 is also related to WbHook
13:18:30 s/Wb/Web/
13:18:43 q+
13:19:57 mm: how can we summarize the situation and do we have any recommendations?
13:20:03 jp: no actual recommendation yet...
13:20:35 mm: when I subscribe, register some callback
13:20:59 ... and specify using some specific token to be used
13:21:03 jp: a bit confused
13:21:39 mm: WebHook means we'll get some callback later
13:22:42 ... two problems here
13:22:55 ... how to authenticate consumers
13:23:12 ... and subscribing all the events
13:23:28 ... however, don't see technical problems here
13:23:31 q?
13:23:49 jp: technically, agree
13:23:56 q+
13:24:22 ... but I'm not sure if what Ben describes here is really correct
13:25:40 ack k
13:26:30 kaz: given the situation, having multiple issues around WebHook and those issues are getting longer, I'd suggest we clarify people's expected mechanism on how to deal with WebHook a bit more first
13:26:38 ... then think about how to describe that later
13:26:43 mm: yeah
13:27:17 ... need to clarify how to deal with the body and the payload, etc.
13:27:19 q?
13:27:45 ... also it seems Ege is reopening what we had already concluded again
13:27:54 q?
13:28:28 lb: do we have any implementations for WebHook?
13:28:36 ... to refer to?
13:28:55 ... would see the expected behavior
13:29:33 ... also do we want to bind some specific WebHook mechanism to ordinary Web security model?
13:30:09 ... one of the problems is trying to clarify multiple Consumers using WebHook
13:30:18 mm: yeah, that's yet another problem
13:30:43 ... let's quickly look at existing standards...
13:31:17 ... (goes through the WoT Profile Editor's Draft)
13:31:20 -> @@@
13:31:37 mm: my understanding is this is based on the Cloud Event mechanism
13:32:28 -> https://w3c.github.io/wot-profile/#sec-http-webhook-profile 10. HTTP Webhook Profile
13:32:44 mm: so need clarification around Cloud Events a bit more first
13:34:03 jp: right
13:34:16 ... there is no concrete description within the WoT Profile spec
13:35:01 ... another problem is how to authenticate the Consumer
13:36:06 https://hookdeck.com/webhooks/guides/what-are-the-webhook-authentication-strategies#signature-verification
13:37:24 jp: some information on Webhook authentication above
13:37:24 q+
13:37:54 jp: not really authentication of WoT Consumers, though
13:37:54 ack l
13:38:12 lb: is there any specific implementation for that?
13:38:17 jp: no
13:39:22 q+
13:40:03 ack k
13:40:24 kaz: so we need a firm specification around Webhook as the basis first
13:40:33 https://hookdeck.com/webhooks/guides/webhooks-security-checklist#verify-the-consumer
13:41:01 s/first/first, and then we ourselves need to think about what to be done for WoT Consumer authentication via Webhook/
13:41:22 q+
13:42:25 jp: some more resource around Webhook security
13:43:13 s/security/security on Verifying the consumer/
13:43:17 q?
13:43:28 mm: maybe we need some more research
13:44:40 ... even though we're under some pressure with the timeline, think we need correct definition
13:44:44 kaz: definitely
13:45:28 lb: still wondering if there is any implementation
13:45:45 ... also who proposed this approach?
13:46:22 ... technically, there could be some good point with using Webhook
13:46:43 ... but need to clarify the need and how to handle it
13:46:58 mm: yeah
13:47:06 ... for example, SSE is easier
13:47:13 ... but has problem with scalability
13:47:28 ... leaving a socket open would be an option, though
13:48:10 ... on the other hand, mutual TLS would require authentication on both sides
13:48:30 ... anyway, we need further research on the Webhook mechanism itself
13:48:36 q+
13:48:38 ack l
13:50:19 kaz: agree we definitely need further research on the Webhook mechanism and have a firm basis for our specification
13:50:50 https://github.com/cloudevents/spec this is the cloudevents spec
13:51:00 q+
13:51:31 kaz: maybe we can ask the TAG for help
13:51:33 mm: right
13:52:40 lb: FYI, there is a specification for CloudEvents as above
13:54:10 kaz: there is a link within that document for "HTTP 1.1 Web Hooks for Event Delivery - Version 1.0.2"
13:54:33 -> https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/http-webhook.md HTTP 1.1 Web Hooks for Event Delivery - Version 1.0.2
13:54:47 kaz: we can start to read those pages but should talk with TAG as well
13:55:46 https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/http-webhook.md#4-abuse-protection this seems to be the part that could be expanded a bit
13:56:10 q?
13:56:28 https://openid.net/wg/sharedsignals/
13:56:41 mm: would look into the above document as well
13:57:19 q+
13:57:28 kaz: we've already started to ask for the wide reviews
13:57:41 ... so can ask the TAG and the Wide Review groups for help
13:57:44 mm: that's correct
13:57:47 ack k
13:58:11 ... someone needs to read the resources
13:58:30 ... the one from OpenID seems to be promising, I think
13:58:50 ... during the WoT Profile, I'll mention this issue again
13:59:02 ack l
13:59:36 lb: as put above, "HTTP 1.1 Web Hooks for Event Delivery - Version 1.0.2" has some description
14:00:21 ... maybe we can try some PoC implementation as well
14:01:44 mm: However, Cloud Events itself doesn't handle necessary security for our purposes, right?
14:02:15 kaz: what Luca is talking about is rather the "HTTP 1.1 Web Hooks for Event Delivery - Version 1.0.2" document and the security section within it
14:02:40 ... However, that document might not be enough, and I agree we need further research anyway
14:02:51 ... also we should ask TAG, etc., for help as well
14:03:55 [adjourned]
14:04:00 rrsagent, make log public
14:04:05 rrsagent, draft minutes
14:04:06 I have made the request to generate https://www.w3.org/2023/02/20-wot-sec-minutes.html kaz
14:33:32 JKRhb has joined #wot-sec
16:05:28 Zakim has left #wot-sec