13:03:03 RRSAgent has joined #wot-sec
13:03:07 logging to https://www.w3.org/2023/03/06-wot-sec-irc
13:03:10 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#6_March_2023
13:03:20 meeting: WoT Security
13:03:31 present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
13:03:36 present+ Luca_Barbato
13:05:37 scribenick: kaz
13:05:43 topic: Minutes
13:05:48 present+ Tomoaki_Mizushima
13:06:02 -> https://www.w3.org/2023/02/27-wot-sec-minutes.html Feb-27
13:06:09 mm: (goes through the minutes
13:06:14 s/tes/tes)/
13:06:40 https://github.com/w3c/wot-profile/pull/371
13:07:48 lb: would add the above PR to the agenda
13:07:50 mm: ok
13:08:03 ... minutes themselves look fine
13:08:11 approved
13:08:37 topic: PRs
13:09:21 subtopic: PR 216
13:09:30 -> https://github.com/w3c/wot-security/pull/216 PR 216 - Update IETF references, clean up whitespace
13:09:37 mm: looks reasonable
13:09:55 ... referring to the IETF standards
13:10:36 s/IETF standards/RFCs/
13:10:53 ... my question is if it's appropriate to call RFCs "IETF standards"
13:10:57 jr: should be fine
13:10:59 mm: ok
13:11:03 present+ Jan_Romann
13:11:11 zakim, who is on the call?
13:11:11 Present: Kaz_Ashimura, Michael_McCool, Jiye_Park, Luca_Barbato, Tomoaki_Mizushima, Jan_Romann
13:11:34 subtopic: PR 217
13:11:45 -> https://github.com/w3c/wot-security/pull/217 PR 217 - Expand introduction section
13:11:55 mm: figures are removed?
13:11:58 jr: right
13:12:33 -> https://pr-preview.s3.amazonaws.com/w3c/wot-security/217/802fee3...JKRhb:528b4b1.html#introduction diff - 1. Introduction
13:12:40 mm: a bit confused
13:13:14 ... and concerned maybe there is some duplicate
13:14:27 q+
13:14:53 -> https://pr-preview.s3.amazonaws.com/JKRhb/wot-security/pull/217.html#introduction Preview - 1. Introduction
13:15:04 mm: (goes through the Preview instead of the Diff)
13:15:42 ... ISO resources should be referenced. right?
13:16:46 kaz: should improve the text and the structure
13:17:18 mm: why don't you add a subtitle "Outline" right before "The rest of this document is..."?
13:17:46 kaz: yeah, we can start with something like that
13:18:13 mm: (adds a comment to the PR)
13:18:18 ... some improvements needed
13:19:44 ... e.g., put last paragraph of the section 1 into sub section
13:20:15 s/sub section/sub section, "Outline"/
13:20:27 ... use a bulleted list to make it easier to read
13:21:10 ... avoid making descriptions self-referential (lifecycle section explains the lifecycle)
13:21:34 -> https://github.com/w3c/wot-security/pull/217#issuecomment-1456124574 McCool's comments
13:22:22 topic: Profile issues
13:22:52 mm: still several remaining issues to be addressed
13:23:00 subtopic: Issue 221
13:23:26 -> https://github.com/w3c/wot-profile/issues/221 wot-profile issue 221 - Security Schemes are too loose
13:24:15 mm: need clarification on how to use security schemes
13:24:44 ... Ben provided several examples on what he did
13:24:47 -> https://github.com/w3c/wot-profile/issues/221#issuecomment-1415811569 Ben's comments
13:25:53 mm: (shows section "5.4 Security")
13:25:56 -> @@@
13:26:17 mm: what is missing here is how to handle header, cookie, etc.
13:27:15 s|@@@|https://w3c.github.io/wot-profile/#common-constraints-security WoT Profile Editor's Draft - 5.4 Security|
13:28:20 -> https://github.com/w3c/wot-profile/issues/6 generic issue - wot-profile issue 6 - Recommended Security
13:28:33 q+
13:28:43 mm: let me put comments on the generic issue 6
13:29:09 ... current text still doesn't have limitations on use of "in"
13:29:21 s/"in"/"in" and "name"/
13:29:37 ... let's focus on cleaning up the internal content of the section first
13:29:53 ... later on we can discuss whether or not it belongs inside a specific profile
13:31:14 -> @@@
13:31:35 q+
13:32:50 kaz: I'm OK with improving the WoT Profile spec incrementally
13:33:33 ... but it sounds to me we need clarification on how to implement actual WoT-based systems based on the WoT specs
13:34:15 ... so not 100% sure if it would be really the best solution to put all the necessary information around how to use the WoT features to the WoT Profile spec
13:34:24 ... probably we need bigger discussion about that
13:35:17 mm: yeah, would suggest incremental improvement in the short term
13:35:38 kaz: yeah, I'm OK with the short-term improvement itself
13:36:16 ... but we need bigger discussion about best practices and implementation guidelines for WoT-based system development at some point
13:36:19 mm: right
13:37:33 ... let's focus on cleaning up the internal text of the WoT Profile spec now
13:37:55 ... As Ben points out, since we only do HTTP in the current WoT Profile spec
13:38:37 ... but in the long run, we'll have to restructure things and have a security section for each profile
13:40:11 ... think the default values are already defined by the WoT Thing Description spec
13:41:22 -> https://w3c.github.io/wot-thing-description/#sec-default-values WoT Thing Description 1.1 ED - 5.4 Default Value Definitions
13:41:36 mm: actually, don't see the default value for OAuth...
13:42:15 ... (adds another comment to the wot-profile issue 6)
13:43:46 ... The "basic" scheme MUST use the default values for "in" and "name" of "header" and "Authorization" as defined in TD
13:43:58 s/in TD/in the Thing Description 1.1 spec./
13:43:59 q?
13:45:48 kaz: which section do you want to refer to for that purpose?
13:46:50 mm: the ReSpec reference simply uses the whole document as the reference
13:47:10 kaz: that's true, but we ourselves should be aware which section and text describes what
13:47:15 mm: right
13:49:07 kaz: if section "5.4 Default Value Definitions" itself doesn't have the description, some other section has some description. that's what you mean. right?
13:51:46 ... my question is if the Thing Description 1.1 spec has enough description and necessary assertion for that
13:51:55 ... or we need to have some text within Profile instead
13:52:09 mm: Thing Description 1.1 spec has many options
13:52:56 ... I'll do a PR on that point
13:53:14 -> https://github.com/w3c/wot-profile/issues/6#issuecomment-1456164456 McCool's comments
13:53:31 topic: Charter discussion
13:53:37 subtopic: PR 77
13:54:06 -> https://github.com/w3c/wot-charter-drafts/pull/77 wot-charter-drafts PR 77 - Expand description of Onboarding in Details
13:54:46 mm: question around description on Onboarding
13:55:13 -> https://github.com/w3c/wot-charter-drafts/issues/67 related issue 67 - What does "onboarding" involve?
13:55:51 q+
13:56:02 -> https://github.com/w3c/wot-charter-drafts/issues/67#issuecomment-1455918245 McCool's comment on Issue 67
13:57:54 ack k
13:58:07 kaz: this discussion is already too much detail
13:59:11 ... of course we need discussion on what we need around IoT system lifecycle in general including onboarding
14:00:25 ... however, the question is to what level can we try to work on around onboarding and system lifecycle
14:00:30 mm: right
14:00:45 ... please continue to think about that
14:01:07 ... (adds comment to issue 67)
14:01:48 ... agree there is a possibility that we don't want to commit to doing onboarding in the Charter itself.
14:02:07 ... would suggest we merge this PR for now
14:02:28 ... but will create another PR to take the mention of onboarding out of the Charter
14:02:56 ... later when we do detailed planning we can decide if we want to tackle this in this Charter or not
14:03:10 -> https://github.com/w3c/wot-charter-drafts/issues/67#issuecomment-1456191689 McCool's comments
14:03:13 [adjourned]
14:03:18 rrsagent, make log public
14:03:23 rrsagent, draft minutes
14:03:25 I have made the request to generate https://www.w3.org/2023/03/06-wot-sec-minutes.html kaz
15:00:40 Mizushima has left #wot-sec
16:04:14 Zakim has left #wot-sec