12:03:40 RRSAgent has joined #wot-sec
12:03:44 logging to https://www.w3.org/2023/03/20-wot-sec-irc
12:03:44 meeting: WoT Security
12:03:54 Mizushima has joined #wot-sec
12:04:17 present+ Kaz_Ashimura, Michael_McCool, Ege_Korkan, Jiye_Park, Luca_Barbato, Tomoaki_Mizushima
12:05:49 q+
12:06:13 ack k
12:06:45 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#20_March_2023
12:07:34 scribenick: Jiye
12:08:07 topic: Minutes
12:08:21 -> https://www.w3.org/2023/03/13-wot-sec-minutes.html Mar-13
12:08:42 rrsagent, make log public
12:08:46 McCool_ has joined #wot-sec
12:08:47 rrsagent, draft minutes
12:08:48 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:10:32 approved
12:10:55 topic: Security Issues
12:11:03 subtopic: ssue 220
12:11:06 https://github.com/w3c/wot-security/issues/220
12:11:08 s/ssue/Issue 220/
12:11:34 https://github.com/w3c/wot-security/issues/214
12:11:48 s|https://github.com/w3c/wot-security/issues/220|-> https://github.com/w3c/wot-security/issues/220 Issue 220 - Consider moving Terminology to the beginning
12:12:05 q+
12:12:26 ack k
12:13:02 subtopic: issue 214
12:13:05 i/214/(still waiting for comments)
12:13:15 s|https://github.com/w3c/wot-security/issues/214||
12:13:19 mm: can we close this issue #214? any objection?
12:13:37 (no objection)
12:13:50 i|can we|-> https://github.com/w3c/wot-security/issues/214 Issue 214 - Expand the (currently very short) intro section|
12:13:57 rrsagent, draft minutes
12:13:58 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:14:35 subtopic: Issue 208
12:14:45 -> https://github.com/w3c/wot-security/issues/208 Issue 208 - Remove Reference to "Security Best Practices"
12:14:53 mm: assigned to myself
12:15:19 topic: Next Charter Work Items
12:15:19 topic: Charter topics
12:15:23 s/topic: Charter topics/
12:15:28 rrsagent, draft minutes
12:15:30 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:16:08 chair: McCool
12:16:08 https://github.com/w3c/wot-charter-drafts/pull/77
12:17:11 mm: (Summary of the issue) previous description was short and Ben asked for more details.
12:17:17 i/assigned to/scribenick: kaz/
12:17:27 i/Next Charter Work/scribenick: Jiye/
12:17:30 rrsagent, draft minutes
12:17:31 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:18:10 i/Summary of/scribenick: Jiye/
12:18:13 rrsagent, draft minutes
12:18:44 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:18:51 i/77/subotopic: wot-charter-drafts PR 77/
12:19:09 q+
12:19:14 mm: people think that we need to start with experimental implementation, what is our opinion on this?
12:19:34 q+
12:20:25 kaz: for the charter discussion we don't need to talk about that details now, we can discuss where the onboarding part goes.
12:20:54 s/that details/details/
12:21:30 mm: I would like to know what the recommendation would be for this onboarding topic
12:23:05 ... we are not constrained right now where to add onboarding. We have several choices if we go informative right now.
12:23:30 kaz: We need to focus on charter discussion first rather than having discussion on details
12:24:33 mm: If we go for informative, onboarding part doesn't need to be in the architecture document, so I am fine with having some experimental document and then seeing if we can go for a normative document
12:24:50 subtopic: Signing
12:25:31 rrsagent, draft minutes
12:25:32 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:25:39 mm: question is we don't have many people to work on both onboarding and signing. Do we need to work on this? IMO, signing has higher priority
12:26:18 ek: I think also onboarding part is more like a life cycle thing
12:26:24 s/subotopic:/subtopic:/
12:26:25 rrsagent, draft minutes
12:26:26 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:26:54 i|Summary of the|-> https://github.com/w3c/wot-charter-drafts/pull/77 wot-charter-drafts PR 77 - Expand description of Onboarding in Details|
12:26:59 rrsagent, draft minutes
12:27:00 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:27:10 mm: from a security perspective, it is an important feature, but for now we are ignoring it.
12:27:30 https://docs.google.com/presentation/d/1OZeLR0-qAw01R1UloTG25xQjc5LFuwvRP9o50QVo660/edit?usp=sharing
12:27:36 eg: onboarding is more like we are using an existing mechanism but signing is more like we need to define how to do it
12:27:39 mm: agree
12:27:45 topic: TD Assertions for Dev Meeting
12:27:54 s|https://docs.google.com/presentation/d/1OZeLR0-qAw01R1UloTG25xQjc5LFuwvRP9o50QVo660/edit?usp=sharing||
12:28:06 -> https://docs.google.com/presentation/d/1OZeLR0-qAw01R1UloTG25xQjc5LFuwvRP9o50QVo660/edit?usp=sharing Ege's draft slides for Dev Meeting
12:28:31 (Ege explaining overall list of TD assertions)
12:30:17 q+
12:30:30 ack e
12:34:43 kaz: we should clarify to participants the goal of the developer meeting itself. If we want to give information for each assertion at risk? That kind of clarification is needed
12:34:43 ack k
12:35:51 eg: so I prepared the slides about goal, risk, and how to contribute.
12:36:40 mm: need to check the date, we talk latest mid May.
12:37:50 s/I prepared/I'll add/
12:38:08 mm: maybe a bit more structure on the overall list slide is needed
12:38:27 q+
12:38:31 ... distinguishing the security part and the rest so it is easy to recognize.
12:38:43 ack k
12:38:54 kaz: this slide should show the overall list of at-risk features, right?
12:39:00 (Ege changed title of the slide)
12:40:18 q+
12:40:26 ek: td-security-uri-variables-distinct might not really be a security feature, need to double check
12:40:55 kaz: we also need to provide context for this list. What kind of description is clarified.
12:41:20 mm: security-server-auth-td might be able to go to discovery
12:41:24 ack k
12:41:47 q+
12:42:15 ... let's check redundancy first, and if it's not we can move it to discovery
12:42:29 ... kaz, can we do that?
12:43:08 kaz: that's is the reason why I suggested to discuss the purpose of the event first to clarify assertions well.
12:44:22 mm: there is not reason why this assertion is at risk as it's easy to be satisfied
12:44:30 s/not/no/
12:44:58 ek: this is not tls, right?
12:45:06 mm: no this is about tls, mutual authentication
12:45:59 s/that's is the reason why I suggested to discuss the purpose of the event first to clarify assertions well./Technically, that's possible, but that implies we need to publish updated CRs for TD and Discovery. That's why I've been suggesting we clarify the goal of the Dev Meeting, and my understanding simply clarifying the assertion texts and spec texts with the current spec structure./
12:46:41 s/there is not/OK. That's my preference too. On the other hand, there is no/
12:46:45 rrsagent, draft minutes
12:46:46 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
12:50:14 (discussion on security-contect-secure-fetch assertion)
12:50:55 q+
12:51:59 ack k
12:52:28 mm: bottom line is when you fetch, you should try https first,
12:52:52 ... it will be redirected if you do http, and the server requires https
12:53:40 q+
12:53:44 ack lu
12:55:30 lb: this is yet another larger topic, whether we have full JSON-LD or not, and whether it's fulfilled in case of a full JSON-LD implementation
12:55:49 mm: that's why we have the condition
12:56:19 q+
12:56:20 ... we also have other assertions, pointing out that concern
12:56:47 ack luca
12:58:24 lb: the problem I see is that either you decide you don't support real JSON-LD and don't have a security issue but parsing context.
12:59:16 mm: I don't disagree with you.
12:59:39 lb: I will make this assertion even stronger, would recommend MUST.
12:59:48 mm: we are trying to make MUST assertion.
12:59:59 s/to make/not to make/
13:01:00 ek: have a question regarding the implementability of assertions in general
13:01:22 q+
13:01:23 mm: can have a further discussion in the TD call.
13:01:36 ... also can talk about this offline
13:02:12 ... also can discuss in the testing call as well
13:03:00 -> https://github.com/w3c/wot-testing/tree/main/events/2023.03.DevMtg Dev Meeting page
13:03:03 ack k
13:03:09 @@@
13:03:24 kaz: given we're out of time, we need to clarify how to proceed with the discussion
13:03:40 ... we at least should use the Testing slot, though
13:04:19 proposed date of the dev meetings
13:04:20 Global: Reuse second hour of TD slot: 3/29 15:00 UTC
13:04:20 Japanese: 3/30 11:00 JST
13:04:26 i/prop/[[/
13:04:26 ]]
13:04:31 rrsagent, draft minutes
13:04:32 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
13:04:51 michael.d.mccool@gmail.com
13:05:17 s/michael.d.mccool@gmail.com//
13:05:59 [adjourned]
13:06:03 rrsagent, draft minutes
13:06:04 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
13:06:59 i/given we're/scribenick: kaz/
13:07:01 rrsagent, draft minutes
13:07:02 I have made the request to generate https://www.w3.org/2023/03/20-wot-sec-minutes.html kaz
15:03:28 Zakim has left #wot-sec