IRC log of wot-sec on 2021-02-01

Timestamps are in UTC.

13:05:10 [RRSAgent]
RRSAgent has joined #wot-sec
13:05:10 [RRSAgent]
logging to https://www.w3.org/2021/02/01-wot-sec-irc
13:05:17 [kaz]
Meeting: WoT Security
13:05:31 [kaz]
present+ Kaz_Ashimura, Michael_McCool, Oliver_Pfaff
13:05:43 [kaz]
regrets+ Elena_Reshetova
13:06:48 [kaz]
topic: Prev minutes
13:07:10 [kaz]
-> https://www.w3.org/2021/01/25-wot-sec-minutes.html Jan-25
13:07:27 [kaz]
mm: would be better to add titles for issues/PRs...
13:08:46 [kaz]
@@@kaz will add titles
13:09:17 [kaz]
Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#1_February_2021
13:11:22 [kaz]
mm: (goes through the sections on apikeys from the editor's draft)
13:11:43 [kaz]
present+ Cristiano_Aguzzi
13:11:45 [kaz]
present+ Tomoaki_Mizushima
13:11:57 [cris__]
cris__ has joined #wot-sec
13:12:09 [kaz]
topic: WIP: add URI template location for security scheme parameters #1032
13:12:21 [kaz]
-> https://github.com/w3c/wot-thing-description/pull/1032 PR 1032
13:12:31 [kaz]
mm: (explains the points)
13:13:03 [kaz]
-> https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-766835622 McCool's comments
13:13:27 [kaz]
[[
13:13:29 [kaz]
"securityDefinitions": {
13:13:29 [kaz]
"template": {
13:13:29 [kaz]
"scheme": "uri",
13:13:29 [kaz]
"uriVariables": {
13:13:29 [kaz]
"ID" : { "type": "string", "@type": "SecurityID" },
13:13:30 [kaz]
"KEY" : { "type": "string", "@type": "SecurityKey" }
13:13:32 [kaz]
}
13:13:34 [kaz]
}
13:13:36 [kaz]
}
13:13:38 [kaz]
]]
13:13:42 [kaz]
(example above)
13:14:16 [kaz]
mm: (adds some more comments in response to the comments from Cristiano and Ege)
13:20:23 [kaz]
... (put a "uri_key" entry, a "uri_id" entry and a combo entry to a new example)
13:21:27 [Mizushima_]
Mizushima_ has joined #wot-sec
13:21:49 [kaz]
s/editor's draft/editor's draft of the Thing Description spec/
13:23:08 [kaz]
mm: (shows the ED of the TD spec again)
13:23:32 [kaz]
-> https://w3c.github.io/wot-thing-description/#apikeysecurityscheme Thing Description Editor's Draft - 5.3.3.6 APIKeySecurityScheme
13:24:30 [kaz]
-> https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-770853792 McCool's updated comments including the new example of the combo security
13:24:51 [kaz]
mm: go with the "name" option
13:26:01 [kaz]
topic: Consider security issues in Discovery #196
13:26:11 [kaz]
-> https://github.com/w3c/wot-security/issues/196 Issue 196
13:27:16 [kaz]
-> https://github.com/w3c/wot-discovery/pull/107 related PR - Update SPARQL DDoS ed note #107
13:27:51 [kaz]
s/relate PR/relate PR for wot-discovery/
13:28:26 [kaz]
-> https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/pull/107.html#security-considerations Section 7. Security and Privacy Considerations
13:29:08 [kaz]
mm: (shows the related PR 107 for WoT Discovery and its preview)
13:29:21 [kaz]
... (and then goes back to the Issue 196 itself)
13:29:32 [kaz]
... (adds comments)
13:29:43 [kaz]
... location may be implicit
13:30:17 [kaz]
... if a TD simply *appears* in a directory, then we know the Thing is in range (e.g. of WiFi) so it can register with the TDD
13:41:24 [kaz]
... (adds some more comments)
13:44:48 [kaz]
... in general, "disabling" geolocation for personal devices may be necessary, although it still is useful for institutional use cases
13:45:53 [kaz]
... another option would be to use a "code generator" to generate IDs (perhaps in combination with encrypted TDs) that is synchronized between the device and another application available to the user
13:45:55 [kaz]
q+
13:47:54 [kaz]
... so, for example, a user could use an app on their laptop to generate the current ID and then do a discovery search to find the location of their car, which had registered an encrypted TD with that (rotating) ID with a discovery service.
13:48:14 [kaz]
kaz: yeah, this discussion is very important for security purposes
13:48:42 [kaz]
... note that we should get ready for the privacy review at some point (within 6 months)
13:48:46 [kaz]
mm: yeah
13:48:51 [kaz]
... we need to work on this
13:49:24 [kaz]
... probably we need to allow "nosec" although it's probably a very bad idea except for development use cases.
13:51:02 [kaz]
... we could perhaps add an assertion that "if a TDD service is available to anyone other than the developer and supports registration of third-party TDs then it MUST NOT use the "nosec" scheme
13:51:18 [kaz]
s/"if/[[if/
13:51:25 [kaz]
s/scheme/scheme]]/
13:52:05 [kaz]
topic: AOB
13:52:08 [kaz]
mm: aob?
13:52:10 [kaz]
(none)
13:52:14 [kaz]
q?
13:52:14 [McCool]
q?
13:52:15 [kaz]
q-
13:52:24 [kaz]
[adjourned]
13:52:29 [kaz]
rrsagent, make log public
13:52:36 [kaz]
rrsagent, draft minutes
13:52:36 [RRSAgent]
I have made the request to generate https://www.w3.org/2021/02/01-wot-sec-minutes.html kaz
16:01:35 [Zakim]
Zakim has left #wot-sec