IRC log of wot-sec on 2021-02-01
Timestamps are in UTC.
- 13:05:10 [RRSAgent]
- RRSAgent has joined #wot-sec
- 13:05:10 [RRSAgent]
- logging to https://www.w3.org/2021/02/01-wot-sec-irc
- 13:05:17 [kaz]
- Meeting: WoT Security
- 13:05:31 [kaz]
- present+ Kaz_Ashimura, Michael_McCool, Oliver_Pfaff
- 13:05:43 [kaz]
- regrets+ Elena_Reshetova
- 13:06:48 [kaz]
- topic: Prev minutes
- 13:07:10 [kaz]
- -> https://www.w3.org/2021/01/25-wot-sec-minutes.html Jan-25
- 13:07:27 [kaz]
- mm: would be better to add titles for issues/PRs...
- 13:08:46 [kaz]
- @@@kaz will add titles
- 13:09:17 [kaz]
- Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#1_February_2021
- 13:11:22 [kaz]
- mm: (goes through the sections on apikeys from the editor's draft)
- 13:11:43 [kaz]
- present+ Cristiano_Aguzzi
- 13:11:45 [kaz]
- present+ Tomoaki_Mizushima
- 13:11:57 [cris__]
- cris__ has joined #wot-sec
- 13:12:09 [kaz]
- topic: WIP: add URI template location for security scheme parameters #1032
- 13:12:21 [kaz]
- -> https://github.com/w3c/wot-thing-description/pull/1032 PR 1032
- 13:12:31 [kaz]
- mm: (explains the points)
- 13:13:03 [kaz]
- -> https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-766835622 McCool's comments
- 13:13:27 [kaz]
- [[
- 13:13:29 [kaz]
- "securityDefinitions": {
- 13:13:29 [kaz]
- "template": {
- 13:13:29 [kaz]
- "scheme": "uri",
- 13:13:29 [kaz]
- "uriVariables": {
- 13:13:29 [kaz]
- "ID" : { "type": "string", "@type": "SecurityID" },
- 13:13:30 [kaz]
- "KEY" : { "type": "string", "@type": "SecurityKey" }
- 13:13:32 [kaz]
- }
- 13:13:34 [kaz]
- }
- 13:13:36 [kaz]
- }
- 13:13:38 [kaz]
- ]]
- 13:13:42 [kaz]
- (example above)
- 13:14:16 [kaz]
- mm: (adds some more comments in response to the comments from Cristiano and Ege)
- 13:20:23 [kaz]
- ... (put a "uri_key" entry, a "uri_id" entry and a combo entry to a new example)
- 13:21:27 [Mizushima_]
- Mizushima_ has joined #wot-sec
- 13:21:49 [kaz]
- s/editor's draft/editor's draft of the Thing Description spec/
- 13:23:08 [kaz]
- mm: (shows the ED of the TD spec again)
- 13:23:32 [kaz]
- -> https://w3c.github.io/wot-thing-description/#apikeysecurityscheme Thing Description Editor's Draft - 5.3.3.6 APIKeySecurityScheme
- 13:24:30 [kaz]
- -> https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-770853792 McCool's updated comments including the new example of the combo security
- 13:24:51 [kaz]
- mm: go with the "name" option
- 13:26:01 [kaz]
- topic: Consider security issues in Discovery #196
- 13:26:11 [kaz]
- -> https://github.com/w3c/wot-security/issues/196 Issue 196
- 13:27:16 [kaz]
- -> https://github.com/w3c/wot-discovery/pull/107 related PR - Update SPARQL DDoS ed note #107
- 13:27:51 [kaz]
- s/relate PR/relate PR for wot-discovery/
- 13:28:26 [kaz]
- -> https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/pull/107.html#security-considerations Section 7. Security and Privacy Considerations
- 13:29:08 [kaz]
- mm: (shows the related PR 107 for WoT Discovery and its preview)
- 13:29:21 [kaz]
- ... (and then goes back to the Issue 196 itself)
- 13:29:32 [kaz]
- ... (adds comments)
- 13:29:43 [kaz]
- ... location may be implicit
- 13:30:17 [kaz]
- ... if a TD simply *appears* in a directory, then we know the Thing is in range (e.g. of WiFi) so it can register with the TDD
- 13:41:24 [kaz]
- ... (adds some more comments)
- 13:44:48 [kaz]
- ... in general, "disabling" geolocation for personal devices may be necessary, although it still is useful for institutional use cases
- 13:45:53 [kaz]
- ... another option would be to use a "code generator" to generate IDs (perhaps in combination with encrypted TDs) that is synchronized between the device and another application available to the user
- 13:45:55 [kaz]
- q+
- 13:47:54 [kaz]
- ... so, for example, a user could use an app on their laptop to generate the current ID and then do a discovery search to find the location of their car, which had registered an encrypted TD with that (rotating) ID with a discovery service.
- 13:48:14 [kaz]
- kaz: yeah, this discussion is very important for security purposes
- 13:48:42 [kaz]
- ... note that we should get ready for the privacy review at some point (within 6 months)
- 13:48:46 [kaz]
- mm: yeah
- 13:48:51 [kaz]
- ... we need to work on this
- 13:49:24 [kaz]
- ... probably we need to allow "nosec" although it's probably a very bad idea except for development use cases.
- 13:51:02 [kaz]
- ... we could perhaps add an assertion that "if a TDD service is available to anyone other than the developer and supports registration of third-party TDs then it MUST NOT use the "nosec" scheme
- 13:51:18 [kaz]
- s/"if/[[if/
- 13:51:25 [kaz]
- s/scheme/scheme]]/
- 13:52:05 [kaz]
- topic: AOB
- 13:52:08 [kaz]
- mm: aob?
- 13:52:10 [kaz]
- (none)
- 13:52:14 [kaz]
- q?
- 13:52:14 [McCool]
- q?
- 13:52:15 [kaz]
- q-
- 13:52:24 [kaz]
- [adjourned]
- 13:52:29 [kaz]
- rrsagent, make log public
- 13:52:36 [kaz]
- rrsagent, draft minutes
- 13:52:36 [RRSAgent]
- I have made the request to generate https://www.w3.org/2021/02/01-wot-sec-minutes.html kaz
- 16:01:35 [Zakim]
- Zakim has left #wot-sec