13:05:10 RRSAgent has joined #wot-sec
13:05:10 logging to https://www.w3.org/2021/02/01-wot-sec-irc
13:05:17 Meeting: WoT Security
13:05:31 present+ Kaz_Ashimura, Michael_McCool, Oliver_Pfaff
13:05:43 regrets+ Elena_Reshetova
13:06:48 topic: Prev minutes
13:07:10 -> https://www.w3.org/2021/01/25-wot-sec-minutes.html Jan-25
13:07:27 mm: would be better to add titles for issues/PRs...
13:08:46 @@@kaz will add titles
13:09:17 Agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#1_February_2021
13:11:22 mm: (goes through the sections on apikeys from the editor's draft)
13:11:43 present+ Cristiano_Aguzzi
13:11:45 present+ Tomoaki_Mizushima
13:11:57 cris__ has joined #wot-sec
13:12:09 topic: WIP: add URI template location for security scheme parameters #1032
13:12:21 -> https://github.com/w3c/wot-thing-description/pull/1032 PR 1032
13:12:31 mm: (explains the points)
13:13:03 -> https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-766835622 McCool's comments
13:13:27 [[
13:13:29 "securityDefinitions": {
13:13:29 "template": {
13:13:29 "scheme": "uri",
13:13:29 "uriVariables": {
13:13:29 "ID" : { "type": "string", "@type": "SecurityID" },
13:13:30 "KEY" : { "type": "string", "@type": "SecurityKey" }
13:13:32 }
13:13:34 }
13:13:36 }
13:13:38 ]]
13:13:42 (example above)
13:14:16 mm: (adds some more comments in response to the comments from Cristiano and Ege)
13:20:23 ... (put a "uri_key" entry, a "uri_id" entry and a combo entry to a new example)
13:21:27 Mizushima_ has joined #wot-sec
13:21:49 s/editor's draft/editor's draft of the Thing Description spec/
13:23:08 mm: (shows the ED of the TD spec again)
13:23:32 -> https://w3c.github.io/wot-thing-description/#apikeysecurityscheme Thing Description Editor's Draft - 5.3.3.6 APIKeySecurityScheme
13:24:30 -> https://github.com/w3c/wot-thing-description/pull/1032#issuecomment-770853792 McCool's updated comments including the new example of the combo security
13:24:51 mm: go with the "name" option
13:26:01 topic: Consider security issues in Discovery #196
13:26:11 -> https://github.com/w3c/wot-security/issues/196 Issue 196
13:27:16 -> https://github.com/w3c/wot-discovery/pull/107 related PR - Update SPARQL DDoS ed note #107
13:27:51 s/relate PR/relate PR for wot-discovery/
13:28:26 -> https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/pull/107.html#security-considerations Section 7. Security and Privacy Considerations
13:29:08 mm: (shows the related PR 107 for WoT Discovery and its preview)
13:29:21 ... (and then goes back to the Issue 196 itself)
13:29:32 ... (adds comments)
13:29:43 ... location may be implicit
13:30:17 ... if a TD simply *appears* in a directory, then we know the Thing is in range (e.g. of WiFi) so it can register with the TDD
13:41:24 ... (adds some more comments)
13:44:48 ... in general, "disabling" geolocation for personal devices may be necessary, although it still is useful for institutional use cases
13:45:53 ... another option would be to use a "code generator" to generate IDs (perhaps in combination with encrypted TDs) that is synchronized between the device and another application available to the user
13:45:55 q+
13:47:54 ... so, for example, a user could use an app on their laptop to generate the current ID and then do a discovery search to find the location of their car, which had registered an encrypted TD with that (rotating) ID with a discovery service.
13:48:14 kaz: yeah, this discussion is very important for security purposes
13:48:42 ... note that we should get ready for the privacy review at some point (within 6 months)
13:48:46 mm: yeah
13:48:51 ... we need to work on this
13:49:24 ... probably we need to allow "nosec" although it's probably a very bad idea except for development use cases.
13:51:02 ... we could perhaps add an assertion that "if a TDD service is available to anyone other than the developer and supports registration of third-party TDs then it MUST NOT use the "nosec" scheme
13:51:18 s/"if/[[if/
13:51:25 s/scheme/scheme]]/
13:52:05 topic: AOB
13:52:08 mm: aob?
13:52:10 (none)
13:52:14 q?
13:52:14 q?
13:52:15 q-
13:52:24 [adjourned]
13:52:29 rrsagent, make log public
13:52:36 rrsagent, draft minutes
13:52:36 I have made the request to generate https://www.w3.org/2021/02/01-wot-sec-minutes.html kaz
16:01:35 Zakim has left #wot-sec