12:04:42 RRSAgent has joined #wot-sec 12:04:42 logging to https://www.w3.org/2021/05/03-wot-sec-irc 12:04:51 meeting: WoT Security 12:05:16 present+ Kaz_Ashimura, Cristiano_Aguzzi, Michael_McCool, Oliver_Pfaff, Philipp_Blum 12:06:19 Oliver has joined #wot-sec 12:06:59 McCool has joined #wot-sec 12:07:08 Citrullin has joined #wot-sec 12:07:25 Mizushima has joined #wot-sec 12:07:56 topic: agenda 12:08:08 mc: I would discuss about singing requirements 12:08:10 scribenick: cris_ 12:08:20 s/singing/signing/ 12:09:24 kaz: same problems with w3c server, it is very slow 12:09:45 mc: ok let's skip the minutes review and do it next time 12:09:53 topic: td signing 12:10:08 present+ Tomoaki_Mizushima 12:10:20 philipp: I have the wiki opened 12:10:32 mc: do we need anything from it? 12:10:57 mc: ok skipping 12:12:04 mc: The signing mechanism that I have in my does not heavily rely on canonicalization. it uses just for stability 12:12:11 i/same/some/ 12:12:22 i/problems with/topic: minutes/ 12:12:33 ... #943 is based on obsolete information. we should close it 12:12:47 ... I would like to gather some requirements from people 12:12:54 ... and start working from them 12:13:21 s/in my does/in my PR does/ 12:14:14 kaz: btw w3c is now live again. 12:14:26 mc: ok then let's review the minutes in the last 10 minutes 12:14:31 s/w3c is/W3C server/ 12:14:37 s/server/server is/ 12:14:47 mc: a signed td is object security 12:15:36 ... we do not know about any system using object security 12:15:51 rrsagent, make log public 12:15:51 ... so we lack implementation information and we need to figure it out 12:15:54 rrsagent, draft minutes 12:15:54 I have made the request to generate https://www.w3.org/2021/05/03-wot-sec-minutes.html kaz 12:16:29 Chair: McCool 12:16:40 ... another point is that TDDs want to add metadata to a TD. This creates a problem cause it changes its signature. 12:17:09 ... but most metadata is easly recognizable cause it will use its tdd namespace 12:18:01 ... the problem is that id could be added by TDDs 12:18:26 ... and it's no easy to recognize this condition 12:19:23 -> https://github.com/w3c/wot-thing-description/issues wot-thing-description Issue 940 - Add optional proof section to TDs 12:19:33 q+ 12:20:11 i|#943 is|-> https://github.com/w3c/wot-thing-description/pull/943 wot-thing-description PR 943 - WIP: Add proof and proofChain sections| 12:20:12 mc: I would follow the ld proof pattern 12:20:15 q- 12:20:16 rrsagent, draft minutes 12:20:16 I have made the request to generate https://www.w3.org/2021/05/03-wot-sec-minutes.html kaz 12:20:49 ... so that each proof is in a chain and the latest contain the previous ones 12:22:04 mc: finally there is the issue about canonical form. 12:23:23 ... I am afraid that we missed little different serialization details that could lead to different strings breaking signinig 12:23:52 ... in the end we need a key value store to return the original string 12:24:16 ... kinda a fallback plan if something breaks the signature 12:25:04 q+ 12:25:32 ... the canonical form just make signing more robust but with the current proposal is orthogonal to signing. 12:26:31 mc: about algorithm I would use something based on JWS 12:26:33 ack cit 12:26:55 ... we should pickone 12:27:22 12:27:55 s/a al/an al/ 12:27:58 mc: I am think a single chain 12:28:11 s/think/thinking/ 12:28:15 rrsagent, draft minutes 12:28:15 I have made the request to generate https://www.w3.org/2021/05/03-wot-sec-minutes.html kaz 12:28:37 philipp: you could make an hash tree, signature every property 12:29:06 ... so you could check which affordance has changed 12:29:18 mc: I am not sure how it's different from a single chain 12:31:06 oliver: are we looking at json web signature? 12:31:08 mc: yes 12:31:20 oliver: there's also xml signature 12:31:30 ... it has some flexible feature 12:32:02 mc: yeah JWS is very simple 12:32:56 oliver: I think the signature format we have xml signature or COSE signature 12:33:43 s/ I think the signature format we have xml signature or COSE signature/ We have different options for signature formats: JSON, XML and COSE/ 12:33:55 mc: I think we should go for a concrete proposal 12:35:12 mccool writing a proposal in 940 12:36:52 mc: with the proposal we could keep track of the used vocabularies and sign metadata 12:37:14 zkis2 has joined #wot-sec 12:37:39 ... furthermore we could create a chain of different signing pass (e.g., td<- thing description directory) 12:38:20 cris: in context are we using urls or just prefixes? 12:38:29 mc: good point 12:38:47 ... the TD would have prefixes and it might be safe 12:39:18 ... rdf database preserve prefixes 12:39:30 s/database/databases/ 12:39:43 ... we could have both 12:40:12 q+ 12:40:52 mc: then we can have another simpler method 12:41:36 ... the signing order is give by the appearance in the list. 12:43:28 ... this second proposal is similar to ld-proof 12:44:47 oliver: I think it is a good proposal considering that jws is lacking feature that we need (like signing pieces of information) 12:45:51 ... in xml signature first you hash each object and then you sign over the hashes. It's one document - one hash - than hashes with signatures 12:46:28 mc: we could use json pointers but data may move and it's not robust 12:48:58 ... so the xml strategy is to have a manifest with parts and then sign each part 12:49:00 oliver: right 12:49:09 mc: we could do the same in the proposal 12:50:28 q+ to ping for minutes review 12:51:29 philipp: your proposal embeds the signature inside the TD, there might be usecases where the signature is pointing to a TD or part of it 12:51:55 mc: if the signatures are named is simply to refer it 12:52:13 ... but with pointers we could use array indexes 12:52:33 ack cit 12:52:38 ... however it might be a problem cause indices might chages 12:52:56 philipp: I was thinking about putting the signature on a chain 12:53:02 ... and pointing back to a TD 12:54:09 mc: I noted down the point, plus how this would relate wiht DID? 12:54:30 s/wiht/to/ 12:54:44 s/DID?/DID and VC?/ 12:55:22 ack k 12:55:22 kaz, you wanted to ping for minutes review 12:55:31 topic: minutes review 12:55:34 -> https://www.w3.org/2021/04/12-wot-sec-minutes.html Apr-12 12:55:43 -> https://www.w3.org/2021/04/19-wot-sec-minutes.html Apr-19 12:56:24 mc: there's a typo in the title is canonicalization 12:56:48 ... I don't understand one line attributed to me, please delete it 13:00:51 ... are we ok with these minutes? 13:02:07 ... ok minutes approved 13:02:23 mc: adjourned 13:02:29 [Apr-19 minutes approve; Apr-12 ones to be reviewed next week] 13:02:34 [adjourned] 13:02:39 rrsagent, draft minutes 13:02:39 I have made the request to generate https://www.w3.org/2021/05/03-wot-sec-minutes.html kaz 13:35:09 Mizushima has left #wot-sec 14:03:17 zkis has joined #wot-sec 15:02:37 Zakim has left #wot-sec 15:46:53 zkis2 has joined #wot-sec