12:03:33 <RRSAgent> RRSAgent has joined #wot-sec
12:03:33 <RRSAgent> logging to https://www.w3.org/2022/03/28-wot-sec-irc
12:03:57 <kaz> meeting: WoT Security
12:04:09 <kaz> chair: McCool
12:04:21 <kaz> present+ Kaz_Ashimura, Michael_McCool, Jan_Romann
12:06:14 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#28_March_2022
12:06:54 <kaz> present+ Jiye_Park
12:07:43 <jiye> jiye has joined #wot-sec
12:08:39 <kaz> present+ Tomoaki_Mizushima
12:08:58 <JKRhb> scribenick: JKRhb
12:09:19 <JKRhb> topic: Previous Minutes
12:10:40 <JKRhb> mm: (Reviews the previous minutes)
12:11:58 <JKRhb> ... I don't see any problems with the minutes, apart from one formulation with regard to the structure of the new AutoSecurityScheme in relation to the NoSecurityScheme
12:12:06 <JKRhb> ... apart from that, any objections?
12:12:29 <JKRhb> There are none, kaz fixes the issue and publishes the minutes
12:13:06 <kaz> present+ Tomoaki_Mizushima
12:14:06 <JKRhb> topic: PRs
12:15:03 <JKRhb> subtopic: TD PR 1421
12:15:52 <JKRhb> mm: There was a sentence indicating that Consumers should prompt users for credentials which is also true for other Schemes, therefore it should be removed
12:15:57 <JKRhb> jr: I just removed it
12:17:35 <JKRhb> JKRhb has joined #wot-sec
12:17:39 <JKRhb> mm: I was thinking about Security Considerations in this context
12:18:06 <JKRhb> ... related to vulnerability scanning
12:18:46 <JKRhb> ... (it seems if it this not in the document, yet)
12:19:25 <JKRhb> ... the AutoSecurityScheme could be a mitigation for vulnerabilities in this regard
12:19:59 <JKRhb> ... change is technically normative, but it should be trivial to implement as HTTP is already negotiating security
12:20:14 <zkis> zkis has joined #wot-sec
12:20:38 <JKRhb> ... PR should be merged in the TD call on wednesday
12:20:52 <JKRhb> subtopic: Discovery PR 287
12:21:20 <JKRhb> Was merged, there was a comment by Philipp that hasn't been resolved, yet, he should create an issue for that
12:21:41 <JKRhb> subtopic: Discovery PR 286
12:22:09 <JKRhb> mm: PR differentiates between DoS and DDoS attacks
12:22:19 <JKRhb> ... also considers amplification attacks
12:22:37 <JKRhb> ... (shows the current state of the rendered document)
12:22:53 <JKRhb> ... hope we will discuss this PR in the Discovery call
12:23:26 <JKRhb> ... maybe Jiye can review it, then we can merge it the Discovery call
12:23:50 <JKRhb> mm: PR deals with application attacks, especially in the context of CoAP
12:24:07 <JKRhb> ... were discussed in a IETF call
12:24:24 <kaz> i|PR differentiates|-> https://github.com/w3c/wot-discovery/pull/286 PR 286 - Add Amplification DDOS Security Consideration and Mitigations|
12:24:38 <JKRhb> ... advice is disabling Observe and Multicast in discovery
12:24:57 <kaz> i|Was merged|-> https://github.com/w3c/wot-discovery/pull/287 PR 287 - Cleanup of Security Considerations|
12:25:04 <JKRhb> ... annoying as Multicast can be useful
12:25:32 <JKRhb> ... Multicast is currently only used by CoRE RD and DID
12:27:52 <JKRhb> mm: Sending a multicast GET request to .well-known is technically an exploration mechanism, requires authentication
12:28:03 <JKRhb> ... might also concern HTTP
12:28:59 <JKRhb> jp: I will review the PR
12:29:13 <JKRhb> mm: I might be able to defer by one week
12:29:31 <JKRhb> subtopic: TD PR 1428
12:29:55 <kaz> i|There was a sentence|-> https://github.com/w3c/wot-thing-description/pull/1421 PR 1421 - feat: Add AutoSecurityScheme|
12:30:18 <JKRhb> mm: Very large PR, moves all normative security considerations to the Security Considerations section
12:30:24 <kaz> -> https://github.com/w3c/wot-thing-description/pull/1428 PR 1428 - Cleanup Security, Privacy, and IANA Considerations
12:31:17 <JKRhb> ... another issue that broke the diff was that the Thing Model was inbetween Security and Privacy Considerations
12:31:49 <JKRhb> ... also, some rewording was required due to conflicting or contradicting assertions
12:32:52 <JKRhb> ... an example is caching behavior.
12:34:11 <JKRhb> ... a number of assertions regarding, for example, the expansion of JSON-LD or the execution of JavaScript code using eval() were added
12:34:43 <JKRhb> ... please review, I would like to merge it soon, technically the assertions should also be tested
12:35:50 <JKRhb> jr: I already left a couple of review comments
12:37:01 <JKRhb> mm: (goes over the comments)
12:39:02 <JKRhb> s/(goes over the comments)/(goes over the review and adds comments)/
12:45:02 <JKRhb> mm: Seems like a bit of work, but should be able to get done by wednesday
12:46:19 <JKRhb> jr: maybe the section reordering can be done in another PR
12:46:28 <JKRhb> mm: Yeah, would clean up the diffs
12:47:53 <JKRhb> topic: Security Testing Plan
12:48:26 <JKRhb> mm: Would be great if Jiye could have a look on it
12:51:51 <JKRhb> mm: (Edits the testing_2022.md file in the wot-testing repository and adds a link to the WoT Security Testing Guidelines)
12:54:02 <JKRhb> topic: Issues
12:54:26 <JKRhb> subtopic: WoT Architecture Issue 726
12:54:51 <JKRhb> mm: Security and Privacy Considerations overlap with other documents
12:55:08 <JKRhb> ... Architecture document contains subsections for each document
12:55:19 <JKRhb> ... Discovery is not mentioned at all
12:55:26 <JKRhb> ... need to avoid duplication
12:55:53 <JKRhb> ... added a Trusted Environment Risks section, needs to be revisited
12:56:21 <JKRhb> ... issue of missing Discovery section was also raised by Michael Legally
12:56:28 <JKRhb> ... will make a PR addressing this
12:56:41 <JKRhb> ... in the meantime, feel free to add comments to the issue
12:57:19 <kaz> i|Security and P|-> https://github.com/w3c/wot-architecture/issues/726 wot-architecture Issue 726 - Review and Update Security and Privacy Considerations|
12:57:21 <JKRhb> topic: Normative Security and Privacy Considerations
12:57:36 <JKRhb> mm: Should we make the considerations normative in all documents?
12:57:44 <JKRhb> jp: If we can, why not?
12:58:07 <JKRhb> mm: I agree, is also a bit annoying to avoid using assertions in formulations
12:58:23 <JKRhb> ... will upgrade such statements to assertions
12:58:57 <JKRhb> ... (opens an issue related to this in the Discovery Repository)
12:59:43 <JKRhb> -> https://github.com/w3c/wot-discovery/issues/293
13:01:18 <kaz> s/293/293 wot-discovery 293 - Upgrade Security and Privacy Considerations to Normative Sections/
13:01:19 <JKRhb> jr: Should we make a resolution of this?
13:01:24 <kaz> rrsagent, mae log public
13:01:24 <RRSAgent> I'm logging. I don't understand 'mae log public', kaz.  Try /msg RRSAgent help
13:01:26 <JKRhb> mm: We will do that next time
13:01:28 <kaz> rrsagent, draft minutes
13:01:28 <RRSAgent> I have made the request to generate https://www.w3.org/2022/03/28-wot-sec-minutes.html kaz
13:02:23 <JKRhb> rrsagent, make log public
13:03:12 <kaz> ]
13:03:16 <kaz> s/]//
13:03:24 <kaz> [adjourned]
13:03:28 <kaz> rrsagent, draft minutes
13:03:28 <RRSAgent> I have made the request to generate https://www.w3.org/2022/03/28-wot-sec-minutes.html kaz
13:04:14 <sebastia_> sebastia_ has joined #wot-sec
14:00:12 <Mizushima> Mizushima has left #wot-sec
14:42:54 <Zakim> Zakim has left #wot-sec