11:57:45 <RRSAgent> RRSAgent has joined #wot-sec
11:57:45 <RRSAgent> logging to https://www.w3.org/2022/04/11-wot-sec-irc
12:01:33 <kaz> present+ Kaz_Ashimura, Michael_McCool, Philipp_Blum
12:01:46 <kaz> present+ Jan_Romann
12:01:52 <kaz> chair: McCool
12:02:36 <JKRhb> JKRhb has joined #wot-sec
12:02:40 <Mizushima> Mizushima has joined #wot-sec
12:04:36 <McCool> McCool has joined #wot-sec
12:05:23 <kaz> present+ Tomoaki_Mizushima
12:06:00 <JKRhb> https://github.com/w3c/wot-security-best-practices/pull/32
12:06:16 <jiye> jiye has joined #wot-sec
12:06:37 <citrullin> topic: Minutes
12:07:18 <kaz> scribenick: citrullin
12:07:29 <kaz> present+ Jiye_Park
12:10:23 <citrullin> mm: Any objections to publish the minutes?
12:10:31 <citrullin> ... no objections
12:10:59 <citrullin> topic: S&P Considerations
12:11:25 <citrullin> mm: There are two PRs open. One in architecture and one in discovery. Hopefully in an hour we can get it merged.
12:11:35 <kaz> i|Any ob|-> https://www.w3.org/2022/04/04-wot-sec-minutes.html Apr-4|
12:11:45 <citrullin> subtopic: Architecture S&P Considerations
12:12:16 <citrullin> PR 743 -> https://github.com/w3c/wot-architecture/pull/734
12:13:06 <citrullin> mm: I need to think about it more and reorganize things.
12:13:15 <kaz> rrsagent, make log public
12:13:19 <kaz> rrsagent, draft minutes
12:13:19 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/11-wot-sec-minutes.html kaz
12:13:29 <McCool> https://github.com/w3c/wot-architecture/issues/726
12:13:50 <McCool> https://github.com/w3c/wot-architecture/pull/734
12:14:27 <citrullin> mm: I made security considerations normative.
12:14:30 <kaz> s/https/-> https/
12:14:38 <citrullin> ... privacy was also made normative.
12:14:55 <kaz> s/734/734 wot-architecture PR 734 - Make Security and Privacy Considerations Normative/
12:15:46 <kaz> s|https://github.com/w3c/wot-architecture/issues/726|-> https://github.com/w3c/wot-architecture/issues/726 wot-architecture Issue 726 - Review and Update Security and Privacy Considerations|
12:17:34 <citrullin> mm: I noticed the definiton of private security included keys. We should talk about that.
12:19:14 <citrullin> mm: The original text mixed the midigation with the problem statement. We should fix that. A little more work on that.
12:20:36 <citrullin> mm: WoT Scripting has the problem statement, but no mitigation.
12:20:59 <citrullin> s/midigation/mitigation/
12:21:04 <JKRhb> q+
12:21:11 <JKRhb> q-
12:21:31 <kaz> -> https://pr-preview.s3.amazonaws.com/w3c/wot-architecture/734/7da670c...mmccool:18c46db.html#sec-security-consideration-td-cm preview - 10.1.2 Thing Description Communication Metadata Risk
12:22:04 <citrullin> mm: I need to work more on this. Asking for review and we can discuss this next week.
12:24:48 <citrullin> jr: Scripting is mentioned, but it isn't normative. Is that a problem?
12:25:18 <citrullin> mm: I thought about this as well. It shouldn't be about scripts, instead we should use code.
12:25:37 <citrullin> mm added a comment -> https://github.com/w3c/wot-architecture/pull/734#issuecomment-1094985346
12:26:09 <citrullin> ... we should generalize this. It should be applied to any code on the device.
12:26:17 <citrullin> s/.../mm:/
12:27:48 <citrullin> mm: If there is an additional consideration we need to add, we can do that. But maybe in a second PR.
12:28:47 <citrullin> subtopic: Discovery S&P Considerations
12:29:07 <citrullin> PR 295 -> https://github.com/w3c/wot-discovery/pull/295
12:29:28 <kaz> s/PR 295 //
12:29:48 <citrullin> mm: I haven't added Philipps point yet.
12:29:54 <kaz> s/295/295 wot-discovery PR 295 - Make Security and Privacy Considerations Normative/
12:29:56 <kaz> rrsagent, make log public
12:30:00 <kaz> rrsagent, draft minutes
12:30:00 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/11-wot-sec-minutes.html kaz
12:30:08 <citrullin> pb: I am not sure if that is fixed yet. I haven't looked too deep into the RFC.
12:33:04 <citrullin> mm adds a comment to PR 295 -> https://github.com/w3c/wot-discovery/pull/295#issuecomment-1094993460
12:34:00 <JKRhb> https://datatracker.ietf.org/doc/html/rfc9000#section-8
12:34:02 <citrullin> mm: The Amplification DDOS only applies to open networks. This isn't clearly defined yet.
12:35:27 <citrullin> s/https:/ RFC 9000 QUIC Address Validation ->https:/
12:39:01 <citrullin> mm: I can use a TLS connection to get a public key and establish a secure local connection.
12:39:15 <kaz> rrsagent, draft minutes
12:39:15 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/11-wot-sec-minutes.html kaz
12:39:18 <citrullin> pb: This sounds like there should be already an existing solution, or even standard.
12:39:27 <citrullin> mm: Yes, exactly. I have to take a look into this.
12:43:06 <kaz> -> https://pr-preview.s3.amazonaws.com/w3c/wot-discovery/295/12e8d17...mmccool:6e15dcd.html#security-considerations McCool goes through the section "8. Security Considerations" from the preview
12:43:07 <citrullin> mm: I have thought about mentioning OpenID for the auth.
12:43:49 <citrullin> mm: If you have any comments, please add them to the PR.
12:44:14 <citrullin> Update terms and references in Object Security section 32 -> https://github.com/w3c/wot-security-best-practices/pull/32
12:44:50 <citrullin> jr: It's a minor PR. I just removed OSCORE, since it doesn't exist anymore. Removed also some unused references.
12:45:25 <citrullin> mm: I would like to get it in a better shape and publish it as a group note.
12:46:39 <citrullin> mm: Any objections to merge this PR?
12:46:51 <citrullin> ... no objections.
12:47:58 <citrullin> topic: Home Assistant
12:48:40 <citrullin> mm: I have played around with Home Assistant. Trying to convince them to add TDs for the devices they support.
12:49:55 <citrullin> mm: They use bearer token, but no TLS.
12:50:45 <citrullin> mm: I want to fetch the data from their API and give out a TD.
12:51:01 <kaz> i|I have|-> https://developers.home-assistant.io/docs/api/rest/ Home Assistant REST API
12:52:58 <kaz> q+
12:53:39 <JKRhb> q+
12:54:18 <kaz> -> https://en.wikipedia.org/wiki/Matter_(standard) Matter (formally CHIP)
12:54:22 <kaz> ack k
12:54:25 <citrullin> kaz: Home Assistant reminds me of matter. Maybe we can look into recent aproaches.
12:55:32 <kaz> s/approaches/approaches including these guys (=Smart Assitant, Matter, etc.)/
12:55:56 <kaz> s/Smart Asstant/Home Assistant/
12:56:45 <citrullin> jr: Is there an internal format which could be converted to TD?
12:57:01 <citrullin> mm: Not really. It uses a ingress db internally.
12:57:53 <citrullin> pb: Couldn't you add some plugin, read the db and expose a TD?
12:58:28 <citrullin> mm: Yes, they have this and you could. The internal API isn't documented well. So, I have to reverse engineer it.
13:00:12 <citrullin> jr: In the context of Zigbee. There is this project Zigbee to MQTT. You can plug in into HomeAssistant.
13:00:59 <citrullin> mm: Let's pick up this discussion in another meeting. We should close the meeting.
13:01:10 <kaz> [adjourned]
13:01:16 <kaz> rrsagent, draft minutes
13:01:16 <RRSAgent> I have made the request to generate https://www.w3.org/2022/04/11-wot-sec-minutes.html kaz
15:00:03 <Zakim> Zakim has left #wot-sec