12:04:06 RRSAgent has joined #wot-sec
12:04:06 logging to https://www.w3.org/2022/08/22-wot-sec-irc
12:04:15 meeting: WoT Security
12:04:48 present+ Kaz_Ashimura, Michael_McCool, Jiye_Park
12:05:11 agenda: https://www.w3.org/WoT/IG/wiki/WG_WoT_Discovery_WebConf#27_June_2022
12:05:37 s|agenda: https://www.w3.org/WoT/IG/wiki/WG_WoT_Discovery_WebConf#27_June_2022||
12:07:54 present+ Tomoaki_Mizushima
12:09:00 citrullin has joined #wot-sec
12:09:33 I can do it
12:09:43 My microphone is broken, I know...
12:10:15 McCool has joined #wot-sec
12:10:31 @McCool I can do it. My microphone is just broken.
12:10:43 topic: Minutes
12:10:47 scribenick: citrullin
12:11:19 mm: Can we use Zoom instead of WebEx?
12:11:40 mm: I would like to use Zoom for next week. Kaz, can you look into it?
12:12:01 kaz: Siemens had some issues with Zoom, that's what why we use WebEx for now.
12:12:13 s/what why/why/
12:12:14 mm: Let's just discuss it in the main call.
12:13:28 s/Siemens/I can provide a Zoom call if needed. However, Siemens and some other participants/
12:13:28 Minutes -> https://www.w3.org/2022/08/08-wot-sec-minutes.html
12:13:55 mm: Any objections to the minutes? No objections.
12:14:57 topic: policy-like security and privacy assertions
12:15:08 WIP: Adjust policy-like security and privacy assertions -> https://github.com/w3c/wot-architecture/issues/824
12:15:49 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#22_August_2022
12:19:22 kaz: There are several options here. We have to clarify what assertion has to be covered and what not.
12:20:00 mm: There are things you can test well and there are things like this that are not testable.
12:21:28 Some discussion between kaz and mm about different scripting API implementations.
12:22:19 and how to organize the testing/not-testing/manual-assertions
12:26:27 s/different scripting api implementations/how to handle the assertions marked by the RFC2119 keywords within the WoT Architecture spec/
12:27:22 -> https://w3c.github.io/wot-architecture/#sec-security-consideration-device-direct-access WoT Architecture - Section 10.2.2 Physical Device Direct Access Risk as an example which includes RFC 2119 keywords
12:29:45 mm: I don't want to do major restructuring here. So, my conclusion is that these are manually testable. So we could keep them.
12:30:32 mm changes description of #824 -> https://github.com/w3c/wot-architecture/issues/824
12:34:06 mm: The security credential storage part isn't well defined. "Securely stored" can be interpreted in different ways. There is also a non-capitalized assumption.
12:34:26 mm: 10.3.2 needs some work.
12:37:00 mm: Except for those points, the other things should be verifiable.
12:37:27 mm: We probably have to mark it at risk anyway.
12:39:30 mm: If we have a private network with more than 2 devices, it's not limited. mTLS would be great in those situations. Pre-shared keys also work.
12:41:58 mm: 10.4 should not be a problem to test.
12:43:41 mm: I am wondering if we have overlaps in the assumptions.
12:46:50 mm changes the description of #824
12:48:51 mm: We may have to remove 11.1.1, because it is, more or less, duplicated.
12:50:43 mm: If we use a WoT directory to hold the TDs, WoT TD has features like access control etc. in order to stop unauthorized access.
12:51:33 mm: Discovery is designed to cover these topics.
12:52:17 mm: I am fine with leaving it in though, and it is testable.
12:54:09 mm: 11.2 overlaps a little with the previous assertions. It's testable.
12:55:18 mm: 11.2 may conflict with some assertions in the TD. Some assertions may be softer in the TD.
12:55:32 mm: I am going to double check if this is the case.
12:59:53 [adjourned]
13:00:04 rrsagent, make log public
13:00:09 rrsagent, draft minutes
13:00:09 I have made the request to generate https://www.w3.org/2022/08/22-wot-sec-minutes.html kaz
14:35:12 Zakim has left #wot-sec