IRC log of wot-sec on 2023-04-03

Timestamps are in UTC.

12:01:59 [RRSAgent]
RRSAgent has joined #wot-sec
12:02:03 [RRSAgent]
logging to https://www.w3.org/2023/04/03-wot-sec-irc
12:02:12 [kaz]
meeting: WoT Security
12:05:29 [Jiye]
Jiye has joined #wot-sec
12:06:47 [luca_barbato]
scribenick: luca_barbato
12:06:49 [JKRhb]
JKRhb has joined #wot-sec
12:09:10 [luca_barbato]
topic: Review Minutes
12:09:26 [luca_barbato]
mm: Some typos to address
12:09:34 [McCool_]
regarding minutes, a few typos
12:10:22 [kaz]
chair: McCool
12:10:52 [kaz]
present+ Kaz_Ashimura, Michael_McCool, Jan_Romann, Jiye_Park, Luca_Barbato, Tomoaki_Mizushima
12:12:37 [McCool_]
"chater" -> "charter", "sigining" -> "signing", "tls" -> "TLS", then in discussion of "onboarding" I did respond to Kaz saying that I felt we should get started on discussing some of the detailed work planning, but that yes, onboarding does not directly impact the charter
12:13:36 [JKRhb]
rrsagent, draft minutes
12:13:38 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html JKRhb
12:16:56 [luca_barbato]
mm: Consensus on the previous minutes edited?
12:17:09 [luca_barbato]
mm: Published
12:17:36 [kaz]
rrsagent, make log public
12:17:39 [kaz]
rrsagent, draft minutes
12:17:40 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
12:18:11 [luca_barbato]
topic: Review Architecture Assertion Presentation
12:19:00 [McCool_]
https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network
12:19:09 [McCool_]
https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13
12:19:19 [luca_barbato]
mm: This assertion is at risk but also easy to implement
12:19:30 [kaz]
s|https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13|-> https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13 Slides on Architecture|
12:19:44 [kaz]
s|https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network||
12:19:45 [luca_barbato]
mm: How can we test this assertion?
12:20:04 [kaz]
i|This ass|-> https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network arch-security-consideration-segmented-network|
12:21:17 [luca_barbato]
mm: Access to trust environment means access to all the devices
12:22:12 [kaz]
agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#3_April_2023
12:22:53 [luca_barbato]
mm: The assertion is about the whole system, since it is in architecture
12:23:16 [luca_barbato]
jiye: So it applies to the deployer, not the single device
12:23:59 [luca_barbato]
jiye: The question was about if the device has to be aware it is in a specific segment
12:24:15 [luca_barbato]
jiye: How do we check it is implemented
12:24:18 [luca_barbato]
q+
12:24:37 [luca_barbato]
mm: In this case it is the deployer who has to confirm
12:24:48 [luca_barbato]
jiye: Then it should not be at risk
12:25:10 [kaz]
q+
12:26:18 [luca_barbato]
jiye: Would be a good idea to write down a comment in the document
12:27:13 [luca_barbato]
jan: Would be a good idea to move this to the best practice section?
12:28:51 [luca_barbato]
mm: The assertions are about the bare minimum for security
12:29:11 [luca_barbato]
.. e.g. guest network vs IoT network in a hotel deployment
12:29:20 [kaz]
q?
12:31:42 [kaz]
ack l
12:32:12 [luca_barbato]
kaz: I agree with Jan and Luca, but technically we should, but we cannot do that today
12:32:37 [luca_barbato]
.. this assertion is not a requirement for the architecture itself
12:32:57 [luca_barbato]
q+
12:33:05 [kaz]
ack k
12:33:11 [luca_barbato]
.. those assertions are SHOULD
12:33:25 [luca_barbato]
.. and they are useful to point to best practices
12:33:49 [luca_barbato]
mm: This section could be downgraded to informative later
12:35:03 [luca_barbato]
kaz: if we do not have implementations, we can move them to informative
12:35:43 [luca_barbato]
.. we can make an editor's note for those best practices
12:36:05 [luca_barbato]
mm: As long as it is not already included in another section
12:37:18 [kaz]
ack k
12:37:44 [luca_barbato]
subtopic: Using PSK
12:37:45 [McCool_]
https://w3c.github.io/wot-architecture#arch-security-consideration-use-psk
12:38:54 [luca_barbato]
mm: Certificates are one way to share pre-shared keys
12:38:58 [kaz]
rrsagent, draft minutes
12:38:59 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
12:39:05 [luca_barbato]
.. there are other ways to share them
12:39:43 [luca_barbato]
mm: We can add a sentence to say that it is not required to use TLS-PSK.
12:40:36 [luca_barbato]
jiye: Browsers cannot use PSK, if we want to support browsers we have to allow other systems
12:41:21 [luca_barbato]
mm: <Issue created about it>
12:41:24 [kaz]
i|arch-security-consideration-segmented-network|subtopic: Segmented network|
12:41:26 [kaz]
rrsagent, draft minutes
12:41:27 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
12:42:28 [luca_barbato]
mm: Reword to use Certificate instead of pre-shared-key
12:48:24 [McCool_]
https://github.com/w3c/wot-architecture/issues/900
12:48:30 [luca_barbato]
subtopic: Communication Platform
12:48:51 [McCool_]
https://w3c.github.io/wot-architecture#arch-security-consideration-communication-platform
12:49:27 [luca_barbato]
jiye: Ege is not clear on what this assertion is about and I wrote my understanding of it
12:49:54 [luca_barbato]
mm: it boils down to the definition of Platform
12:51:15 [luca_barbato]
.. a weaker bridge cannot be created if the bridged ecosystem requires the same level of security (e.g. OCF)
12:53:03 [luca_barbato]
q+
12:54:06 [luca_barbato]
lb: This is a specification of the basic compatibility requirement
12:56:26 [luca_barbato]
lb: How to test it though?
12:57:41 [luca_barbato]
mm: The test would be about the "bridge" more than about the TD; if the "bridge" is compliant, then the TD only has to faithfully describe it
13:02:58 [kaz]
q+
13:03:01 [kaz]
ack l
13:04:09 [kaz]
ack k
13:04:19 [luca_barbato]
kaz: we can open an issue to clarify further
13:06:14 [kaz]
s/clarify further/clarify the relationship between "IoT Ecosystem" and "IoT Platform" here./
13:06:18 [kaz]
[adjourned]
13:06:22 [kaz]
rrsagent, draft minutes
13:06:23 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
13:35:56 [kaz]
kaz has joined #wot-sec
15:06:40 [Zakim]
Zakim has left #wot-sec