IRC log of wot-sec on 2023-04-03
Timestamps are in UTC.
- 12:01:59 [RRSAgent]
- RRSAgent has joined #wot-sec
- 12:02:03 [RRSAgent]
- logging to https://www.w3.org/2023/04/03-wot-sec-irc
- 12:02:12 [kaz]
- meeting: WoT Security
- 12:05:29 [Jiye]
- Jiye has joined #wot-sec
- 12:06:47 [luca_barbato]
- scribenick: luca_barbato
- 12:06:49 [JKRhb]
- JKRhb has joined #wot-sec
- 12:09:10 [luca_barbato]
- topic: Review Minutes
- 12:09:26 [luca_barbato]
- mm: Some typos to address
- 12:09:34 [McCool_]
- regarding minutes, a few typos
- 12:10:22 [kaz]
- chair: McCool
- 12:10:52 [kaz]
- present+ Kaz_Ashimura, Michael_McCool, Jan_Romann, Jiye_Park, Luca_Barbato, Tomoaki_Mizushima
- 12:12:37 [McCool_]
- "chater" -> "charter", "sigining" -> "signing", "tls" -> "TLS", then in discussion of "onboarding" I did respond to Kaz saying that I felt we should get started on discussing some of the detailed work planning, but that yes, onboarding does not directly impact the charter
- 12:13:36 [JKRhb]
- rrsagent, draft minutes
- 12:13:38 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html JKRhb
- 12:16:56 [luca_barbato]
- mm: Consensus on the previous minutes edited?
- 12:17:09 [luca_barbato]
- mm: Published
- 12:17:36 [kaz]
- rrsagent, make log public
- 12:17:39 [kaz]
- rrsagent, draft minutes
- 12:17:40 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
- 12:18:11 [luca_barbato]
- topic: Review Architecture Assertion Presentation
- 12:19:00 [McCool_]
- https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network
- 12:19:09 [McCool_]
- https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13
- 12:19:19 [luca_barbato]
- mm: This assertion is at risk but also easy to implement
- 12:19:30 [kaz]
- s|https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13|-> https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13 Slides on Architecture|
- 12:19:44 [kaz]
- s|https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network||
- 12:19:45 [luca_barbato]
- mm: How can we test this assertion?
- 12:20:04 [kaz]
- i|This ass|-> https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network arch-security-consideration-segmented-network|
- 12:21:17 [luca_barbato]
- mm: Access to trust environment means access to all the devices
- 12:22:12 [kaz]
- agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#3_April_2023
- 12:22:53 [luca_barbato]
- mm: The assertion is about the whole system, since it is in architecture
- 12:23:16 [luca_barbato]
- jiye: So it applies to the deployer, not the single device
- 12:23:59 [luca_barbato]
- jiye: The question was about if the device has to be aware it is in a specific segment
- 12:24:15 [luca_barbato]
- jiye: How do we check it is implemented
- 12:24:18 [luca_barbato]
- q+
- 12:24:37 [luca_barbato]
- mm: In this case the deployer has to confirm
- 12:24:48 [luca_barbato]
- jiye: Then it should not be at risk
- 12:25:10 [kaz]
- q+
- 12:26:18 [luca_barbato]
- jiye: Would be a good idea to write down a comment in the document
- 12:27:13 [luca_barbato]
- jan: Would be a good idea to move this to the best practice section?
- 12:28:51 [luca_barbato]
- mm: The assertions are about the bare minimum for security
- 12:29:11 [luca_barbato]
- .. e.g. guest network vs iot network in a hotel deployment
- 12:29:20 [kaz]
- q?
- 12:31:42 [kaz]
- ack l
- 12:32:12 [luca_barbato]
- kaz: I agree with Jan and Luca, but technically we should, but we cannot do that today
- 12:32:37 [luca_barbato]
- .. this assertion is not a requirement for the architecture itself
- 12:32:57 [luca_barbato]
- q+
- 12:33:05 [kaz]
- ack k
- 12:33:11 [luca_barbato]
- .. those assertions are SHOULD
- 12:33:25 [luca_barbato]
- .. and they are useful to point to best practices
- 12:33:49 [luca_barbato]
- mm: This section could be downgraded to informative later
- 12:35:03 [luca_barbato]
- kaz: if we do not have implementations, we can move them to informative
- 12:35:43 [luca_barbato]
- .. we can make an editor's note for those best practices
- 12:36:05 [luca_barbato]
- mm: As long as it is not already included in another section
- 12:37:18 [kaz]
- ack k
- 12:37:44 [luca_barbato]
- subtopic: Using PSK
- 12:37:45 [McCool_]
- https://w3c.github.io/wot-architecture#arch-security-consideration-use-psk
- 12:38:54 [luca_barbato]
- mm: Certificates are one way to share pre-shared keys
- 12:38:58 [kaz]
- rrsagent, draft minutes
- 12:38:59 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
- 12:39:05 [luca_barbato]
- .. there are other ways to share them
- 12:39:43 [luca_barbato]
- mm: We can add a sentence to say that it is not required to use TLS-PSK.
- 12:40:36 [luca_barbato]
- jiye: Browsers cannot use PSK, if we want to support browsers we have to allow other systems
- 12:41:21 [luca_barbato]
- mm: <Issue created about it>
- 12:41:24 [kaz]
- i|arch-security-consideration-segmented-network|subtopic: Segmented network|
- 12:41:26 [kaz]
- rrsagent, draft minutes
- 12:41:27 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
- 12:42:28 [luca_barbato]
- mm: Reword to use Certificate instead of pre-shared-key
- 12:48:24 [McCool_]
- https://github.com/w3c/wot-architecture/issues/900
- 12:48:30 [luca_barbato]
- subtopic: Communication Platform
- 12:48:51 [McCool_]
- https://w3c.github.io/wot-architecture#arch-security-consideration-communication-platform
- 12:49:27 [luca_barbato]
- jiye: Ege is not clear on what this assertion is about and I wrote my understanding of it
- 12:49:54 [luca_barbato]
- mm: it boils down to the definition of Platform
- 12:51:15 [luca_barbato]
- .. a weaker bridge cannot be created if the bridged ecosystem requires the same level of security (e.g. OCF)
- 12:53:03 [luca_barbato]
- q+
- 12:54:06 [luca_barbato]
- lb: This is a specification of the basic compatibility requirement
- 12:56:26 [luca_barbato]
- lb: How to test it though?
- 12:57:41 [luca_barbato]
- mm: The test would be about the "bridge" more than about the TD; if the "bridge" is compliant, then the TD only has to faithfully describe it
- 13:02:58 [kaz]
- q+
- 13:03:01 [kaz]
- ack l
- 13:04:09 [kaz]
- ack k
- 13:04:19 [luca_barbato]
- kaz: we can open an issue to clarify further
- 13:06:14 [kaz]
- s/clarify further/clarify the relationship between "IoT Ecosystem" and "IoT Platform" here./
- 13:06:18 [kaz]
- [adjourned]
- 13:06:22 [kaz]
- rrsagent, draft minutes
- 13:06:23 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
- 13:35:56 [kaz]
- kaz has joined #wot-sec
- 15:06:40 [Zakim]
- Zakim has left #wot-sec