12:01:59 RRSAgent has joined #wot-sec
12:02:03 logging to https://www.w3.org/2023/04/03-wot-sec-irc
12:02:12 meeting: WoT Security
12:05:29 Jiye has joined #wot-sec
12:06:47 scribenick: luca_barbato
12:06:49 JKRhb has joined #wot-sec
12:09:10 topic: Review Minutes
12:09:26 mm: Some typos to address
12:09:34 regarding minutes, a few typos
12:10:22 chair: McCool
12:10:52 present+ Kaz_Ashimura, Michael_McCool, Jan_Romann, Jiye_Park, Luca_Barbato, Tomoaki_Mizushima
12:12:37 "chater" -> "charter", "sigining" -> "signing", "tls" -> "TLS", then in discussion of "onboarding" I did respond to Kaz saying that I felt we should get started on discussing some of the detailed work planning, but that yes, onboarding does not directly impact the charter
12:13:36 rrsagent, draft minutes
12:13:38 I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html JKRhb
12:16:56 mm: Consensus on the previous minutes edited?
12:17:09 mm: Published
12:17:36 rrsagent, make log public
12:17:39 rrsagent, draft minutes
12:17:40 I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
12:18:11 topic: Review Architecture Assertion Presentation
12:19:00 https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network
12:19:09 https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13
12:19:19 mm: This assertion is at risk but also easy to implement
12:19:30 s|https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13|-> https://docs.google.com/presentation/d/16Ow5rPjnojdl693pqkOhoc5bNCBIMOYZvJQC9wHZGsk/edit#slide=id.g220e7fd12a6_0_13 Slides on Architecture|
12:19:44 s|https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network||
12:19:45 mm: How can we test this assertion?
12:20:04 i|This ass|-> https://w3c.github.io/wot-architecture#arch-security-consideration-segmented-network arch-security-consideration-segmented-network|
12:21:17 mm: Access to trust environment means access to all the devices
12:22:12 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#3_April_2023
12:22:53 mm: The assertion is about the whole system, since it is in architecture
12:23:16 jiye: So it applies to the deployer, not the single device
12:23:59 jiye: The question was about if the device has to be aware it is in a specific segment
12:24:15 jiye: How do we check it is implemented
12:24:18 q+
12:24:37 mm: In this case the deployer has to confirm
12:24:48 jiye: Then it should not be at risk
12:25:10 q+
12:26:18 jiye: Would be a good idea to write down a comment in the document
12:27:13 jan: Would be a good idea to move this to the best practice section?
12:28:51 mm: The assertions are about the bare minimum for security
12:29:11 .. e.g. guest network vs iot network in a hotel deployment
12:29:20 q?
12:31:42 ack l
12:32:12 kaz: I agree with Jan and Luca, but technically we should, but we cannot do that today
12:32:37 .. this assertion is not a requirement for the architecture itself
12:32:57 q+
12:33:05 ack k
12:33:11 .. those assertions are SHOULD
12:33:25 .. and they are useful to point best practices
12:33:49 mm: This section could be downgraded to informative later
12:35:03 kaz: if we do not have implementations, we can move them to informative
12:35:43 .. we can make an editor's note for those best practices
12:36:05 mm: As long as it is not already included in another section
12:37:18 ack k
12:37:44 subtopic: Using PSK
12:37:45 https://w3c.github.io/wot-architecture#arch-security-consideration-use-psk
12:38:54 mm: Certificates are one way to share pre-shared keys
12:38:58 rrsagent, draft minutes
12:38:59 I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
12:39:05 .. there are other ways to share them
12:39:43 mm: We can add a sentence to say that it is not required to use TLS-PSK.
12:40:36 jiye: Browsers cannot use PSK, if we want to support browsers we have to allow other systems
12:41:21 mm:
12:41:24 i|arch-security-consideration-segmented-network|subtopic: Segmented network|
12:41:26 rrsagent, draft minutes
12:41:27 I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
12:42:28 mm: Reword to use Certificate instead of pre-shared-key
12:48:24 https://github.com/w3c/wot-architecture/issues/900
12:48:30 subtopic: Communication Platform
12:48:51 https://w3c.github.io/wot-architecture#arch-security-consideration-communication-platform
12:49:27 jiye: Ege is not clear on what this assertion is about and I wrote my understanding of it
12:49:54 mm: it boils down to the definition of Platform
12:51:15 .. a weaker bridge cannot be created if the bridged ecosystem requires to have the same level of security (e.g. OCF)
12:53:03 q+
12:54:06 lb: This is a specification of the basic compatibility requirement
12:56:26 lb: How to test it though?
12:57:41 mm: The test would be about the "bridge" more than to the TD, if the "bridge" is compliant, then the TD has only to faithfully describe it
13:02:58 q+
13:03:01 ack l
13:04:09 ack k
13:04:19 kaz: we can open an issue to clarify further
13:06:14 s/clarify further/clarify the relationship between "IoT Ecosystem" and "IoT Platform" here./
13:06:18 [adjourned]
13:06:22 rrsagent, draft minutes
13:06:23 I have made the request to generate https://www.w3.org/2023/04/03-wot-sec-minutes.html kaz
13:35:56 kaz has joined #wot-sec
15:06:40 Zakim has left #wot-sec