IRC log of wot-sec on 2023-05-15
Timestamps are in UTC.
- 12:08:01 [RRSAgent]
- RRSAgent has joined #wot-sec
- 12:08:05 [RRSAgent]
- logging to https://www.w3.org/2023/05/15-wot-sec-irc
- 12:08:07 [kaz]
- meeting: WoT Security
- 12:08:17 [kaz]
- chair: McCoo
- 12:08:27 [kaz]
- s/McCoo/McCool/
- 12:08:43 [kaz]
- present+ Kaz_Ashimura, Michael_McCool, Luca_Barbato, Tomoaki_Mizushima
- 12:09:40 [kaz]
- agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#15_May_2023
- 12:09:57 [McCool]
- McCool has joined #wot-sec
- 12:10:15 [kaz]
- scribenick: kaz
- 12:10:21 [kaz]
- topic: Agenda
- 12:10:28 [kaz]
- mm: look at features at risk
- 12:10:35 [kaz]
- ... and see what is still missing
- 12:10:50 [kaz]
- s/missing/missing around security/
- 12:11:06 [kaz]
- topic: Minutes
- 12:11:14 [kaz]
- mm: no minutes for Apr 17
- 12:11:32 [kaz]
- -> https://www.w3.org/2023/04/03-wot-sec-minutes.html Apr-3
- 12:11:58 [kaz]
- mm: (goes through the minutes)
- 12:12:26 [kaz]
- ... any comments?
- 12:13:35 [kaz]
- ... just one typo around "access to trust environment" to be fixed as "access to trusted environment"
- 12:13:40 [luca_barbato]
- q+
- 12:14:15 [kaz]
- lb: not for the minutes themselves, but we should think about a dedicated secure network
- 12:14:17 [kaz]
- mm: ok
- 12:14:25 [kaz]
- ... let's finalize the minutes themselves
- 12:14:28 [kaz]
- (approved)
- 12:15:17 [kaz]
- topic: Dedicated network for guests
- 12:16:44 [kaz]
- -> https://w3c.github.io/wot-architecture/#sec-security-consideration-trusted-environment-risks WoT Architecture ED - 10.4 Trusted Environment Risks
- 12:17:03 [kaz]
- mm: let's create an issue for WoT Architecture
- 12:19:06 [kaz]
- -> https://github.com/w3c/wot-architecture/issues/908 wot-architecture Issue 908 - Correct statement about "guest" networks
- 12:19:37 [kaz]
- i|let's create|[[ For example, in the home environment, a separate WiFi network can be used for IoT devices, and routers often provide a "guest" network that can be used for this purpose. In commercial and industrial environments, explicit installation of pre-shared keys SHOULD be used to allow browsers to access local services while using TLS. ]]|
- 12:19:47 [kaz]
- rrsagent, make log public
- 12:19:52 [kaz]
- rrsagent, draft minutes
- 12:19:53 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
- 12:20:00 [kaz]
- q+
- 12:20:01 [kaz]
- ack l
- 12:21:20 [McCool]
- https://github.com/w3c/wot-architecture/issues/908
- 12:21:42 [kaz]
- kaz: for the next Charter, we need to look into various use case scenarios, including potential devices from other SDOs' standards too
- 12:21:59 [kaz]
- topi: Remaining at-risk items
- 12:23:02 [kaz]
- -> https://github.com/w3c/wot-testing/blob/main/events/2023.03.Online/README.md Summary from the latest Testfest
- 12:23:41 [kaz]
- mm: for Architecture
- 12:23:51 [kaz]
- [[
- 12:23:51 [kaz]
- (1) arch-security-consideration-use-psk
- 12:23:52 [kaz]
- (2) arch-security-consideration-dtls-1-3
- 12:23:58 [kaz]
- and
- 12:23:59 [kaz]
- (1) arch-security-consideration-hal-refuse-unsafe
- 12:24:01 [kaz]
- ]]
- 12:24:18 [kaz]
- i/psk/high priority:/
- 12:24:25 [kaz]
- i/unsafe/low priority:/
- 12:24:29 [kaz]
- mm: for TD
- 12:24:31 [kaz]
- [[
- 12:24:37 [kaz]
- low priority:
- 12:24:47 [kaz]
- (2) td-security-oauth2-device-flow (2)
- 12:24:48 [kaz]
- (1) security-server-auth-td
- 12:24:48 [kaz]
- (2) security-context-secure-fetch
- 12:24:48 [kaz]
- (1) security-remote-context
- 12:24:48 [kaz]
- (1) privacy-immutable-id-as-property
- 12:24:48 [kaz]
- ]]
- 12:25:00 [luca_barbato]
- q+
- 12:25:05 [kaz]
- q-
- 12:25:07 [kaz]
- q+
- 12:25:20 [kaz]
- mm: any concern about them?
- 12:25:33 [kaz]
- ... e.g., oauth2-device-flow ?
- 12:26:04 [kaz]
- lb: somebody may use Bluetooth, etc., with a WiFi connection
- 12:26:33 [kaz]
- ... similar scenarios are possible
- 12:26:51 [kaz]
- mm: it's a bit odd
- 12:27:13 [kaz]
- ... maybe we've been overlooking something...
- 12:27:20 [kaz]
- ... let me check again
- 12:28:18 [kaz]
- kaz: btw, what do the numbers in parens mean, e.g., "(2)"?
- 12:28:32 [kaz]
- mm: number of missing implementations
- 12:28:34 [kaz]
- kaz: ok
- 12:29:00 [kaz]
- ... so the "(2)" at the bottom of "(2) td-security-oauth2-device-flow (2)" is extra
- 12:29:02 [kaz]
- mm: right
- 12:29:09 [kaz]
- rrsagent, make log public
- 12:29:15 [kaz]
- rrsagent, draft minutes
- 12:29:16 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
- 12:31:57 [kaz]
- (McCool tries to check the data again, but needs some more time)
- 12:32:40 [Jiye]
- Jiye has joined #wot-sec
- 12:32:46 [kaz]
- subtopic: security-server-auth-td
- 12:33:11 [kaz]
- mm: we should have implementations and also this is an easy feature
- 12:33:22 [kaz]
- ... so would make this high priority
- 12:33:28 [kaz]
- (no objections)
- 12:34:00 [kaz]
- i/any concern/subtopic: td-security-oauth2-device-flow/
- 12:34:19 [kaz]
- mm: (makes it high priority)
- 12:34:37 [kaz]
- present+ Jiye_Park
- 12:39:32 [kaz]
- s/mm: (makes it high priority)/mm: would suggest we make the following three features "medium priority"
- 12:39:34 [kaz]
- [[
- 12:39:48 [kaz]
- (1) security-server-auth-td resolution pending
- 12:39:48 [kaz]
- (1) security-remote-context Intel - wot-ha already resolves - resolution pending
- 12:39:48 [kaz]
- (1) privacy-immutable-id-as-property Intel to do
- 12:39:49 [kaz]
- ]]
- 12:39:57 [kaz]
- (no objections)
- 12:40:06 [kaz]
- rrsagent, draft minutes
- 12:40:07 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
- 12:40:34 [kaz]
- rrsagent, make log public
- 12:40:36 [kaz]
- rrsagent, draft minutes
- 12:40:37 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
- 12:40:59 [kaz]
- s/topi:/topic:/
- 12:41:01 [kaz]
- rrsagent, draft minutes
- 12:41:02 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
- 12:41:23 [kaz]
- i/for Architecture/subtopic: Architecture/
- 12:41:37 [kaz]
- i/for TD/subtopic: TD/
- 12:41:45 [kaz]
- rrsagent, draft minutes
- 12:41:46 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
- 12:41:58 [kaz]
- subtopic: Discovery
- 12:43:42 [kaz]
- mm: (goes through the remaining features at-risk
- 12:43:47 [kaz]
- s/risk/risk)/
- 12:45:29 [kaz]
- q+
- 12:45:31 [kaz]
- ack l
- 12:46:16 [kaz]
- kaz: how to handle the high/medium priority features?
- 12:46:23 [kaz]
- mm: those are not about security
- 12:46:36 [kaz]
- ... so let's talk about lower priority features now
- 12:46:53 [kaz]
- [[
- 12:46:54 [kaz]
- Lower Priority
- 12:46:54 [kaz]
- These have one implementation but are in security considerations and can be converted into "guidelines", so are a lower priority.
- 12:46:54 [kaz]
- (1) sec-tdd-query-watchdog
- 12:46:54 [kaz]
- (1) sec-tdd-intro-no-multicast
- 12:46:55 [kaz]
- These have two but are also in security/privacy considerations and can be converted into "guidelines", so are also lower priority:
- 12:46:58 [kaz]
- (2) sec-tdd-throttle-queries
- 12:47:00 [kaz]
- (2) sec-tdd-limit-query-complexity
- 12:47:02 [kaz]
- (2) sec-tdd-intro-limit-response-size
- 12:47:04 [kaz]
- (2) sec-tdd-intro-throttling
- 12:47:06 [kaz]
- (1) sec-self-proxy
- 12:47:08 [kaz]
- (2) priv-loc-disable-public-directories
- 12:47:10 [kaz]
- (2) priv-loc-anonymous-tds
- 12:47:14 [kaz]
- (2) priv-loc-gen-ids
- 12:47:16 [kaz]
- (2) priv-loc-explicit-strip
- 12:47:18 [kaz]
- (2) priv-query-anon
- 12:47:20 [kaz]
- This is for security bootstrapping with OAuth, would be useful for onboarding:
- 12:47:22 [kaz]
- (2) exploration-secboot-oauth2-flows
- 12:47:24 [kaz]
- ]]
- 12:47:26 [kaz]
- mm: (goes through the above lower priority features)
- 12:48:20 [kaz]
- ... any opinions to make them higher priority?
- 12:48:22 [kaz]
- (none)
- 12:48:55 [kaz]
- mm: then privacy features
- 12:48:56 [kaz]
- [[
- 12:49:07 [kaz]
- (2) priv-loc-disable-public-directories
- 12:49:07 [kaz]
- (2) priv-loc-anonymous-tds
- 12:49:07 [kaz]
- (2) priv-loc-gen-ids
- 12:49:07 [kaz]
- (2) priv-loc-explicit-strip
- 12:49:07 [kaz]
- (2) priv-query-anon
- 12:49:09 [kaz]
- ]]
- 12:50:26 [kaz]
- i|This is for|@@@ The above priv features to be removed from this section of the minutes, because they're discussed separately later.|
- 12:50:41 [kaz]
- mm: most of them will become informative
- 12:51:18 [kaz]
- ... any objections to keep them as low priority?
- 12:51:23 [kaz]
- (no objections)
- 12:53:33 [kaz]
- mm: then OAuth2 flows next
- 12:53:34 [kaz]
- [[
- 12:53:35 [kaz]
- (2) exploration-secboot-oauth2-flows
- 12:53:36 [kaz]
- ]]
- 12:53:53 [kaz]
- mm: we don't have sufficient implementations for that
- 12:54:16 [kaz]
- ... would have some discussion about this during the Discovery call later
- 12:54:31 [kaz]
- topic: Issues
- 12:54:55 [kaz]
- -> https://github.com/w3c/wot-security/issues Issues
- 12:55:38 [kaz]
- rrsagent, draft minutes
- 12:55:39 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
- 12:56:18 [kaz]
- mm: (puts remaining GitHub issues to the agenda for the next week)
- 12:56:24 [kaz]
- s/week/call/
- 12:56:47 [kaz]
- ... please go through the issues for the discussion next week
- 12:57:05 [kaz]
- ... we're making a decision on the PR transition this week
- 12:57:13 [kaz]
- [adjourned]
- 12:57:17 [kaz]
- rrsagent, draft minutes
- 12:57:18 [RRSAgent]
- I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
- 14:00:28 [Mizushima]
- Mizushima has left #wot-sec
- 14:46:38 [Zakim]
- Zakim has left #wot-sec