12:08:01 RRSAgent has joined #wot-sec 12:08:05 logging to https://www.w3.org/2023/05/15-wot-sec-irc 12:08:07 meeting: WoT Security 12:08:17 chair: McCoo 12:08:27 s/McCoo/McCool/ 12:08:43 present+ Kaz_Ashimura, Michael_McCool, Luca_Barbato, Tomoaki_Mizushima 12:09:40 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#15_May_2023 12:09:57 McCool has joined #wot-sec 12:10:15 scribenick: kaz 12:10:21 topic: Agenda 12:10:28 mm: look at features at risk 12:10:35 ... and see what is still missing 12:10:50 s/missing/missing around security/ 12:11:06 topic: Minutes 12:11:14 mm: no minutes for Apr 17 12:11:32 -> https://www.w3.org/2023/04/03-wot-sec-minutes.html Apr-3 12:11:58 mm: (goes through the minutes) 12:12:26 ... any comments? 12:13:35 ... just one typo around "access to trust environment" to be fixed as "access to trusted environment" 12:13:40 q+ 12:14:15 lb: not for the minutes themselves, but we should think about a dedicated secure network 12:14:17 mm: ok 12:14:25 ... let's finalize the minutes themselves 12:14:28 (approved) 12:15:17 topic: Dedicated network for guests 12:16:44 -> https://w3c.github.io/wot-architecture/#sec-security-consideration-trusted-environment-risks WoT Architecture ED - 10.4 Trusted Environment Risks 12:17:03 mm: let's create an issue for WoT Architecture 12:19:06 -> https://github.com/w3c/wot-architecture/issues/908 wot-architecture Issue 908 - Correct statement about "guest" networks 12:19:37 i|let's create|[[ For example, in the home environment, a separate WiFi network can be used for IoT devices, and routers often provide a "guest" network that can be used for this purpose. In commercial and industrial environments, explicit installation of pre-shared keys SHOULD be used to allow browsers to access local services while using TLS. ]]| 12:19:47 rrsagent, make log public 12:19:52 rrsagent, draft minutes 12:19:53 I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz 12:20:00 q+ 12:20:01 ack l 12:21:20 https://github.com/w3c/wot-architecture/issues/908 12:21:42 kaz: for the next Charter, we need to look into various use case scenarios including potential devices from the other SDOs standards too 12:21:59 topi: Remaining at-risk items 12:23:02 -> https://github.com/w3c/wot-testing/blob/main/events/2023.03.Online/README.md Summary from the latest Testfest 12:23:41 mm: for Architecture 12:23:51 [[ 12:23:51 (1) arch-security-consideration-use-psk 12:23:52 (2) arch-security-consideration-dtls-1-3 12:23:58 and 12:23:59 (1) arch-security-consideration-hal-refuse-unsafe 12:24:01 ]] 12:24:18 i/psk/high priority:/ 12:24:25 i/unsafe/low priority:/ 12:24:29 mm: for TD 12:24:31 [[ 12:24:37 low priority: 12:24:47 (2) td-security-oauth2-device-flow (2) 12:24:48 (1) security-server-auth-td 12:24:48 (2) security-context-secure-fetch 12:24:48 (1) security-remote-context 12:24:48 (1) privacy-immutable-id-as-property 12:24:48 ]] 12:25:00 q+ 12:25:05 q- 12:25:07 q+ 12:25:20 mm: any concern about them? 12:25:33 ... e.g., oauth2-device-flow ? 12:26:04 lb: somebody may use Bluethooth, etc., with wifi connection 12:26:33 ... similar scenarios are possible 12:26:51 mm: it's a bit odd 12:27:13 ... maybe we've been overlooking something... 12:27:20 ... let me check again 12:28:18 kaz: btw, what do the numbers with palens mean, e.g., "(2)"? 12:28:32 mm: number of missing implementations 12:28:34 kaz: ok 12:29:00 ... so the "(2)" at the bottom of "(2) td-security-oauth2-device-flow (2)" is extra 12:29:02 mm: right 12:29:09 rrsagent, make log public 12:29:15 rrsagent, draft minutes 12:29:16 I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz 12:31:57 (McCool tries to check the data again, but need some more time) 12:32:40 Jiye has joined #wot-sec 12:32:46 subtopic: security-server-auth-td 12:33:11 mm: we should have implementations and also this is an easy feature 12:33:22 ... so would make this high priority 12:33:28 (no objections) 12:34:00 i/any concern/subtopic: td-security-oauth2-device-flow/ 12:34:19 mm: (makes it high priority) 12:34:37 present+ Jiye_Park 12:39:32 s/mm: (makes it high priority)/mm: would suggest we make the following three features "medium priority" 12:39:34 [[ 12:39:48 (1) security-server-auth-td resolution pending 12:39:48 (1) security-remote-context Intel - wot-ha already resolves - resolution pending 12:39:48 (1) privacy-immutable-id-as-property Intel to do 12:39:49 ]] 12:39:57 (no objections) 12:40:06 rrsagent, draft minutes 12:40:07 I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz 12:40:34 rrsagent, make log public 12:40:36 rrsagent, draft minutes 12:40:37 I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz 12:40:59 s/topi:/topic:/ 12:41:01 rrsagent, draft minutes 12:41:02 I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz 12:41:23 i/for Architecture/subtopic: Architecture/ 12:41:37 i/for TD/subtopic: TD/ 12:41:45 rrsagent, draft minutes 12:41:46 I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz 12:41:58 subtopic: Discovery 12:43:42 mm: (goes through the remaining features at-risk 12:43:47 s/risk/risk)/ 12:45:29 q+ 12:45:31 ack l 12:46:16 kaz: how to handle the high/medium priority features? 12:46:23 mm: those are not about security 12:46:36 ... so let's talk about lower priority features now 12:46:53 [[ 12:46:54 Lower Priority 12:46:54 These have one implementation but are in security considerations and can be converted into "guidelines", so are a lower priority. 12:46:54 (1) sec-tdd-query-watchdog 12:46:54 (1) sec-tdd-intro-no-multicast 12:46:55 These have two but are also in security/privacy considerations and can be converted into "guidelines", so are also lower priority: 12:46:58 (2) sec-tdd-throttle-queries 12:47:00 (2) sec-tdd-limit-query-complexity 12:47:02 (2) sec-tdd-intro-limit-response-size 12:47:04 (2) sec-tdd-intro-throttling 12:47:06 (1) sec-self-proxy 12:47:08 (2) priv-loc-disable-public-directories 12:47:10 (2) priv-loc-anonymous-tds 12:47:14 (2) priv-loc-gen-ids 12:47:16 (2) priv-loc-explicit-strip 12:47:18 (2) priv-query-anon 12:47:20 This is for security bootstrapping with OAuth, would be useful for onboarding: 12:47:22 (2) exploration-secboot-oauth2-flows 12:47:24 ]] 12:47:26 mm: (goes through the above lower priority features) 12:48:20 ... any opinions to make them higher priority? 12:48:22 (none) 12:48:55 mm: then privacy features 12:48:56 [[ 12:49:07 (2) priv-loc-disable-public-directories 12:49:07 (2) priv-loc-anonymous-tds 12:49:07 (2) priv-loc-gen-ids 12:49:07 (2) priv-loc-explicit-strip 12:49:07 (2) priv-query-anon 12:49:09 ]] 12:50:26 i|This is for|@@@ The above priv features to be removed from this section of the minutes, because they're discussed separately later.| 12:50:41 mm: most of them will become informative 12:51:18 ... any objections to keep them as low priority? 12:51:23 (no objections) 12:53:33 mm: then OAuth2 flows next 12:53:34 [[ 12:53:35 (2) exploration-secboot-oauth2-flows 12:53:36 ]] 12:53:53 mm: we don't have sufficient implementations for that 12:54:16 ... would have some discussion about this during the Discovery call later 12:54:31 topic: Issues 12:54:55 -> https://github.com/w3c/wot-security/issues Issues 12:55:38 rrsagent, draft minutes 12:55:39 I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz 12:56:18 mm: (puts remaining GitHub issues to the agenda for the next week) 12:56:24 s/week/call/ 12:56:47 ... please go through the issues for the discussion next week 12:57:05 ... we're making decision for PR transition this week 12:57:13 [adjourned] 12:57:17 rrsagent, draft minutes 12:57:18 I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz 14:00:28 Mizushima has left #wot-sec 14:46:38 Zakim has left #wot-sec