IRC log of wot-sec on 2023-05-15

Timestamps are in UTC.

12:08:01 [RRSAgent]
RRSAgent has joined #wot-sec
12:08:05 [RRSAgent]
logging to https://www.w3.org/2023/05/15-wot-sec-irc
12:08:07 [kaz]
meeting: WoT Security
12:08:17 [kaz]
chair: McCoo
12:08:27 [kaz]
s/McCoo/McCool/
12:08:43 [kaz]
present+ Kaz_Ashimura, Michael_McCool, Luca_Barbato, Tomoaki_Mizushima
12:09:40 [kaz]
agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#15_May_2023
12:09:57 [McCool]
McCool has joined #wot-sec
12:10:15 [kaz]
scribenick: kaz
12:10:21 [kaz]
topic: Agenda
12:10:28 [kaz]
mm: look at features at risk
12:10:35 [kaz]
... and see what is still missing
12:10:50 [kaz]
s/missing/missing around security/
12:11:06 [kaz]
topic: Minutes
12:11:14 [kaz]
mm: no minutes for Apr 17
12:11:32 [kaz]
-> https://www.w3.org/2023/04/03-wot-sec-minutes.html Apr-3
12:11:58 [kaz]
mm: (goes through the minutes)
12:12:26 [kaz]
... any comments?
12:13:35 [kaz]
... just one typo around "access to trust environment" to be fixed as "access to trusted environment"
12:13:40 [luca_barbato]
q+
12:14:15 [kaz]
lb: not for the minutes themselves, but we should think about a dedicated secure network
12:14:17 [kaz]
mm: ok
12:14:25 [kaz]
... let's finalize the minutes themselves
12:14:28 [kaz]
(approved)
12:15:17 [kaz]
topic: Dedicated network for guests
12:16:44 [kaz]
-> https://w3c.github.io/wot-architecture/#sec-security-consideration-trusted-environment-risks WoT Architecture ED - 10.4 Trusted Environment Risks
12:17:03 [kaz]
mm: let's create an issue for WoT Architecture
12:19:06 [kaz]
-> https://github.com/w3c/wot-architecture/issues/908 wot-architecture Issue 908 - Correct statement about "guest" networks
12:19:37 [kaz]
i|let's create|[[ For example, in the home environment, a separate WiFi network can be used for IoT devices, and routers often provide a "guest" network that can be used for this purpose. In commercial and industrial environments, explicit installation of pre-shared keys SHOULD be used to allow browsers to access local services while using TLS. ]]|
12:19:47 [kaz]
rrsagent, make log public
12:19:52 [kaz]
rrsagent, draft minutes
12:19:53 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
12:20:00 [kaz]
q+
12:20:01 [kaz]
ack l
12:21:20 [McCool]
https://github.com/w3c/wot-architecture/issues/908
12:21:42 [kaz]
kaz: for the next Charter, we need to look into various use case scenarios including potential devices from other SDOs' standards too
12:21:59 [kaz]
topi: Remaining at-risk items
12:23:02 [kaz]
-> https://github.com/w3c/wot-testing/blob/main/events/2023.03.Online/README.md Summary from the latest Testfest
12:23:41 [kaz]
mm: for Architecture
12:23:51 [kaz]
[[
12:23:51 [kaz]
(1) arch-security-consideration-use-psk
12:23:52 [kaz]
(2) arch-security-consideration-dtls-1-3
12:23:58 [kaz]
and
12:23:59 [kaz]
(1) arch-security-consideration-hal-refuse-unsafe
12:24:01 [kaz]
]]
12:24:18 [kaz]
i/psk/high priority:/
12:24:25 [kaz]
i/unsafe/low priority:/
12:24:29 [kaz]
mm: for TD
12:24:31 [kaz]
[[
12:24:37 [kaz]
low priority:
12:24:47 [kaz]
(2) td-security-oauth2-device-flow (2)
12:24:48 [kaz]
(1) security-server-auth-td
12:24:48 [kaz]
(2) security-context-secure-fetch
12:24:48 [kaz]
(1) security-remote-context
12:24:48 [kaz]
(1) privacy-immutable-id-as-property
12:24:48 [kaz]
]]
12:25:00 [luca_barbato]
q+
12:25:05 [kaz]
q-
12:25:07 [kaz]
q+
12:25:20 [kaz]
mm: any concern about them?
12:25:33 [kaz]
... e.g., oauth2-device-flow ?
12:26:04 [kaz]
lb: somebody may use Bluetooth, etc., with wifi connection
12:26:33 [kaz]
... similar scenarios are possible
12:26:51 [kaz]
mm: it's a bit odd
12:27:13 [kaz]
... maybe we've been overlooking something...
12:27:20 [kaz]
... let me check again
12:28:18 [kaz]
kaz: btw, what do the numbers with parens mean, e.g., "(2)"?
12:28:32 [kaz]
mm: number of missing implementations
12:28:34 [kaz]
kaz: ok
12:29:00 [kaz]
... so the "(2)" at the bottom of "(2) td-security-oauth2-device-flow (2)" is extra
12:29:02 [kaz]
mm: right
12:29:09 [kaz]
rrsagent, make log public
12:29:15 [kaz]
rrsagent, draft minutes
12:29:16 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
12:31:57 [kaz]
(McCool tries to check the data again, but needs some more time)
12:32:40 [Jiye]
Jiye has joined #wot-sec
12:32:46 [kaz]
subtopic: security-server-auth-td
12:33:11 [kaz]
mm: we should have implementations and also this is an easy feature
12:33:22 [kaz]
... so would make this high priority
12:33:28 [kaz]
(no objections)
12:34:00 [kaz]
i/any concern/subtopic: td-security-oauth2-device-flow/
12:34:19 [kaz]
mm: (makes it high priority)
12:34:37 [kaz]
present+ Jiye_Park
12:39:32 [kaz]
s/mm: (makes it high priority)/mm: would suggest we make the following three features "medium priority"
12:39:34 [kaz]
[[
12:39:48 [kaz]
(1) security-server-auth-td resolution pending
12:39:48 [kaz]
(1) security-remote-context Intel - wot-ha already resolves - resolution pending
12:39:48 [kaz]
(1) privacy-immutable-id-as-property Intel to do
12:39:49 [kaz]
]]
12:39:57 [kaz]
(no objections)
12:40:06 [kaz]
rrsagent, draft minutes
12:40:07 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
12:40:34 [kaz]
rrsagent, make log public
12:40:36 [kaz]
rrsagent, draft minutes
12:40:37 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
12:40:59 [kaz]
s/topi:/topic:/
12:41:01 [kaz]
rrsagent, draft minutes
12:41:02 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
12:41:23 [kaz]
i/for Architecture/subtopic: Architecture/
12:41:37 [kaz]
i/for TD/subtopic: TD/
12:41:45 [kaz]
rrsagent, draft minutes
12:41:46 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
12:41:58 [kaz]
subtopic: Discovery
12:43:42 [kaz]
mm: (goes through the remaining features at-risk
12:43:47 [kaz]
s/risk/risk)/
12:45:29 [kaz]
q+
12:45:31 [kaz]
ack l
12:46:16 [kaz]
kaz: how to handle the high/medium priority features?
12:46:23 [kaz]
mm: those are not about security
12:46:36 [kaz]
... so let's talk about lower priority features now
12:46:53 [kaz]
[[
12:46:54 [kaz]
Lower Priority
12:46:54 [kaz]
These have one implementation but are in security considerations and can be converted into "guidelines", so are a lower priority.
12:46:54 [kaz]
(1) sec-tdd-query-watchdog
12:46:54 [kaz]
(1) sec-tdd-intro-no-multicast
12:46:55 [kaz]
These have two but are also in security/privacy considerations and can be converted into "guidelines", so are also lower priority:
12:46:58 [kaz]
(2) sec-tdd-throttle-queries
12:47:00 [kaz]
(2) sec-tdd-limit-query-complexity
12:47:02 [kaz]
(2) sec-tdd-intro-limit-response-size
12:47:04 [kaz]
(2) sec-tdd-intro-throttling
12:47:06 [kaz]
(1) sec-self-proxy
12:47:08 [kaz]
(2) priv-loc-disable-public-directories
12:47:10 [kaz]
(2) priv-loc-anonymous-tds
12:47:14 [kaz]
(2) priv-loc-gen-ids
12:47:16 [kaz]
(2) priv-loc-explicit-strip
12:47:18 [kaz]
(2) priv-query-anon
12:47:20 [kaz]
This is for security bootstrapping with OAuth, would be useful for onboarding:
12:47:22 [kaz]
(2) exploration-secboot-oauth2-flows
12:47:24 [kaz]
]]
12:47:26 [kaz]
mm: (goes through the above lower priority features)
12:48:20 [kaz]
... any opinions to make them higher priority?
12:48:22 [kaz]
(none)
12:48:55 [kaz]
mm: then privacy features
12:48:56 [kaz]
[[
12:49:07 [kaz]
(2) priv-loc-disable-public-directories
12:49:07 [kaz]
(2) priv-loc-anonymous-tds
12:49:07 [kaz]
(2) priv-loc-gen-ids
12:49:07 [kaz]
(2) priv-loc-explicit-strip
12:49:07 [kaz]
(2) priv-query-anon
12:49:09 [kaz]
]]
12:50:26 [kaz]
i|This is for|@@@ The above priv features to be removed from this section of the minutes, because they're discussed separately later.|
12:50:41 [kaz]
mm: most of them will become informative
12:51:18 [kaz]
... any objections to keeping them as low priority?
12:51:23 [kaz]
(no objections)
12:53:33 [kaz]
mm: then OAuth2 flows next
12:53:34 [kaz]
[[
12:53:35 [kaz]
(2) exploration-secboot-oauth2-flows
12:53:36 [kaz]
]]
12:53:53 [kaz]
mm: we don't have sufficient implementations for that
12:54:16 [kaz]
... would have some discussion about this during the Discovery call later
12:54:31 [kaz]
topic: Issues
12:54:55 [kaz]
-> https://github.com/w3c/wot-security/issues Issues
12:55:38 [kaz]
rrsagent, draft minutes
12:55:39 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
12:56:18 [kaz]
mm: (puts remaining GitHub issues to the agenda for the next week)
12:56:24 [kaz]
s/week/call/
12:56:47 [kaz]
... please go through the issues for the discussion next week
12:57:05 [kaz]
... we're making a decision for PR transition this week
12:57:13 [kaz]
[adjourned]
12:57:17 [kaz]
rrsagent, draft minutes
12:57:18 [RRSAgent]
I have made the request to generate https://www.w3.org/2023/05/15-wot-sec-minutes.html kaz
14:00:28 [Mizushima]
Mizushima has left #wot-sec
14:46:38 [Zakim]
Zakim has left #wot-sec