11:58:39 RRSAgent has joined #wot-sec
11:58:43 logging to https://www.w3.org/2023/07/24-wot-sec-irc
11:58:45 meeting: WoT Security
11:58:53 present+ Kaz_Ashimura
12:01:22 present+ Mahda_Noura, Michael_McCool
12:03:12 q+
12:03:36 Mizushima has joined #wot-sec
12:04:10 mahdanoura has joined #wot-sec
12:05:17 present+ Tomoaki_Mizushima
12:05:32 https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#24_July_2023
12:05:58 s/https/agenda: https/
12:07:07 q?
12:07:21 ack k
12:07:31 scribenick: kaz
12:07:36 topic: Minutes
12:07:46 -> https://www.w3.org/2023/05/22-wot-sec-minutes.html May-22
12:07:53 mm: (goes through the minutes)
12:08:42 JKRhb has joined #wot-sec
12:10:12 approved
12:10:16 topic: Logistics
12:10:38 subtopic: Date/time
12:11:27 mm: OK to have the call at this slot?
12:12:04 mn: prefer one hour later
12:12:15 mm: how about you, Kaz?
12:12:36 kaz: should be OK, but there is a possibility the MEIG Chairs call will be held at that time
12:13:11 mm: let's start that slot (Monday, one hour later) from Aug 8 then
12:14:30 resolution: WoT Security TF will shift the TF call slot to Monday, one hour later than the current slot (=13 UTC) on and after August 8
12:14:56 s|subtopic: Date/time||
12:15:00 topic: Planning
12:15:44 mm: (explains the structure of security-related documents)
12:16:42 ... current proposed Charter doesn't have WoT Security as a normative deliverable
12:17:00 ... we have to work on a bunch of restructuring
12:17:38 ... we couldn't finalize testing on DTLS 1.3 for WoT 1.1
12:18:32 ... we can look at the resources on GitHub
12:18:56 -> https://github.com/w3c/wot/pull/1097 wot PR 1097 - Security Planning
12:19:03 https://github.com/w3c/wot/tree/main/planning/Security
12:19:46 s/https/-> https/
12:20:46 s|Security|Security wot/planning/Security|
12:21:52 mm: there is another document on WoT Discovery as well
12:22:02 -> https://github.com/w3c/wot/blob/main/planning/Discovery/work-items.md wot/planning/Discovery/work-items.md
12:22:15 mm: (goes through the items)
12:29:19 -> https://github.com/w3c/wot/blob/main/planning/Security/README.md wot/planning/Security
12:29:32 mm: (going back to the Security planning document)
12:30:35 ... (goes through the items)
12:30:53 ... Signing, Extensions, Ease of Use
12:31:00 ... Onboarding
12:33:41 ... (shows wot-wg-2023-details.html)
12:33:56 -> https://w3c.github.io/wot-charter-drafts/wot-wg-2023-details.html wot-wg-2023-details.html
12:34:28 ... (goes through some of the items)
12:34:40 ... Discovery JSON Path Query Language
12:35:12 ... next thing to come, and important for security and privacy purposes
12:36:17 ... Canonicalization
12:36:41 ... one big thing is related to WoT Profile
12:37:01 ... that is "Cloud Events Payload Binding"
12:37:20 ... believe we need to handle security information too
12:38:20 q+
12:39:05 ack k
12:39:31 kaz: those items are very important, and would require detailed description of use cases and system settings
12:39:45 +1 for kaz
12:39:49 ... so how to describe the use cases would be one of the keys for the next Charter period
12:39:55 mm: right
12:40:44 ... think probably what we should do is clarifying the necessary information, including the motivation
12:41:15 -> https://github.com/w3c/wot-usecases wot-usecases repo
12:42:04 mm: we've not really described necessary mitigations for each risk
12:42:13 s/risk/possible risk/
12:43:17 mm: (shows the Implementation Report for WoT Thing Description 1.1)
12:44:54 -> https://w3c.github.io/wot-thing-description/testing/report11.html Web of Things (WoT) Thing Description 1.1 Implementation Report
12:45:13 mm: (then shows the WoT Use Cases document)
12:46:00 -> https://w3c.github.io/wot-usecases/ WoT Use Cases and Requirements (Editors Draft)
12:46:21 mm: probably we need to extend the "Security Considerations" section for use case descriptions
12:47:19 present+ Jan_Romann
12:47:24 rrsagent, make log public
12:47:28 rrsagent, draft minutes
12:47:29 I have made the request to generate https://www.w3.org/2023/07/24-wot-sec-minutes.html kaz
12:51:53 mm: (goes back to wot-wg-2023-details.html)
12:52:09 -> https://w3c.github.io/wot-charter-drafts/wot-wg-2023-details.html wot-wg-2023-details.html
12:52:20 mm: we've been mainly working on HTTP
12:53:33 ... for the next step, why don't we look into the Use Cases document?
12:53:59 -> https://w3c.github.io/wot-usecases/ WoT Use Cases and Requirements (Editors Draft)
12:55:34 mm: (then shows the WoT Security Note)
12:55:53 -> https://www.w3.org/TR/wot-security/ WoT Security and Privacy Guidelines
12:56:36 mm: there is some description of possible mitigations within the WoT Discovery spec too
12:57:11 -> https://www.w3.org/TR/wot-discovery/ WoT Discovery spec (which includes Mitigations sections)
12:58:33 mm: would like to update the Use Cases document with updated security consideration descriptions
12:58:38 kaz: that's good
12:59:09 ... but we need to clarify the basic procedure as the whole WoT WG during the main call too
13:00:08 mm: two possible approaches
13:00:22 ... a. adding security considerations to each use case
13:00:38 ... b. having a separate section on security considerations
13:01:31 ... note that DDoS is not listed as a threat yet
13:01:44 ... (generate a GitHub Issue on that)
13:02:29 -> https://github.com/w3c/wot-security/issues/221 wot-security Issue 221 - DDoS is not listed as a Threat
13:02:42 ... ah, but an existing issue already...
13:02:50 ... (issue 221 closed)
13:03:22 -> https://github.com/w3c/wot-security/issues/212 wot-security Issue 212 - Add DDoS thread
13:03:33 [adjourned]
13:03:39 rrsagent, make log public
13:03:42 rrsagent, draft minutes
13:03:44 I have made the request to generate https://www.w3.org/2023/07/24-wot-sec-minutes.html kaz
14:59:43 Zakim has left #wot-sec
15:19:59 kaz has joined #wot-sec