13:05:16 RRSAgent has joined #wot-sec
13:05:21 logging to https://www.w3.org/2023/09/18-wot-sec-irc
13:05:28 q+
13:06:05 ack k
13:06:44 chair: McCool
13:07:20 scribenick: JKRhb
13:07:35 topic: Minutes Review
13:08:04 present+ Kaz_Ashimura, Michael_McCool, Mahda_Noura, Jan_Romann, Tomoaki_Mizushima
13:08:15 mm: (goes over the minutes)
13:08:21 ... we did a few PRs
13:08:24 i|goes|-> https://www.w3.org/2023/09/04-wot-sec-minutes.html Sep-4|
13:08:29 rrsagent, make log public
13:08:31 ... PR #226 was merged
13:08:34 rrsagent, draft utes
13:08:34 I'm logging. I don't understand 'draft utes', kaz. Try /msg RRSAgent help
13:08:46 ... PR 225 is still open, we will discuss it today
13:09:16 ... PR 224 was closed
13:09:24 ... without merging
13:09:38 ... Kaz, can you add that to the minutes?
13:09:44 kaz: Will do
13:09:57 mm: Then we discussed TPAC
13:10:23 ... looks good besides one spelling mistake, will discuss the PR today
13:10:28 Minutes are approved
13:10:34 topic: PRs
13:10:40 subtopic: PR 225
13:10:55 mm: This is in the wot-security repo
13:11:10 ... previously, we only had DoS but not DDoS in the document
13:11:18 ... I added a threat for that
13:11:48 i/Then we/("merged" has been added to PR 226)/
13:11:56 ... and two examples, amplification attacks and takeovers
13:12:00 s/rrsagent, draft utes//
13:12:04 rrsagent, draft minutes
13:12:06 I have made the request to generate https://www.w3.org/2023/09/18-wot-sec-minutes.html kaz
13:12:24 ... we are also discussing this in the discovery document with regard to CoAP
13:12:47 ... further down in the document, I added additional text regarding the DDoS threat
13:12:50 i|This is in the|-> https://github.com/w3c/wot-security/pull/225 PR 225 - Add DDoS Threats|
13:13:31 ... for corporate environments, I simply refer back to scenario 1
13:13:39 ... any comments?
13:14:29 mm: One more thing: Under industrial critical infrastructure, the limiting of outbound connections is discussed
13:14:43 rrsagent, draft minutes
13:14:44 I have made the request to generate https://www.w3.org/2023/09/18-wot-sec-minutes.html kaz
13:15:20 mn: Just a stylistic comment: "as well as possible" is not a very clear formulation
13:15:43 mm: I'll change it to "should be mitigated"
13:15:48 ... does that fix it?
13:16:02 mn: Yes
13:16:39 mm: Let's not talk too much about mitigations in this PR, we can still add it later
13:16:49 jr: Changes looked good to me as well
13:17:01 mm: Luca also approved it, let's merge it
13:17:06 PR is merged
13:17:14 mm: I think this also closes an issue
13:17:30 ... the issue that is resolved is 212
13:17:38 ... (closes the issue)
13:17:39 https://github.com/w3c/wot-security/issues/212
13:18:09 mm: We should probably review issues at some point, but not today
13:18:16 topic: TPAC followup
13:18:21 s|https://github.com/w3c/wot-security/issues/212|-> https://github.com/w3c/wot-security/issues/212 Issue 212 - Add DDoS threat|
13:18:53 -> https://www.w3.org/2023/09/14-wot-minutes.html Day 1
13:19:05 -> https://www.w3.org/2023/09/15-wot-minutes.html Day 2
13:19:17 mm: Do you have the minutes of the meeting, Kaz?
13:19:27 kaz: (posts the links above)
13:19:55 mm: We can start by looking at the minutes, we discussed security on day 2
13:20:13 ... first part is just me walking through the presentation
13:20:17 ... should be well documented
13:20:21 ... except for comments
13:20:36 rrsagent, draft minutes
13:20:38 I have made the request to generate https://www.w3.org/2023/09/18-wot-sec-minutes.html kaz
13:21:13 ... just to review this quickly: we talked about threat models, which are not consistent yet
13:21:49 ... there should be a .md file somewhere, let me know if you know where to find it
13:22:10 ... then I talked about how we associate features and use cases
13:22:24 ... one thing that's been bugging me: features are different from mitigations
13:22:38 ... and policies are different from technical features
13:22:59 ... technical features support policies, but they are not themselves a feature
13:23:29 ... I have a proposal: We could try to find some categories
13:23:46 ... and then we can try to align it with the discussion
13:24:04 ... a problem is that the discussion took a different path than what's in the presentation
13:25:28 ... (adds a link to the security section in the TPAC minutes to the wiki)
13:26:08 mm: We have two types of notes: the ones from the minutes and the ones I put into the PowerPoint
13:26:18 ... we need to consolidate them
13:26:44 kaz: I can add your summary to the minutes
13:27:01 mm: I want to extract the actionable information
13:27:19 ... we can add a link, but we should extract a summary from the minutes
13:27:52 kaz: From my understanding, your summary included the most important points from the discussion, right?
13:28:32 mm: That was my understanding at the time. However, we should create a separate file with a consolidated summary of both kinds of notes
13:29:23 ... (pastes the notes from the minutes into a new file in the wot repository)
13:29:30 ... I want to summarize this
13:30:31 ... (starts adding bullet points with a summary at the top of the file)
13:30:59 ... the minutes don't really capture more than one category
13:34:13 mm: I guess one criticism we can consider is that the threat model talks about mitigations etc. but the overall structure is not reflected. Could be defined in the use cases and requirements document
13:35:35 ... one thing that I think was brought up by Ege or Luca were safety-critical features and safety-related ontologies
13:36:15 q+
13:36:37 ... Kaz, I want to summarize your points here
13:37:31 kaz: My point was that many guidelines should be regarded for smart cities, e.g. the Japanese guidelines
13:38:02 ... as a follow-up, we can consider the resources that are available with regard to that topic
13:38:21 mm: Sebastian raised the issue of developer awareness
13:39:13 mm: A lot of the points were that people did not know about the guidelines document
13:39:37 ... they often mentioned links, so I'll add that to the summary as well
13:39:56 mm: Then we had Modbus or rather existing standards
13:41:28 q?
13:41:30 ack k
13:41:32 q+
13:42:06 ack k
13:42:53 mm: I think I am going to summarize David's point by adding points regarding different domains (smart home vs factory, health as an example that I mentioned during the discussion but was not recorded in the minutes)
13:43:47 ... (adds a link to the newly created file to the TPAC readme)
13:44:53 ... let's take another look at my notes from the slides
13:45:11 ... looks like they are different, let's see if we can merge them
13:45:34 ... (copies them over to the new file)
13:47:05 ... (incorporates new aspects into the summary)
13:48:30 ack k
13:48:31 q+
13:48:45 ... the two are now merged, looks like the minute taker and I were recording different aspects of the same conversations
13:48:59 kaz: Do you want the link from the minutes to this Markdown?
13:49:04 https://github.com/w3c/wot/blob/main/PRESENTATIONS/2023-09-tpac/2023-09-WoT-TPAC-Security-Discussion.md
13:49:14 mm: Maybe, let me first save this and copy it to the IRC
13:49:30 ... I would put a link to it after my slides
13:49:43 ... and I would do the same for discovery
13:50:05 ... and would ask the others to do the same
13:50:39 mm: So we have some work to do and I have a plan which involves reviewing the existing documents
13:50:50 ... I personally need to cut back a bit on WoT activities
13:51:29 ... and I think we cannot have security experts do everything
13:51:54 ... so I think we need to create a structure to let people do the security assessment easily
13:52:43 ... a higher level way of organizing is needed. We should also have other people read the threat models and incorporate that into their document
13:53:26 ... regarding the time issue: We need to find more people who want to work on this topic
13:53:47 mn: I think it makes sense to have more people on board who are security experts
13:54:20 mm: Besides Siemens, we also used to have an Intel person on board with regard to security
13:54:55 ... we need to identify companies who have a high investment in WoT and want to volunteer security experts to work on this
13:55:37 ... I want to say Microsoft, but no Microsoft employee is attending the calls regularly
13:55:51 kaz: Need to discuss that during the chairs/main call
13:56:03 s/call/calls/
13:56:10 topic: Issues
13:56:17 subtopic: Issue 223
13:56:27 mm: Just noticed that this issue can also be closed
13:56:49 https://github.com/w3c/wot-security/issues/223 closed, respec warnings fixed with https://github.com/w3c/wot-security/pull/226
13:56:57 ... was resolved by issue 226
13:57:01 Issue is closed
13:57:06 subtopic: Issue 222
13:57:26 mm: I think this issue can also be closed since we noticed that links are actually being created
13:57:28 s/issue 226/PR 226/
13:58:12 ... (adds a comment to the issue and closes it)
13:58:18 i|I think this issue can also|-> https://github.com/w3c/wot-security/issues/222 Issue 222 - Create Anchors for Threats|
13:58:43 i|Just noticed that|-> https://github.com/w3c/wot-security/issues/223 Issue 223 - Fix ReSpec warning|
13:58:56 https://github.com/w3c/wot-security/issues/222 closed - not an actual problem, see also https://github.com/w3c/wot-security/pull/224, which was closed without merging
13:59:00 s/is no Microsoft employee/no Microsoft employee is/
13:59:37 mm: Maybe next meeting we should look through the issues and set up a plan in the issue tracker
13:59:50 ... I'll add that to the agenda for next time
14:00:00 [adjourned]
14:00:21 rrsagent, draft minutes
14:00:22 I have made the request to generate https://www.w3.org/2023/09/18-wot-sec-minutes.html kaz
14:04:05 rrsagent, bye
14:04:05 I see no action items