13:02:23 <RRSAgent> RRSAgent has joined #wot-sec
13:02:27 <RRSAgent> logging to https://www.w3.org/2023/09/25-wot-sec-irc
13:02:28 <kaz> meeting: WoT Security
13:03:00 <Mizushima> Mizushima has joined #wot-sec
13:04:09 <McCool> McCool has joined #wot-sec
13:07:34 <kaz> scribenick: kaz
13:07:48 <kaz> agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#25_September_2023
13:07:51 <kaz> topic: Minutes
13:08:13 <kaz> -> https://www.w3.org/2023/09/18-wot-sec-minutes.html Sep-18
13:08:16 <kaz> mm: looks good
13:08:23 <kaz> ... any objections?
13:08:27 <kaz> (approved)
13:09:43 <kaz> kaz: suggest I send a consolidated email including URLs of draft minutes from the week with URLs of approved minutes from the previous week.
13:09:46 <kaz> mm: sounds good
13:10:12 <kaz> topic: Todo
13:10:15 <mahda-noura> mahda-noura has joined #wot-sec
13:10:23 <kaz> mm: use case discussion to be resumed
13:10:37 <kaz> present+ Kaz_Ashimura, Michael_McCool, Mahda_Noura, Tomoaki_Mizushima
13:10:40 <mahda-noura> present+ Mahda_Noura
13:11:18 <kaz> ... (updates the agenda with "Use Cases and Requirements")
13:11:39 <kaz> ... (also adds "Next agenda")
13:12:20 <kaz> ... (then creates an entry for "Oct 2" on the Security agenda wiki)
13:12:27 <kaz> topic: PRs and Issues
13:13:12 <kaz> subtopic: PR 210
13:13:20 <kaz> -> https://github.com/w3c/wot-security/pull/210 PR 210 - Proposed Changes for 2023 Update
13:13:22 <kaz> q+
13:13:39 <kaz> ack k
13:13:51 <kaz> mm: would close this PR 210 for the 2023 planning
13:13:57 <kaz> kaz: agree to close it
13:14:14 <kaz> ... what is more important at the moment is resuming the discussion on use cases
13:14:43 <kaz> subtopic: Issue 209
13:14:53 <kaz> -> https://github.com/w3c/wot-security/issues/209 Issue 209 - Update "Security and Privacy Guidelines" prior to 2023 PR transitions
13:15:01 <kaz> mm: useful comments here
13:15:10 <McCool> this issue has the list of considerations: https://github.com/w3c/wot-security/issues/209
13:15:13 <kaz> ... (goes through the comments on the issue)
13:15:50 <kaz> ... probably we should go through and make some of them as separate issues
13:15:54 <kaz> s/as //
13:17:30 <kaz> ... (creates another "survey.md" file based on the comments)
13:17:53 <McCool> https://github.com/w3c/wot-security/pull/227
13:17:58 <kaz> ->https://github.com/w3c/wot-security/blob/main/Survey.md Survey.md
13:18:34 <kaz> s|https://github.com/w3c/wot-security/pull/227|-> https://github.com/w3c/wot-security/pull/227 PR 227 - Create Survey.md|
13:18:57 <kaz> subtopic: Issue 206
13:19:12 <kaz> -> https://github.com/w3c/wot-security/issues/206 Issue 206 - Add and Update References
13:19:30 <kaz> mm: discussion when Lagally was around
13:19:38 <kaz> ... need to think about tha
13:19:42 <kaz> s/tha/that/
13:20:16 <kaz> ... not just add references but add description on cloud security
13:20:39 <kaz> ... unfortunately, myself don't have enough time at the moment
13:21:09 <kaz> kaz: so we need some volunteer to handle this
13:21:12 <kaz> mm: good point
13:21:32 <kaz> ... was originally assigned to Jiye
13:21:53 <kaz> kaz: could ask Mahda instead?
13:22:23 <kaz> mn: yeah
13:22:38 <kaz> mm: probably take something straight forward
13:23:29 <McCool> https://github.com/w3c/wot-security/issues/213
13:23:58 <kaz> i|213|subtopic: Issue 213
13:24:25 <kaz> s|https://github.com/w3c/wot-security/issues/213|-> https://github.com/w3c/wot-security/issues/213 Issue 213 - Rename "Requirements" section to "Analysis"
13:24:44 <kaz> mm: would ask Mahda to take Issue 213 for Jiye
13:24:50 <kaz> mn: ok
13:24:54 <kaz> kaz: what about 206?
13:25:03 <kaz> subtopic: Issue 206 - revisited
13:25:24 <kaz> -> https://github.com/w3c/wot-security/issues/206 Issue 206 - Add and Update Cloud and Terminology References
13:25:37 <kaz> mm: would you mind thinking about this Issue 206 as well, Mahda?
13:26:01 <kaz> ... the question is that cloud security would be a big area
13:26:37 <kaz> q+
13:27:19 <kaz> kaz: probably we should clarify our scope for "WoT security" a bit clearer
13:28:18 <kaz> ... some people might expect "WoT should cover cloud security as well as IoT security"
13:28:26 <kaz> mm: that's too broad
13:28:30 <kaz> kaz: yeah
13:29:00 <kaz> ... so we should clarify our scope and how WoT developers are encouraged to use WoT with the other security mechanisms as a guideline
13:29:10 <kaz> rrsagent, make log public
13:29:14 <kaz> rrsagent, draft minutes
13:29:15 <RRSAgent> I have made the request to generate https://www.w3.org/2023/09/25-wot-sec-minutes.html kaz
13:29:22 <kaz> present+ Jan_Romann
13:29:23 <kaz> chair: McCool
13:29:53 <kaz> mm: (creates a separate issue on "IoT-Cloud Integration")
13:30:18 <kaz> -> https://github.com/w3c/wot-security/issues/228 Issue 228 - IoT-Cloud Integration Threat Analysis
13:31:14 <kaz> mm: (also adds comments to Issue 206)
13:31:20 <kaz> -> https://github.com/w3c/wot-security/issues/206#issuecomment-1733713869 McCool's comments
13:31:31 <kaz> [[
13:31:39 <kaz> So probably best to focus this on IoT/Cloud integration, but the above references are about the broader context of cloud security. So we probably want to look for better, more focused references for IoT-Cloud integration. Second we probably want to think about specific threats and risks for cloud integration but that can be a separate issue...
13:31:39 <kaz> #228
13:31:40 <kaz> ]]
13:31:46 <kaz> [[
13:31:58 <kaz> Also, I think we should deal with the "Terminology" reference above separately and focus in this issue on finding an including a good reference for IoT-Cloud integration security.
13:31:58 <kaz> ]]
13:32:17 <kaz> mm: can reuse some of the existing definitions...
13:32:26 <kaz> ... any thoughts on this, Mahda?
13:32:54 <kaz> ... would like to assign this to you, Mahda
13:33:13 <kaz> ... narrow task is finding a nice reference
13:33:59 <kaz> subtopic: Issue 205
13:34:15 <kaz> -> https://github.com/w3c/wot-security/issues/205 Issue 205 - Mapping tuya device
13:34:24 <kaz> mm: think this should be moved to TD
13:34:41 <kaz> q+
13:36:12 <kaz> ack k
13:36:32 <kaz> kaz: kind of similar discussion around node-wot was held during the Scripting API call
13:37:32 <kaz> ... I think we as the WoT WG/IG as a whole should have some discussion about how to deal with input from node-wot developers within the WoT WG/IG Task Forces
13:37:37 <kaz> mm: yeah
13:37:46 <kaz> ... having duplicated discussions would be confusing
13:38:21 <kaz> ... for example, this issue 205 should be transferred to wot-thing-description repository
13:38:22 <kaz> q?
13:39:03 <kaz> ... with a label of "Security"
13:39:04 <kaz> q+
13:39:56 <kaz> ... so that the Security TF are aware them and will review them
13:40:14 <kaz> kaz: think that's kind of similar to the mechanism of the Wide Reviews
13:40:17 <kaz> mm: yeah
13:41:12 <kaz> ... how about adding reviews for issues with "Security" from wot-thing-description repository?
13:41:30 <kaz> s/repository?/repository to the Security TF agenda?/
13:41:35 <kaz> q?
13:42:12 <kaz> kaz: you mean not only for wot-thing-description but also wot-architecture, wot-discovery, etc.?
13:42:14 <kaz> mm: right
13:42:20 <kaz> ... wot-scripting-api as well
13:42:24 <kaz> kaz: ok
13:42:30 <kaz> ack k
13:42:40 <kaz> subtopic: Issue 204
13:42:55 <kaz> -> https://github.com/w3c/wot-security/issues/204 Issue 204 - Review Security Architecture of Home Assistant
13:43:33 <kaz> mm: there was discussion by the WoT CG (during TPAC breakouts) on "Home Assistant"
13:43:43 <kaz> ... they use bearer token
13:44:05 <kaz> ... we could close this issue 204 itself
13:44:07 <kaz> q+
13:44:25 <kaz> ... because I've looked at their approach already
13:44:59 <kaz> ack k
13:45:11 <kaz> kaz: closing this issue itself is fine
13:45:37 <kaz> ... but we should clarify some further mechanism by another issue for binding, etc.?
13:45:48 <kaz> mm: the bottom line is already done
13:45:57 <kaz> ... further research can be done by another issue
13:46:21 <kaz> ... any objections to close Issue 204 itself?
13:46:26 <kaz> (no objections)
13:46:28 <kaz> (closed
13:46:34 <kaz> s/closed/closed)/
13:46:52 <kaz> subtopic: Issue 203
13:47:03 <kaz> -> https://github.com/w3c/wot-security/issues/203 Issue 203 - Consolidate security issues of use cases document
13:47:19 <kaz> mm: now, we should discuss use cases document!
13:47:26 <kaz> rrsagent, draft minutes
13:47:27 <RRSAgent> I have made the request to generate https://www.w3.org/2023/09/25-wot-sec-minutes.html kaz
13:47:54 <kaz> q+
13:48:16 <kaz> ack k
13:48:43 <kaz> kaz: this is also related to the discussion we had 5 mins ago
13:49:20 <kaz> ... putting "Security" label to the issues from all the WoT spec repositories related to WoT Security
13:49:39 <kaz> mm: ok
13:49:46 <kaz> ... let's keep this Issue 203 open
13:50:07 <kaz> -> https://github.com/w3c/wot-security/issues/203#issuecomment-1733750669 McCool's comments
13:50:39 <McCool> https://github.com/w3c/wot-usecases/issues/229
13:51:58 <kaz> mm: (transferred wot-security Issue 203 to wot-usecases Issue 229)
13:52:50 <kaz> topic: Next agenda
13:53:29 <kaz> mm: Next time, let's review issues from other repos related to WoT Security
13:53:40 <kaz> ... e.g., wot-usecases/issues/229
13:54:00 <kaz> topic: TPAC Followup
13:54:13 <kaz> mm: probably we should create a file on our plan
13:54:47 <kaz> ... to update the Use Cases and Requirements document
13:54:49 <kaz> q+
13:55:14 <kaz> ... create issues in wot-usecases repo to execute security revisions
13:55:46 <kaz> ack k
13:55:58 <kaz> kaz: restarting the use cases discussion is great
13:56:14 <kaz> ... but how to deal with the use cases discussion in general is a question
13:56:47 <kaz> ... so if we want to start with the use cases for security during the WoT Security call, we should declare that plan during the main call
13:57:06 <kaz> mm: starting initial discussion on security first
13:57:18 <kaz> ... and think about how to update the use cases document
13:57:52 <kaz> ... will mention the plan during the main call on Wednesday
13:57:56 <kaz> kaz: ok
13:58:03 <kaz> mm: please remind me if I forget :)
13:58:32 <kaz> [adjourned]
13:58:52 <kaz> rrsagent, draft minutes
13:58:53 <RRSAgent> I have made the request to generate https://www.w3.org/2023/09/25-wot-sec-minutes.html kaz