13:01:51 RRSAgent has joined #wot-sec
13:01:55 logging to https://www.w3.org/2023/10/02-wot-sec-irc
13:01:58 meeting: WoT Security
13:02:07 present+ Kaz_Ashimura, Mahda_Noura
13:03:40 McCool has joined #wot-sec
13:04:04 agenda: https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#2_October_2023
13:07:50 scribenick: mahda-noura
13:08:19 -> https://www.w3.org/2023/09/25-wot-sec-minutes.html Sep-25
13:09:45 rrsagent, make log public
13:09:53 rrsagent, draft minutes
13:09:55 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:11:18 mm: review of the minutes
13:11:33 i/Sep-25/topic: Prev minutes/
13:11:37 (approved)
13:11:45 chair: McCool
13:11:57 present+ Michael_McCool, Tomoaki_Mizushima
13:12:02 present+ Jan_Romann
13:12:10 topic: Issues of Repo
13:12:32 subtopic: TD
13:12:47 -> https://github.com/w3c/wot-thing-description/issues?q=is%3Aopen+label%3ASecurity+sort%3Aupdated-desc wot-thing-description repo - security issues
13:13:02 mm: we can't really close issues in those repos and closing labels, there are a few security labels and quite a few, around 20 of them, open
13:13:12 mm: there is stuff specific to a given protocol
13:13:24 ...there are features, marked as proposed closing
13:13:33 ...there are new features
13:14:13 ...there is one related to missing ontology
13:14:52 ...there is one on a general issue, that could be hard to fix, because the API is HTTP specific, maybe it could have an openAPI consistent specific security scheme
13:15:07 ...there are a few that are open and marked as deferred
13:15:41 luca_barbato has joined #wot-sec
13:15:54 mm: alot of these issues have been resolved but not closed
13:16:16 present+ Luca_Barbato
13:16:22 s/alot/a lot/
13:16:25 q+
13:17:03 -> https://github.com/w3c/wot-thing-description/issues/1394 wot-thing-description Issue 1394 - name and in fields for BasicSecurityScheme and DigestSecurityScheme needed?
13:17:44 mm: we could resolve this by having an extra statement, we need aPR
13:17:54 Jan: I think there is already a PR
13:17:56 s/aPR/a PR/
13:18:02 mm: make auto the default
13:19:37 mm: comments on the PR: "When we reorganize the security schemes to move protocol-specific schemes to bindings we can clean this up. Really the Basic scheme for HTTP should always use the header specified in the standard and so an "in" field is not required"
13:19:41 q?
13:20:31 kaz: has comments, given that there are many issues that are not security-related, for version 2.0 we clarify use case scenarios and system modules for proposed issue and feature
13:20:36 ack k
13:20:51 mm: in general, we need to at least talk about the process
13:20:56 kaz: that's right
13:21:11 q+
13:21:22 JKRhb has joined #wot-sec
13:21:46 q+
13:22:05 mm: in terms of the time spent, my main concern here is that we have some open security issues, I would like to resolve the ones that are not marked as deferred and some of these are going to be resolved by re-organizing things
13:22:22 ...does anybody have a particular issue that they would like to look at now?
13:22:42 kaz: this is similar to what I have in mind
13:23:22 ...if those issues include new features we need to think about use cases
13:23:57 mm: a different procedure for a "bug fix" label than a new feature label
13:24:31 s/this is/Right. Actually, what you mean is/
13:24:39 ...some require improving the presentation
13:25:28 jan: I have 2 question, should we defer to 2.0
13:25:43 s/if those issues include/if some the remaining issues are bug fixes or editorial fixes, we could apply them without use case clarification. On the other hand, if some others are /
13:26:00 rrsagent, draft minutes
13:26:01 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:26:13 mm: we are past the publication time of TD 1.0
13:26:38 jan: there is one security issue with a label td 1.1. it is implicit password flows 949
13:26:39 s/2 question/2 questions/
13:27:06 mm: I think there was a render script issue and the ontology was correct
13:27:20 mm: I think this one has been fixed
13:28:02 jan: I think there is another issue 949
13:29:02 mm: another issue for creating an ontology, we decided not to do this
13:30:35 mm: issue has been resolved (or really not an issue) so propose closing it. However, we might still want to create ontology files for other OAuth2 flows, but this should be done as part of our general security/bindings reorg."
13:30:56 i|I have 2|-> https://github.com/w3c/wot-thing-description/issues/949 wot-thing-description Issue 949 - We need extension ontology to include implicit and password flows in OAuth2|
13:30:59 mm: any objections?
13:31:19 topic: Discovery
13:31:37 mm: I think these are all feature proposals
13:31:42 i|Discovery|-> https://github.com/w3c/wot-thing-description/issues/949#issuecomment-1743021807 McCool's comment on Issue 949|
13:32:07 ... to get to kaz's point they should be all connected
13:32:30 ...object security e.g., is another feature
13:32:30 i|I think|-> https://github.com/w3c/wot-discovery/issues?q=is%3Aopen+label%3ASecurity+sort%3Aupdated-desc wot-discovery - Security Issues|
13:32:37 rrsagent, draft minutes
13:32:38 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:32:48 ...is there anything that we should do here at the moment?
13:33:05 ...for architecture we have two things marked as security
13:33:10 s/to get to kaz's point they should be all connected/as Kaz pointed out, we need to clarify use cases for new features./
13:33:34 ...mm commented on issue 508
13:33:59 i/for archi/subtopic: Architecture/
13:34:20 i|for archi|-> https://github.com/w3c/wot-architecture/issues?q=is%3Aopen+label%3Asecurity+sort%3Aupdated-desc wot-architecture - Security Issues|
13:34:57 -> https://github.com/w3c/wot-architecture/issues/508#issuecomment-1743028345 McCool's comment on Issue 508|
13:35:03 s/508|/508/
13:35:07 rrsagent, draft minutes
13:35:08 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:35:14 mm: issue 553 is more complicated, they want to have clear information on how information is managed
13:35:51 i|issue 553|-> https://github.com/w3c/wot-architecture/issues/553 wot-architecture Issue 553 - Information lifecycle
13:35:53 rrsagent, draft minutes
13:35:54 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:36:31 ... we need to have an explanatory note on how information is managed
13:36:31 topic: profiles
13:36:31 mm: it's going to be hard to make progress on Profiles
13:36:34 s/Issues of Repo/Issues on the other TF's repos labeled as "Security"/
13:36:46 s/topic: Discovery/subtopic: Discovery/
13:36:47 rrsagent, draft minutes
13:36:49 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:37:29 i|it's going|-> https://github.com/w3c/wot-profile/issues?q=is%3Aopen+label%3Asecurity+sort%3Aupdated-desc wot-profile - Security Issues|
13:37:45 ...a general issue SSE, and WebHook are easier to fix and harder in some ways
13:38:42 jan: is this a recommended security issue number 6
13:39:26 mm: I think we did already some of these, the problem is that there was parallel re-org, and I lost track where things were going
13:40:20 mm: I think some of the issues here will go away once we reorganize security schemes to only be applicable in particular bindings
13:40:45 i|a general|-> https://github.com/w3c/wot-profile/issues/6 wot-profile Issue 6 - Recommended Security|
13:40:47 rrsagent, draft minutes
13:40:48 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:41:18 -> https://github.com/w3c/wot-profile/issues/6#issuecomment-1743039322 McCool's comment to Issue 6
13:42:42 ...these labels security-tracker and security-needs-resolutions need to be used by general review and the security groups inside the w3c
13:42:57 ...the annoying thing with these labels is that you can add them, but you can't remove them
13:43:24 i|these labels|subtopic: Scripting API|
13:43:30 ...we should either use a new label and ask them not to do this
13:45:06 i|these labels|-> https://github.com/w3c/wot-scripting-api/labels/security-tracker wot-scripting-api - security-tracker Issues|
13:45:19 mm: he commented on issue number 315
13:46:18 jan: so the security-tracker label, we removed?
13:46:44 s|-> https://github.com/w3c/wot-scripting-api/labels/security-tracker wot-scripting-api - security-tracker Issues|-> https://github.com/w3c/wot-scripting-api/labels?q=security security-related labels on the wot-scripting-api repo|
13:46:53 mm: if you want an external reviewer to review an issue you can use the "security-issue" tracker
13:46:55 q+
13:47:04 ... we can't remove it, we should use another label
13:47:31 kaz: maybe we can remove them with the delete the button
13:47:52 mm: it used to be that when trying to remove the label, a bot is triggered which returns the label
13:48:07 mm: maybe they fixed it now
13:48:22 s|with the delete the button|again on https://github.com/w3c/wot-scripting-api/labels?q=security|
13:48:38 rrsagent, draft minutes
13:48:40 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:49:28 kaz: we can simply copy the issue to another new issue, if needed
13:49:39 mm: yes
13:49:48 subtopic: use cases and requirements
13:51:00 mm: for use cases we need a separate label
13:51:04 s/subtopic: use cases and requirements/subtopic: Usage of labels/
13:51:43 ...we should have one label for security and one for privacy
13:51:52 s/for use cases/for use case discussion on the wot-usecases repo,/
13:52:02 s/and one/and another/
13:53:15 subtopic: wot-security issues
13:53:25 mm: we have three PRs
13:53:34 s/for use case/there was a "security-privacy" label for the wot-usecases repo, but for use case/
13:53:37 rrsagent, draft minutes
13:53:38 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:53:55 s/subtopic: wot-s/topic: wot-s/
13:53:57 rrsagent, draft minutes
13:53:58 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:54:35 jan: philip raised an issue a couple of years ago, remove rawgit links from README issue 230, it's a trivial PR
13:54:35 mm: any objections to merge this PR?
13:54:35 https://github.com/w3c/wot-security/pull/230
13:55:10 i|philip raised|subtopic: PR 230|
13:55:14 s|https://github.com/w3c/wot-security/pull/230||
13:55:36 i|philip raised|-> https://github.com/w3c/wot-security/pull/230 PR 230 - Remove rawgit links from README|
13:55:37 https://github.com/w3c/wot-security/pull/227
13:55:45 i/227/(merged)/
13:55:54 i/227/subtopic: PR 227/
13:56:25 s|https://github.com/w3c/wot-security/pull/227|-> https://github.com/w3c/wot-security/pull/227 PR 227 - Create Survey.md|
13:56:33 (merged)
13:56:38 subtopic: PR 229
13:57:05 -> https://github.com/w3c/wot-security/pull/229 PR 229 - Rename Requirements section to Analysis #213
13:57:15 rrsagent, draft minutes
13:57:16 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
13:57:47 (deferred to the next time)
13:57:49 mm: next time we should prioritize the use cases process and not do the PR every time
13:57:54 [adjourned]
13:57:56 rrsagent, draft minutes
13:57:57 I have made the request to generate https://www.w3.org/2023/10/02-wot-sec-minutes.html kaz
16:00:14 Zakim has left #wot-sec