- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 20 Sep 2021 20:12:07 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2021/09/06-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
[1]W3C
[1] https://www.w3.org/
WoT Security
06 September 2021
[2]Agenda. [3]IRC log.
[2] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#6_September_2021
[3] https://www.w3.org/2021/09/06-wot-sec-irc
Attendees
Present
Kaz_Ashimura, Michael_McCool, Oliver_Pfaff,
Philipp_Blum, Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
kaz
Contents
1. [4]Minutes
2. [5]Signatures
3. [6]Issue 16
4. [7]Issue 14
Meeting minutes
Minutes
[8]Aug-30
[8] https://www.w3.org/2021/08/30-wot-sec-minutes.html
McCool: minutes look OK
Kaz: will just fix the style (because we forgot to specify the
scribenick for citrullin)
Signatures
[9]wot-thing-description PR 1151 - WIP: TD Signatures
[9] https://github.com/w3c/wot-thing-description/pull/1151
McCool: (describes the summary)
… discussion on the relationship with XML Signature
[10]Oliver's comments
[10] https://github.com/w3c/wot-thing-description/pull/1151#issuecomment-909073912
McCool: would like to summarize the points maybe using a table
… a concern is what IETF is doing recently
… don't know what kind of strategy people think of
Oliver: good summary
… 3 actions to do here
… 1. work on description
… 2. need for interoperable implementations
… 3. clarifying IETF's approach
… there is a gap in JWS
… Plugfest could be used to check the interoperability
… and we could give some suggestion to IETF
McCool: one possible thing
… signature as an experimental extension
… then later on, could change it based on IETF's work
Oliver: IETF JOSE is a closed WG but COSE WG is still open
… it's working on CBOR, though
McCool: COSE is mandated for CBOR
… not necessarily correct for JOSE
… my feeling is we need much modularity
… if we did it as an extension, push off the feature till the
next spec
… we could write a context file which uses it
… recommend some method to handle the signature
… not MUST but simply recommend
… and for the next Charter we'll make commitment
Oliver: people would like to focus on the signature part
… regardless of the TD part
Philipp: make sense to describe that within the Security Best
Practices document?
McCool: would make sense
Kaz: would agree with that direction for this Charter period
McCool: ok
… (describes updated actions)
… extract the current spec for signatures and put it in a
separate document
Kaz: where to put that?
McCool: maybe under my private repo?
Kaz: maybe a bit confusing
… would be better to create yet another dedicated repo for that
purpose
McCool: ok
… what would be a good name?
Kaz: simply a subdirectory of wot-security, e.g., signature?
McCool: would have trouble with HTML rendering...
(some more discussion on the possible name for the repo)
Kaz: btw, we should have some more discussion with the TAG and
the Security groups too
McCool: yeah, the question here is when we want to use it
[11]fyi, XML Signature Syntax and Processing Version 2.0 REC
[11] https://www.w3.org/TR/2015/NOTE-xmldsig-core2-20150723/
Kaz: think we should start with discussion with PLH and Ralph
McCool: (adds some more comments on expected actions)
… we need to collaborate with IETF too
… when is their next meeting?
[12]IETF meetings
[12] https://www.ietf.org/how/meetings/upcoming/
McCool: IETF 112 will be held Nov 6-12
Kaz: technically, we can invite somebody from IETF to our vF2F
during TPAC
McCool: yeah, we can do that too
… e.g., Carsten Bormann
… we need at least one implementation for IETF, and two if we
want to make it a W3C REC
… wondering if we want to include this into our next WoT WG
Charter
… not critical for TD 2.0 if it becomes an IETF RFC and we
simply cite it
… for TD 1.x, it would be optional/experimental and invokable
by using an extension vocabulary.
[13]McCool's updated comments
[13] https://github.com/w3c/wot-thing-description/pull/1151#issuecomment-913621245
Issue 16
[14]Issue 16 - Expand Acknowledgements
[14] https://github.com/w3c/wot-security-best-practices/issues/16
McCool: need to check who made contributions
… (checks the GitHub repository)
[15]McCool's comments
[15] https://github.com/w3c/wot-security-best-practices/issues/16#issuecomment-913626699
Issue 14
[16]Issue 14 - TD Signatures, Key Management, and Object
Security
[16] https://github.com/w3c/wot-security-best-practices/issues/14
<citrullin> [17]related PR 1151 on the wot-thing-description
repo
[17] https://github.com/w3c/wot-thing-description/pull/1151
[18]McCool's comments to Issue 14
[18] https://github.com/w3c/wot-security-best-practices/issues/14#issuecomment-913628134
[19]also another comment to TD PR 1151
[19] https://github.com/w3c/wot-thing-description/pull/1151#issuecomment-913628939
[adjourned]
Minutes manually created (not a transcript), formatted by
[20]scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).
[20] https://w3c.github.io/scribe2/scribedoc.html
Received on Monday, 20 September 2021 11:12:14 UTC