- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 10 Jan 2022 17:41:00 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2021/09/20-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
[1]W3C
[1] https://www.w3.org/
WoT Security
20 September 2021
[2]IRC log.
[2] https://www.w3.org/2021/09/20-wot-sec-irc
Attendees
Present
Kaz_Ashimura, Michael_McCool Philipp_Blum,
Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
kaz
Contents
1. [3]Preliminary
2. [4]Minutes
3. [5]Best Practices document
4. [6]DID-related issues
5. [7]Signature
6. [8]Best Practices (revisited)
7. [9]Signature (revisited)
Meeting minutes
Preliminary
McCool: would cancel the calls during Plugfest and vF2F weeks
[10]meeting cancellations
[10] https://www.w3.org/WoT/IG/wiki/IG_Security_WebConf#Cancellations
Minutes
[11]Sep-13
[11] https://www.w3.org/2021/09/13-wot-sec-minutes.html
McCool: detailed issues on signature?
Kaz: on TD issue 1151
[12]TD Issue 1151
[12] https://github.com/w3c/wot-thing-description/pull/1151
<McCool> [13]https://github.com/w3c/wot-thing-description/pull/
1151#issuecomment-913621245
[13] https://github.com/w3c/wot-thing-description/pull/1151#issuecomment-913621245
1. (Kaz) Set up a repo for the new document. Something generic
like enveloped-json-signatures; note, not associated with wot.
If using wot prefix is required, then it can be
wot-enveloped-json-signatures (or how about wot-ejs, since will
be easier to share).
2. (McCool) Extract the current spec for signatures and put it
in a separate document. Will just copy the TD spec, delete
everything not related to signatures, make it a W3C (Draft)
Note, etc.
3. (McCool) Cleanup, following Oliver's suggestions. In
particular, relate explicitly to XML Signatures and JWS,
explain motivation, put in tables to compare and map features,
etc.
4. (Kaz, McCool) Reach out to W3C TAG to discuss.
5. (Oliver, McCool) Reach out to IETF, JOSE/COSE/JWS community
to get alignment, and converge on a standard. IETF 112 is Nov
6-12, and/or we could invite someone (Carsten Bormann would be
good to reach out to) to our F2F.
We still want implementations for IETF "working code" process.
Need at least one to drive discussion at IETF, two if we want
to proceed to a W3C REC. Two would be a good idea to test
interop even if doing an IETF RFC.
Discuss (e.g. at F2F) whether this should go into our next WoT
WG charter. McCool's opinion: not critical to be in our charter
if our goal is to make it an IETF RFC that we can just cite,
then our only action will be to cite it for TD 2.0. For TD 1.x
it would be optional/experimental and invokable by using an
extension vocabulary.
]]
McCool: Kaz did 1
… myself did 2
McCool: (creates another issue on wot-ejs itself)
[14]wot-ejs Issue 6 - Cleanup (referring to the TD Issue 1151's
action items)
[14] https://github.com/w3c/wot-ejs/issues/6
McCool: (continues to review the prev minutes)
… minutes seem to be fine
… any objections?
<McCool> change "contribution" to "contribution to
wot-security-best-practices acks"
(the above clarification added)
and minutes approved
Best Practices document
[15]PR 25 - Add content to Acks
[15] https://github.com/w3c/wot-security-best-practices/pull/25
McCool: (goes through the PR)
… reasonably accurate
<citrullin> Philipp-Alexander Blum
Philipp: to be strict, my official name is "Philipp_Alexander"
:)
McCool: ok
… fixed
… and merged
DID-related issues
McCool: added "DID" label to Issue 14 and 13
[16]Issue 14 - TD Signatures, Key Management, and Object
Security
[16] https://github.com/w3c/wot-security-best-practices/issues/14
[17]Issue 13 - Update Secure Local Transport
[17] https://github.com/w3c/wot-security-best-practices/issues/13
[18]related wot issue 982 - Joint call with DID
[18] https://github.com/w3c/wot/issues/982
McCool: would discuss those points during the joint call at
TPAC
… any other groups for security discussion?
Kaz: not specifically
… had a chat with Ajitomi-san and Igarashi-san as the co-Chairs
of the HTTP Local CG
… they were also interested in this topic, though they didn't
think a separate meeting with the CG would be needed
McCool: ok
Signature
[19]wot-ejs repo
[19] https://github.com/w3c/wot-ejs
McCool: have updated the repo
… GH pages is also available now
[20]GH page version
[20] https://w3c.github.io/wot-ejs/
McCool: there is a vocabulary
… and processing procedure
… wondering about "canonical TD" at step 4 and 5
… the Acknowledgements section has Ege and Oliver now
… will add Philipp
[21]Issue 7 - Update Acks (to include Philipp-Alexander)
[21] https://github.com/w3c/wot-ejs/issues/7
McCool: also context URL to be defined
[22]Issue 8 - Define context URL
[22] https://github.com/w3c/wot-ejs/issues/8
Best Practices (revisited)
[23]Issue 13 - Update Secure Local Transport
[23] https://github.com/w3c/wot-security-best-practices/issues/13
McCool: looked at the DID Test Suite
[24]DID Test Suite
[24] https://w3c.github.io/did-test-suite/
McCool: which methods listed here would make sense for WoT
Philipp: would get suggestions from the DID WG guys
[25]4.3 Summary by Method Implementation
[25] https://w3c.github.io/did-test-suite/#implementation-summary
Signature (revisited)
[26]Issue 5 - Consider extending to also supporting enveloping
signatures
[26] https://github.com/w3c/wot-ejs/issues/5
McCool: change the title to "Extended JSON Signature", etc.?
… would suggest "Embedded JSON Signature"
… (adds an example code on Issue 5)
[27]McCool's comments including example codes
[27] https://github.com/w3c/wot-ejs/issues/5#issuecomment-922896640
McCool: (adds clarification that for TD, we'd use the 2nd
example)
Kaz: do you have anybody from the IETF side to discuss this
topic with?
McCool: no, not yet
… would start with Carsten, Ari, etc.
Kaz: will we mention this point as well during the expected
joint meeting with DID?
McCool: good point
[adjourned]
Minutes manually created (not a transcript), formatted by
[28]scribe.perl version 136 (Thu May 27 13:50:24 2021 UTC).
[28] https://w3c.github.io/scribe2/scribedoc.html
Received on Monday, 10 January 2022 08:41:06 UTC