- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 10 Jan 2022 17:47:46 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2021/11/08-wot-sec-minutes.html
also as text below.
Thanks,
Kazuyuki
---
WoT Security
15 November 2021
[2]IRC log.
[2] https://www.w3.org/2021/11/15-wot-sec-irc
Attendees
Present
Jiye_Park, Kaz_Ashimura, Michael_McCool,
Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
kaz
Contents
1. Minutes
2. PR and Issue
Meeting minutes
Minutes
[5]Nov-8
[5] https://www.w3.org/2021/11/08-wot-sec-minutes.html
McCool: think the requirements for the possible management API
are for the next Charter period
Kaz: agree
McCool: (adds note on wot-scripting issue 298 to the
wot-security-best-practices draft)
[6]wot-scripting-api issue 298
[6] https://github.com/w3c/wot-scripting-api/issues/298
Jiye: wondering about the draft
McCool: need to create an actual pull request later
… think the minutes themselves are OK
(approved)
PR and Issue
<McCool> [7]PR 28 - Local transport and secure onboarding
[7] https://github.com/w3c/wot-security-best-practices/pull/28
McCool: related to issues 27 and 13
… issue 13 is about local transport
[8]issue 13 - Update Secure Local Transport
[8] https://github.com/w3c/wot-security-best-practices/issues/13
McCool: it is easiest to handle those two issues at once
… give you a general idea and ask you for opinions
… not directly merged today
[9]Preview - 2. Secure Transport
[9] https://pr-preview.s3.amazonaws.com/mmccool/wot-security-best-practices/pull/28.html#secure-transport
McCool: extended section 2
… we have to revisit the description, e.g., about TLS 1.3
… then two sections
… 2.1 Global Networks
… and
… 2.2 Offline and Local Networks
… pretty straightforward
… how to deal with offline networks is the question
… no connection with the Internet
… like a factory network
… or partial connection like home networks
… need to establish keys
… missing part is onboarding process
… then another paragraph here
… about onboarding practice as a first option
… then 2nd option
… exposing a limited number of secure endpoints
… 2nd option would be better, I think
… then "3. Onboarding"
… need to look into IETF draft on bootstrapping
… the bottom line is that we need to know something about
onboarding
Jiye: any kind of assumption for WoT devices?
McCool: we don't have all the control
… probably need to divide the spec into two pieces, brownfield
devices and greenfield devices
… e.g., we can't control devices conforming to the other
standards like ECHONET
… (adds references to the "3. Onboarding" section)
<McCool> [10]https://datatracker.ietf.org/doc/html/draft-sarikaya-t2trg-sbootstrapping-11
[10] https://datatracker.ietf.org/doc/html/draft-sarikaya-t2trg-sbootstrapping-11
<McCool> [11]https://datatracker.ietf.org/doc/draft-lear-brski-pop/
[11] https://datatracker.ietf.org/doc/draft-lear-brski-pop/
<McCool> [12]https://datatracker.ietf.org/doc/html/rfc8572
[12] https://datatracker.ietf.org/doc/html/rfc8572
<McCool> [13]https://datatracker.ietf.org/doc/html/rfc8995
[13] https://datatracker.ietf.org/doc/html/rfc8995
<McCool> [14]https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-secure-bootstrapping
[14] https://datatracker.ietf.org/doc/html/draft-irtf-t2trg-secure-bootstrapping
McCool: please make comments on the PR
[15]PR 28 - Local transport and secure onboarding
[15] https://github.com/w3c/wot-security-best-practices/pull/28
McCool: we need to look into issues 13, 14 and 27
… would start with 13 and 27
[16]issue 13 - Update Secure Local Transport
[16] https://github.com/w3c/wot-security-best-practices/issues/13
[17]issue 27 - Add Onboarding/Key Distribution Section
[17] https://github.com/w3c/wot-security-best-practices/issues/27
McCool: (adds "BRSKI, DID/VC, Anima" as well)
… regarding "4. Authentication and Access Control"
… we only have OAuth
… need to go through "psk, public, or cert security schemes"
again
… section "6. Object Security" has the same issue
Jiye: will go through the PR
McCool: yes, please look at it in detail
… will fix the style as well
[adjourned]
Minutes manually created (not a transcript), formatted by
[18]scribe.perl version 159 (Fri Nov 5 17:37:14 2021 UTC).
[18] https://w3c.github.io/scribe2/scribedoc.html
Received on Monday, 10 January 2022 08:47:52 UTC