[wot-security] minutes - 22 November 2021

available at:
  https://www.w3.org/2021/11/22-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Philipp!

Kazuyuki

---
   [1]W3C

      [1] https://www.w3.org/

                              WoT Security

22 November 2021

   [2]IRC log.

      [2] https://www.w3.org/2021/11/22-wot-sec-irc

Attendees

   Present
          Jiye_Park, Kaz_Ashimura, Michael_McCool, Philipp_Blum,
          Tomoaki_Mizushima

   Regrets
          -

   Chair
          McCool

   Scribe
          citrullin

Contents

    1. [3]Minutes review
    2. [4]Local transport and secure onboarding
    3. [5]Summary of action items

Meeting minutes

  Minutes review

   <McCool> [6]https://www.w3.org/2021/11/15-wot-sec-minutes.html

      [6] https://www.w3.org/2021/11/15-wot-sec-minutes.html

   McCool: I looked into several IETF documents.
   … having some thoughts on how to proceed with it.

   McCool: Does anyone have objections?

   No objections.

  Local transport and secure onboarding

   [7]https://github.com/w3c/wot-security-best-practices/pull/28

      [7] https://github.com/w3c/wot-security-best-practices/pull/28

   McCool: I read the IETF specification and added a PR for the
   security-best-practices accordingly.

   McCool: Problem is that TLS 1.3 has been released, but DTLS 1.3
   hasn't been released yet.

   Jiye: For TLS 1.3, this privacy exposure risk does not happen?

   McCool: I don't know if that is a problem in TLS 1.3.

   McCool: Offline and local networks are different. Local
   networks only have a NAT, while offline networks don't have a
   connection to the Internet at all. We should split that up into
   different sections.

   <McCool> [8]https://datatracker.ietf.org/doc/html/
   draft-ietf-ace-oauth-authz

      [8] https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz

   Jiye: I wanted to talk about the onboarding stuff.

   McCool added a comment to PR #28

   [9]https://github.com/w3c/wot-security-best-practices/pull/
   28#issuecomment-975534690

      [9] https://github.com/w3c/wot-security-best-practices/pull/28#issuecomment-975534690

   McCool: I think the terminology is confusing.

   Jiye: I agree. What are onboarding, config, and certificates? We
   should clarify the context.

   McCool: The context should be WoT. We can assume that the
   certificate situation is solved.

   Jiye: In order to set up the device, we may want to use a mobile
   phone.

   McCool: We have a lifecycle section in the architecture
   section. It is a bit contradictory and too short anyway.

   McCool: We have the problem that the term "onboarding" is used
   for a lot of things in the industry.

   McCool: There is also a discussion about group keys.

   McCool: In general, group keys are problematic and have holes
   in them. They are also difficult to update.

   McCool adds a comment to #28

   [10]https://github.com/w3c/wot-security-best-practices/pull/
   28#issuecomment-975547662

     [10] https://github.com/w3c/wot-security-best-practices/pull/28#issuecomment-975547662

   McCool: I need to re-read the specification. I am going to add
   all the references when I find them to the comments.

   ACTION: Separate local and offline sections.

   ACTION: deal with TLS 1.3 and DTLS 1.3

   ACTION: finish reading DID, VC, SZTP, BRSKI, Authz, EST

   ACTION: Also should look at MUDs to document trust
   relationships

   <kaz> [adjourned]

Summary of action items

    1. [11]Separate local and offline sections.
    2. [12]deal with TLS 1.3 and DTLS 1.3
    3. [13]finish reading DID, VC, SZTP, BRSKI, Authz, EST
    4. [14]Also should look at MUDs to document trust
       relationships


    Minutes manually created (not a transcript), formatted by
    [15]scribe.perl version 159 (Fri Nov 5 17:37:14 2021 UTC).

     [15] https://w3c.github.io/scribe2/scribedoc.html

Received on Monday, 10 January 2022 08:55:07 UTC