- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Mon, 10 Jan 2022 17:55:00 +0900
- To: public-wot-ig@w3.org, public-wot-wg@w3.org
available at:
https://www.w3.org/2021/11/22-wot-sec-minutes.html
also as text below.
Thanks a lot for taking the minutes, Philipp!
Kazuyuki
---
[1]W3C
[1] https://www.w3.org/
WoT Security
22 November 2021
[2]IRC log.
[2] https://www.w3.org/2021/11/22-wot-sec-irc
Attendees
Present
Jiye_Park, Kaz_Ashimura, Michael_McCool, Philipp_Blum,
Tomoaki_Mizushima
Regrets
-
Chair
McCool
Scribe
citrullin
Contents
1. [3]Minutes review
2. [4]Local transport and secure onboarding
3. [5]Summary of action items
Meeting minutes
Minutes review
<McCool> [6]https://www.w3.org/2021/11/15-wot-sec-minutes.html
[6] https://www.w3.org/2021/11/15-wot-sec-minutes.html
McCool: I looked into several IETF documents.
… and have some thoughts on how to proceed with it.
McCool: Anyone having objections?
No objections.
Local transport and secure onboarding
[7]https://github.com/w3c/wot-security-best-practices/pull/28
[7] https://github.com/w3c/wot-security-best-practices/pull/28
McCool: I read the IETF specification and added a PR for the
security-best-practices accordingly.
McCool: The problem is that TLS 1.3 has been released, but DTLS 1.3
hasn't been released yet.
Jiye: For TLS 1.3, does this privacy exposure risk not occur?
McCool: I don't know if that is a problem in TLS 1.3.
McCool: Offline and local networks are different. Local
networks only have a NAT, while offline networks don't have a
connection to the Internet at all. We should split that up in
different sections.
<McCool> [8]https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz
[8] https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz
Jiye: I wanted to talk about the onboarding stuff.
McCool added a comment to PR #28
[9]https://github.com/w3c/wot-security-best-practices/pull/28#issuecomment-975534690
[9] https://github.com/w3c/wot-security-best-practices/pull/28#issuecomment-975534690
McCool: I think the terminology is confusing.
Jiye: I agree. What are onboarding, config, and certificates? We
should clarify the context.
McCool: The context should be WoT. We can assume that the
certificates situation is solved.
Jiye: In order to set up the device we may want to use a mobile
phone.
McCool: We have a lifecycle section in the architecture
specification. It is a bit contradictory and too short anyway.
McCool: We have the problem that the term "onboarding" is used
for a lot of things in the industry.
McCool: There is also a discussion about group keys.
McCool: In general, group keys are problematic and have holes
in them. They are also difficult to update.
McCool adds a comment to #28
[10]https://github.com/w3c/wot-security-best-practices/pull/28#issuecomment-975547662
[10] https://github.com/w3c/wot-security-best-practices/pull/28#issuecomment-975547662
McCool: I need to re-read the specification. I am going to add
all the references to the comments as I find them.
ACTION: Separate local and offline sections.
ACTION: Deal with TLS 1.3 and DTLS 1.3
ACTION: Finish reading DID, VC, SZTP, BRSKI, Authz, EST
ACTION: Also look at MUDs to document trust relationships
<kaz> [adjourned]
Summary of action items
1. [11]Separate local and offline sections.
2. [12]Deal with TLS 1.3 and DTLS 1.3
3. [13]Finish reading DID, VC, SZTP, BRSKI, Authz, EST
4. [14]Also look at MUDs to document trust relationships
Minutes manually created (not a transcript), formatted by
[15]scribe.perl version 159 (Fri Nov 5 17:37:14 2021 UTC).
[15] https://w3c.github.io/scribe2/scribedoc.html
Received on Monday, 10 January 2022 08:55:07 UTC