See also: IRC log
<inserted> scribenick: kaoru
Oliver, Siemens: rather security than wot
Kaoru, Lepidum: oauth, openid
Qing An
Matsuki, Hitachi: software development, compilers, etc.
James, HP: application security testing
Daniel, @: IoT last 10 years, low level stacks, security key-exchange
Carsten, @: 3 decades on iot, system quality and information security
Oliver presents slides https://www.w3.org/WoT/IG/wiki/images/e/ea/Landscape_of_Security_%26_Privacy_Means.pdf
Oliver:
https://www.w3.org/WoT/IG/wiki/Landscape_of_Security&Privacy_Means
...
https://www.w3.org/WoT/IG/wiki/Design-Time_Security%26Privacy_Means
... Various technologies are surveyed in a uniform structure on
this page.
... Design-time is analyzing what tools are available and
usable.
... Runtime means you must monitor how the system goes.
... Most of the landscape we focus on is in design-time.
James: Functionally, design-/run-time have some overlaps.
Oliver: Customers ask for security
functionality and products, but are not experts on TLS, OAuth, etc.
We find technologies they should invest in. Mechanisms are mostly
in the design phase.
... @@ are design-time deliverables. Then implement.
... Runtime is something you test. E.g. how TLS/SSL is
configured
... Overview of WoT as distributed systems
... Things, user agents, intermediaries
... They are always distributed.
... Distributed system study started in the 60s/70s. Protection of DS
has a lot of prior art.
... Five disciplines: Privacy, Authorization, Authentication,
Secure communications and storage, Provisioning and
credentialing
Granting access to an online bank account is either authorizing or credentialing?
James: Both provisioning an account and then giving an authorization.
Oliver: Branch manager is not relevant in this scenario.
Carsten: I'm trying to understand difference between provisioning and authorization
Oliver: Provisioning is just a preparation. To register a user into the database.
Carsten: Doesn't that already give authorization?
Oliver: at this time, no.
... Usually authentication goes under this. No money to manage
yet.
... Suppose now we have $1000 in the balance database. We want
to transfer money.
... One pain point is explaining what's the authorization here
in natural language.
... Next pain is to describe the owner resource model. That's by
linking the account to the balance.
... Giving credentials to the account for future
authorizations.
... We have to describe this scenario at the pattern level and the
technology level.
Slide 6
Oliver:
Characteristics/dependencies of the disciplines.
... Privacy is human-centric in definition
James: Privacy vs confidentiality?
Oliver: secure communication helps privacy
James: Secure comm and storage
are tools to control privacy. Privacy is by definition not
related to corporations.
... We need something like privacy for companies; I don't know
what we call that.
Oliver: Authorization is
different for legal entity vs. individually-owned
resources.
... Authentication is most complicated
... A trusted 3rd party called IdP, OP establishes initial
authentication. Then it transfers the result as a security
token to whoever wants the authentication (RP).
Daniel: Sometimes, authentication must be established without Internet connection.
Carsten: You skipped an aspect on mutual authentication?
Oliver: for now, yes.
... secure communications/storage is very much like a protocol
stack layer.
Slide 7
Oliver: Aspects of these
disciplines. These are described in wiki pages.
... Do we have a sufficient collection of topics to talk to other
TFs?
Page 9: WoT specifics
Oliver: Big question: can we
reuse the prior art from distributed systems protection?
... Inclusion of physical goods: this is a fundamental thing.
Copying/relocating is very hard.
... Constrained devices: physical goods do not scale
easily.
... Constrained networks.
... Non-human actors. Automated controllers grow
authentication requests around 10s in number.
... Not only IT applications: those who are requested authentication
increase by a factor of 10000.
... can PKI handle this number of servers?
... Connectivity: UAs from public networks -> more attack
surface (not really WoT-specific)
Matsuki: How about the time constraints? Response on time is important.
Oliver: We might include this into constrained devices. Crypto computations, etc.
Daniel: Network latency is also relevant
Slide 10
Oliver: Digital vs physical goods: reproduction, relocation of item instances at almost no cost
Carsten: Bank account is also digital.
Oliver: Technically, yes.
... aspects: static/dynamic, human-/machine-readable
... Physical goods: reproduction, relocation of item instances
at cost
... aspects: consumer vs investment,
individual-/company-owned
Slide 11
Technology generations in these 30-40 years.
Oliver: Classic: technology
invented before 2010. mostly in enterprise/office
environments
... examples: Kerberos, LDAP, P3P, PKIX, S/MIME, SAML,
SSL/TLS
... possibly only partial/no fit for WoT/IoT
... New technologies: born in 2010-2015. Not native to WoT/IoT
- possibly no or only a partial fit for WoT/IoT
... examples: FIDO, JOSE, OAuth, OIDC, SCIM
... These are designed to be run in a datacenter. There is no
guarantee that these technologies run on constrained
devices.
... Future (3rd-generation) technologies: invented in
future
... Native to WoT/IoT
... Examples: ACE
Slide 12: Interoperability
Oliver: WoT security and privacy
solution can be either Silo'ed or Interoperable.
... in Silo'ed solution, a manufacturer provides everything. No
standard needed.
... Interoperable solutions are required for cross-domain
scenarios. Standards for S&P are mandatory.
Interoperability AND reuse.
... Hypothesis: current IoT/WoT projects either neglect S&P
or create silo'ed solution.
James: A proprietary standard as a hub is not completely silo'ed but somewhat not open enough.
Oliver: We don't have a well-known standard.
Slide 13: Silo'ed vs Interoperable for Traditional Web
Oliver: DIY (ubiquitous) or P3P
(some)
... Authorization: DIY. There is no standard that is commonly
accepted.
... Authentication: server authN: SSL/TLS (ubiquitous); User or
client authN: Initial authentication is DIY, or HTTP
Basic/Digest
... subsequent AuthN in DIY ("SSO Cookies" ubiquitous) or
SAML/WS-Fed/OIDC (some)
... Secure comm and storage: transport is protected with
TLS (ubiq). Information bound by PKCS#7/CMS or XML
signature (some)
... Provisioning and credentialing: DIY (ubiq), only small
CMP/KeyProv/PKCS
CMP: credential definition protocol defined in PKIX
Slide 14
Oliver: Filtering S&P in the
traditional Web for what is standard and ubiquitous leaves only one
mechanism: SSL/TLS
... secure comm and server authn are supported; but no privacy,
authZ, user auth, provisioning/credentialing
... Most security functionality is DIY
... Key question: is DIY S&P viable for WoT?
Carsten: TLS includes protocol and PKI. We must be careful not to confuse these two.
Oliver: DIY is not viable with
new application styles like "I want office24.com to print my
photos stored at Google Drive"
... Two entities in a single transaction are not well handled in
OAuth currently.
... SSL/TLS client certificates did not succeed in
reality.
... HTTP-level password is possible but banks want fancier
things.
... If browser-side JS and server are both from you, any private
protocol can assure user authentication.
... This picture doesn't work once the browser client is made by a
3rd party.
... Any kind of standard either in HTTP stack or TLS stack is
necessary.
... Three options: 1. no security at all. 2. minimal set of
security standards (SSL/TLS only). 3. full set of
standards
... Traditional Web has 2., a minimal set of standards + a lot of
DIY.
Oliver: New application styles, 2. SSL/TLS only is not sufficient. We need more standards than TLS.
... What about WoT?
Even further standardization is necessary.
... Maybe we cannot reach 3, but we need to proceed
... We have two questions here. 1. Do we have it (something
beyond TLS)?
... Let's clarify gaps between what we have and what's needed
to have
Carsten: New app style is only part of WoT. We might have other styles.
James: We may be extending existing standards.
Daniel: It's like a moving target.
Matsuki: Standard is a boundary between cooperation and competition. Depending on domains, the border varies.
Oliver: We don't ask all projects
for the same level of standardization. Providing suites with
3-4 technologies from IETF/W3C is good, so that implementers can
choose from them.
... We need to recognize the gap between what we have and
what's needed.
Kaoru: Not only the technology but policy about what to protect should be considered as part of standards.
Oliver: Different profiles should be defined and provided so that use cases can choose the necessary protection level.
Slide 15: impact
Oliver: We might add security in
the next plugfest, but doing DTLS/CoAP only is not the way we
should go.
... Conclusions - Maturity, Usage, WoT Fitness
... Classic style: Maturity is very high, usage good, but not
fit to WoT
... New style: maturity high, usage good, but WoT fitness limited.
... Future: maturity
is low because just started. Usage is experimental or not yet.
WoT fitness is high.
... Here we find a dilemma, if we want interoperable S&P
solutions for WoT
... If a silo'ed solution is OK, just go ahead. But when someone
starts selling that, a problem arises.
Slide 24: White spots
Oliver: IETF ACE has started but
not many people know it.
... Discovery authorization has not been explored.
... APIs should pay more attention to S&P so that
client developers do not need to be S&P experts.
Slide 25 wrap-up
Oliver: Suggest a trusted 4th party that helps the requesting party.
Oliver: Trusted Fourth Party
(TFP) and Trusted Third Party (TTP) can be shared in a domain. One
TFP and many RPs, one TTP and many service providers.
... provisioning and credentialing should be explored.
Daniel: "Christmas problem", that is,
having a lot of new devices, making them join the home automation
network.
... TTP and devices don't have a communication method.
Carsten: This problem is known as "network onboarding". Extremely important problem esp. regarding parameters.
Oliver: The question is not how to do that but how to change it.
Carsten: Vertical onboarding might not be cross-domain but be cross-vendor.
Next steps
Oliver: We had a rough consensus on what's on wiki and the slides.
<scribe> ACTION: double check and review the rough consensus on wiki page [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action01]
<scribe> ACTION: Oliver, to update the overview part and lessons learned today [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action02]
<scribe> ACTION: everyone to double check the update on wiki [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action03]
<scribe> ACTION: what to do in the next plugfest [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action04]
<scribe> ACTION: IG facing [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action05]
<scribe> ACTION: actual deliverables [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action06]