00:29:53 RRSAgent has joined #wot-sp
00:29:53 logging to http://www.w3.org/2015/10/30-wot-sp-irc
Meeting: Breakout TF-Security&Privacy
Chair: Oliver
scribenick: kaoru
00:31:54 Oliver, Siemens: rather security than wot
00:32:46 Kaoru, Lepidum: oauth, openid
00:32:58 Qing An
00:33:21 Matsuki, Hitachi: software development, compilers, etc.
00:34:10 James, HP: application security testing
00:34:20 rrsagent, draft minutes
00:34:20 I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
00:34:55 Daniel, @: IoT last 10 years, low level stacks, security key-exchange
00:35:37 Carsten, @: 3 decades on iot, system quality and information security
Topic: Landscape of Security and Privacy in WoT
00:36:09 Oliver presents slides https://www.w3.org/WoT/IG/wiki/images/e/ea/Landscape_of_Security_%26_Privacy_Means.pdf
00:37:05 Oliver: https://www.w3.org/WoT/IG/wiki/Landscape_of_Security&Privacy_Means
00:37:22 rrsagent, make logs public
00:38:39 ... https://www.w3.org/WoT/IG/wiki/Design-Time_Security%26Privacy_Means
00:39:04 ... Various technologies are surveyed in a uniform structure on this page.
00:40:36 ... Design-time is analyzing what tools are available and usable.
00:41:23 ... Runtime means you must monitor how the system goes.
00:41:49 ... Most of the landscape we focus on is in design-time.
00:42:20 James: Functionally, design-/run-time have some overlaps.
00:45:12 Oliver: Customers ask for security functionality and products, but are not experts on TLS, OAuth, etc. We find technologies they should invest in. Mechanisms are mostly in the design phase.
00:45:45 ... @@ are design-time deliverables. Then implement.
00:46:32 ... Runtime is something you test. E.g. how TLS/SSL is configured.
00:47:35 Oliver: Overview of WoT as distributed systems
00:48:17 ... Things, user agents, intermediaries
00:48:27 ... They are always distributed.
00:49:08 ... Distributed system study started in the 60s/70s. Protection of DS has a lot of prior art.
00:49:47 ... Five disciplines: Privacy, Authorization, Authentication, Secure communications and storage, Provisioning and credentialing
00:56:13 Is granting access to an online bank account authorizing or credentialing?
00:57:04 James: Both provisioning an account and then giving an authorization.
00:57:43 Oliver: Branch manager is not relevant in this scenario.
00:58:03 Carsten: I'm trying to understand the difference between provisioning and authorization
00:59:39 Oliver: Provisioning is just a preparation. To register a user into the database.
00:59:56 Carsten: Doesn't that already give authorization?
01:00:01 Oliver: at this time, no.
01:00:26 ... Usually authentication goes under this. No money to manage yet.
01:02:26 ... Suppose now we have $1000 in the balance database. We want to transfer money.
01:02:45 ... One pain point is explaining what the authorization is here in natural language.
01:04:22 ... Next pain is to describe the owner resource model. That's by linking the account to the balance.
01:05:15 ... Giving credentials to the account for future authorizations
01:05:45 Oliver: We have to describe this scenario at the pattern level and the technology level.
01:05:57 Slide 6
01:06:17 Oliver: Characteristics/dependencies of the disciplines.
01:06:37 ... Privacy is human-centric in definition
01:07:56 James: Privacy vs confidentiality?
01:08:03 Oliver: secure communication helps privacy
01:08:53 James: Secure comm and storage are tools to control privacy. Privacy is by definition not related to corporations
01:09:58 ... We need something like privacy for companies, I don't know what we call that
01:10:38 Oliver: Authorization is different for legal entity vs. individually-owned resources
01:10:51 ... Authentication is most complicated
01:14:04 ... Trusted 3rd-party called IdP, OP establishes initial authentication. Then it transfers the result as a security token to who wants the authentication (RP)
01:15:38 Daniel: Sometimes, authentication must be established without Internet connection.
01:16:23 Carsten: You skipped an aspect on mutual authentication?
01:16:31 Oliver: for now, yes.
01:17:20 Oliver: secure communications/storage is very much like a protocol stack layer
01:17:23 Slide 7
01:18:10 Oliver: Aspects of these Disciplines. These are described in wiki pages.
01:19:36 ... Do we have a sufficient collection of topics to talk to other TFs?
01:20:04 Page 9: WoT specifics
01:20:39 Oliver: Big question: can we reuse the prior art from distributed systems protection?
01:21:29 ... Inclusion of physical goods: this is a fundamental thing. Copying/relocating is very hard.
01:22:22 ... Constrained devices: physical goods do not scale easily.
01:22:30 ... Constrained networks.
01:23:29 ... Non-human actors. Automated controllers grow authentication requests by around 10s in number.
01:24:33 ... Not only IT applications: the number of those requesting authentication increases by a factor of 10000.
01:25:23 ... can PKI handle this number of servers?
01:26:10 ... Connectivity: UAs from public networks -> more attack surface (not really WoT-specific)
01:27:08 Matsuki: How about the time constraints? Response on time is important.
01:27:44 Oliver: We might include this in constrained devices. Crypto computations, etc.
01:28:04 Daniel: Network latency is also relevant
01:28:57 Slide 10
01:29:50 Oliver: Digital vs physical goods: reproduction, relocation of item instances at almost no cost
01:30:08 Carsten: Bank account is also digital.
01:30:19 Oliver: Technically, yes.
01:30:59 Oliver: aspects: static/dynamic, human-/machine-readable
01:31:34 ... Physical goods: reproduction, relocation of item instances at cost
01:31:57 ... aspects: consumer vs investment, individual-/company-owned
01:32:03 Slide 11
01:32:25 Technology Generations in these 30-40 years.
01:33:23 Oliver: Classic: technology invented before 2010. mostly in enterprise/office environments
01:33:52 ... examples: Kerberos, LDAP, P3P, PKIX, S/MIME, SAML, SSL/TLS
01:34:18 ... possibly only partial/no fit for WoT/IoT
01:35:13 Oliver: New technologies: born in 2010-2015. not native to WoT/IoT - possibly no or only a partial fit for WoT/IoT
01:35:26 ... examples: FIDO, JOSE, OAuth, OIDC, SCIM
01:37:43 Oliver: These are designed to be run in a datacenter. There is no guarantee that these technologies run on constrained devices.
01:38:08 Oliver: Future (3rd-generation) technologies: invented in future
01:38:15 ... Native to WoT/IoT
01:38:19 ... Examples: ACE
01:38:35 Slide 12: Interoperability
01:40:44 Oliver: WoT security and privacy solutions can be either silo'ed or interoperable.
01:41:30 ... in a silo'ed solution, a manufacturer provides everything. No standard needed.
01:42:35 ... Interoperable solutions are required for cross-domain scenarios. Standards for S&P are mandatory. Interoperability AND reuse.
01:43:17 ... Hypothesis: current IoT/WoT projects either neglect S&P or create silo'ed solutions.
01:44:26 James: A proprietary standard as a hub is not completely silo'ed but somewhat not open enough.
01:45:51 Oliver: We don't have a well-known standard.
01:46:22 Slide 13: Silo'ed vs Interoperable for Traditional Web
01:46:57 Oliver: DIY (ubiquitous) or P3P (some)
01:47:40 ... Authorization: DIY. There is no standard that is commonly accepted.
01:48:23 ... Authentication: server authN: SSL/TLS (ubiquitous); User or client authN: Initial authentication is DIY, or HTTP Basic/Digest
01:49:01 ... subsequent AuthN in DIY ("SSO Cookies" ubiquitous) or SAML/WS-Fed/OIDC (some)
01:50:06 ... Secure comm and storage: transport is protected with TLS (ubiq). Information bound by PKCS#7/CMS or XML signature (some)
01:50:50 ... Provisioning and credentialing: DIY (ubiq), only small CMP/KeyProv/PKCS
01:51:08 CMP: credential definition protocol defined in PKIX
01:51:56 Slide 14
01:52:36 Oliver: Filtering S&P in the traditional Web to what is standard and ubiquitous leaves only one mechanism: SSL/TLS
01:53:30 ... secure comm and server authN are supported; but no privacy, authZ, user auth, provisioning/credentialing
01:53:57 ... Most security functionality is DIY
01:54:10 ... Key question: is DIY S&P viable for WoT?
01:55:33 Carsten: TLS includes protocol and PKI. We must be careful not to confuse these two.
01:58:33 Oliver: DIY is not viable with new application styles like "I want office24.com to print my photos stored at Google Drive"
02:01:01 ... Two entities in a single transaction is not well handled in OAuth currently.
02:08:16 ... SSL/TLS client certificates did not succeed in reality.
02:09:34 ... HTTP level password is possible but banks want fancier things.
02:10:35 ... If browser-side JS and server are both from you, any private protocol can assure user authentication.
02:11:16 ... This picture doesn't work once the browser client is made by a 3rd party.
02:11:39 ... Any kind of standard either in the HTTP stack or the TLS stack is necessary.
02:14:24 ... Three options: 1. no security at all. 2. minimal set of security standards (SSL/TLS only). 3. full set of standards
02:15:14 ... Traditional Web has 2. minimal set of standards + a lot of DIY.
02:16:45 Oliver: New application styles, 2. SSL/TLS only is not sufficient. We need more standards than TLS.
02:17:10 ... What about WoT? Even further standardization is necessary.
02:18:42 ... Maybe we cannot reach 3, but we need to proceed
02:19:24 ... We have two questions here. 1. Do we have it (something beyond TLS)?
02:21:42 ... Let's clarify the gaps between what we have and what we need to have
02:23:18 Carsten: The new app style is only part of WoT. We might have other styles.
02:24:24 James: We may be extending existing standards.
02:24:44 Daniel: It's like a moving target.
02:26:47 Matsuki: A standard is a boundary between cooperation and competition. Depending on the domain, the border varies.
02:29:39 Oliver: We don't ask all projects for the same level of standardization. Providing suites with 3-4 technologies from IETF/W3C is good so that implementers can choose from them.
02:31:16 ... We need to recognize the gap between what we have and what's needed.
02:36:20 Kaoru: Not only the technology but policy about what to protect should be considered as part of standards.
02:37:10 Oliver: Different profiles should be defined and provided so that use cases can choose the necessary protection level.
02:37:47 Slide 15: impact
02:39:11 Oliver: We might add security in the next plugfest, but doing DTLS/CoAP only is not the way we should go.
02:40:21 present+ Oliver, James, Daniel, Carsten, Kaoru, QingAn, Matsuki, Yasunori
02:51:32 Oliver: Conclusions - Maturity, Usage, WoT Fitness
02:52:22 ... Classic style: Maturity is very high, usage good, but not fit for WoT
02:53:16 ... New style: maturity high, usage good, but WoT fitness limited.
02:54:05 ... Future: maturity is low because just started. Usage is experimental or not yet. WoT fitness is high.
02:54:58 ... Here we find a dilemma, if we want interoperable S&P solutions for WoT
02:55:46 ... If a silo'ed solution is OK, just go ahead. But when someone starts selling that, a problem arises.
02:56:46 Slide 24: White spots
02:57:27 Oliver: IETF ACE has started but not many people know it.
02:58:48 ... Discovery authorization has not been explored.
03:00:20 ... APIs should pay more attention to S&P so that client developers do not need to be S&P experts.
03:02:18 Slide 25 wrap-up
03:05:41 Oliver: Suggest a trusted 4th party that helps the requesting party.
03:08:45 Oliver: Trusted Fourth Party (TFP) and Trusted Third Party (TTP) can be shared in a domain. One TFP and many RPs, one TTP and many service providers.
03:09:59 Oliver: provisioning and credentialing should be explored.
03:11:10 Daniel: "Christmas problem": having a lot of new devices, make them join the home automation network.
03:14:27 Daniel: TTP and devices don't have a communication method.
03:15:02 Carsten: This problem is known as "network onboarding". Extremely important problem esp. regarding parameters.
03:15:58 Oliver: The question is not how to do that but how to change it.
03:17:39 Carsten: Vertical onboarding might not be cross-domain but cross-vendor.
03:19:48 Next steps
03:20:22 Oliver: We had a rough consensus on what's on the wiki and the slides.
03:21:09 ACTION: double check and review the rough consensus on the wiki page
03:23:11 ACTION: Oliver, to update the overview part and lessons learned today
03:23:35 ACTION: everyone to double check the update on the wiki
03:24:04 ACTION: what to do in the next plugfest
03:31:27 ACTION: IG facing
03:31:35 ACTION: actual deliverables