IRC log of wot-sp on 2015-10-30
Timestamps are in UTC.
- 00:29:53 [RRSAgent]
- RRSAgent has joined #wot-sp
- 00:29:53 [RRSAgent]
- logging to http://www.w3.org/2015/10/30-wot-sp-irc
- 00:31:54 [kaoru]
- Oliver, Siemens: rather security than iot
- 00:31:59 [kaoru]
- s/iot/wot/
- 00:32:46 [kaoru]
- Kaoru, Lepidum: oauth, openid
- 00:32:58 [kaoru]
- Qing An
- 00:33:21 [kaoru]
- Matsuki, Hitachi: software development, compilers, etc.
- 00:33:51 [kaoru]
- i/Oliver, /scribenick: kaoru/
- 00:34:10 [kaoru]
- James, HP: application security testing
- 00:34:20 [kaoru]
- rrsagent, draft minutes
- 00:34:20 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 00:34:55 [kaoru]
- Daniel, @: IoT last 10 years, low level stacks, security key-exchange
- 00:35:37 [kaoru]
- Carsten, @: 3 decades on iot, system quality and information security
- 00:36:09 [kaoru]
- Oliver presents slides https://www.w3.org/WoT/IG/wiki/images/e/ea/Landscape_of_Security_%26_Privacy_Means.pdf
- 00:37:05 [kaoru]
- Oliver: https://www.w3.org/WoT/IG/wiki/Landscape_of_Security&Privacy_Means
- 00:37:22 [kaoru]
- rrsagent, make logs public
- 00:38:39 [kaoru]
- ... https://www.w3.org/WoT/IG/wiki/Design-Time_Security%26Privacy_Means
- 00:39:04 [kaoru]
- ... Various technology is surveyed in a uniform structure in this page.
- 00:40:36 [kaoru]
- ... Design-time is analyze what tools are available and usable.
- 00:41:23 [kaoru]
- ... Runtime means you must monitor how system goes
- 00:41:49 [kaoru]
- ... Most landscape we focus are in design-time
- 00:42:20 [kaoru]
- James: Functionally, design-/run-time have some overlaps.
- 00:42:57 [Yuki_Matsuda]
- Yuki_Matsuda has joined #wot-sp
- 00:43:31 [QingAn]
- QingAn has joined #wot-sp
- 00:45:12 [kaoru]
- Oliver: Customers ask security functionality and products, but not experts on TLS, OAuth, etc. We find technologies they should invest. Mechanisms are mostly in design phase.
- 00:45:45 [kaoru]
- ... @@ are design-time deliverables. Then implement.
- 00:46:32 [kaoru]
- ... Runtime is something you test. E.g. how TLS/SSL is configured
- 00:47:35 [kaoru]
- Oliver: Overview of WoT as distributed systems
- 00:48:17 [kaoru]
- ... Things, user agents, intermediaries
- 00:48:27 [kaoru]
- ... They are always distributed.
- 00:49:08 [kaoru]
- ... Distributed system study started 60/70ies. Protection of DS has a lot of prior arts.
- 00:49:47 [kaz]
- kaz has joined #wot-sp
- 00:49:47 [kaoru]
- ... Five disciplines: Privacy, Authorization, Authentication, Secure communications and storage, Provisioning and credentialing
- 00:50:20 [kaoru]
- rrsagent, draft minutes
- 00:50:20 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 00:51:26 [kaoru]
- kaz, yes. we are in briefing room 4, second floor
- 00:51:59 [kaoru]
- i|Oliver, Siemens|Topic: Breakout TF-Security&Privacy|
- 00:52:11 [kaoru]
- s|kaz, yes. we are in briefing room 4, second floor||
- 00:52:51 [kaoru]
- rrsagent, draft minutes
- 00:52:51 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 00:56:13 [kaoru]
- Granting an access to an online bank account is either authorizing or credentialing?
- 00:57:04 [kaoru]
- James: Both provisioning an account and then giving an authorization.
- 00:57:43 [kaoru]
- Oliver: Branch manager is not relevant in this scenario.
- 00:58:03 [kaoru]
- Carsten: I'm trying to understand difference between provisioning and authorization
- 00:59:39 [kaoru]
- Oliver: Provisioning is just a preparation. To register a user into the database.
- 00:59:56 [kaoru]
- Carsten: Doesn't that already give authorization?
- 01:00:01 [kaoru]
- Oliver: at this time, no.
- 01:00:26 [kaoru]
- ... Usually authentication goes under this. No money to manege yet.
- 01:02:26 [kaoru]
- ... Suppose now we have $1000 in the balance database. We want to transfer money.
- 01:02:45 [kaoru]
- ... One pain point is explaining what's the authorization here in natural language.
- 01:04:22 [kaoru]
- ... Next pain is to decribe owner resource model. That's by linking the account to the balance.
- 01:05:15 [kaoru]
- ... Giving credentials to the account for future authorizations
- 01:05:45 [kaoru]
- Oliver: We have to describe this scenario in pattern level and technoligy level.
- 01:05:57 [kaoru]
- Slide 6
- 01:06:17 [kaoru]
- Oliver: Characteristics/dependencies of the disciplines.
- 01:06:37 [kaoru]
- ... Privacy is human-centric in definition
- 01:06:55 [kaoru]
- s/Topic:/Meeting:/
- 01:07:03 [kaoru]
- Chair: Oliver
- 01:07:56 [kaoru]
- James: Privacy vs confidentiality?
- 01:08:03 [kaoru]
- Oliver: secure communication helps privacy
- 01:08:53 [kaoru]
- James: Secure comm and storage are tools to control privacy. Privacy is by definition not related for corporations
- 01:09:58 [kaoru]
- ... We need someting like privacy for companies, I don't know what we call that
- 01:10:38 [kaoru]
- Oliver: Authroization is different for legal entity vs. individually-owned resources
- 01:10:51 [kaoru]
- ... Authentication is most complicated
- 01:14:04 [kaoru]
- ... Trusted 3rd-party called IdP, OP establishes initial authentication. Then it transfers the result as a security token to who whats the authentication (RP)
- 01:14:17 [kaoru]
- rrsagent, draft minutes
- 01:14:17 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 01:15:38 [kaoru]
- Daniel: Sometimes, authentication must be established without Internet connection.
- 01:16:23 [kaoru]
- Carsten: You skipped an aspects on mutual authentication?
- 01:16:31 [kaoru]
- Oliver: for now, yes.
- 01:17:20 [kaoru]
- Oliver: secure communications/storage is very much like protocol stack layer
- 01:17:23 [kaoru]
- Slide 7
- 01:18:10 [kaoru]
- Oliver: Aspects of these Disiplines. These are described in wiki pages.
- 01:19:36 [kaoru]
- ... Do we have sufficient collection of topics to talk to other TFs?
- 01:20:04 [kaoru]
- Page 9: WoT specifics
- 01:20:39 [kaoru]
- Oliver: Big question: can we reuse the prior arts from distributed systems protection?
- 01:21:29 [kaoru]
- ... Inclusion of physical goods: this is a fundamental thing. Copying/relocating is very hard.
- 01:22:22 [kaoru]
- ... Constrained devices: physical goods do not scale easily.
- 01:22:30 [kaoru]
- ... Constrained networks.
- 01:23:29 [kaoru]
- ... Non-human actors. Automated controllers grows authentication request around 10s in number.
- 01:24:33 [kaoru]
- ... Not only IT-applications: who are requested authentication increases by factor of 10000.
- 01:25:23 [kaoru]
- ... can PKI handle this number of servers?
- 01:26:10 [kaoru]
- ... Connectivity: UAs from public networks -> more attack surface (not really WoT-specific)
- 01:27:08 [kaoru]
- Matsuki: How about the time constraints. Response on time is important.
- 01:27:44 [kaoru]
- Oliver: We might include this into constrained devices. Crypto computations, etc.
- 01:28:04 [kaoru]
- Daniel: Network latency is also relevant
- 01:28:57 [kaoru]
- Slide 10
- 01:29:50 [kaoru]
- Oliver: Digital vs physical goods: reproduction, relocation of item instances at almost no cost
- 01:30:08 [kaoru]
- Carsten: Bank account is also digital.
- 01:30:19 [kaoru]
- Oliver: Technically, yes.
- 01:30:59 [kaoru]
- Oliver: aspects: static/dynamic, human-/machine-readable
- 01:31:34 [kaoru]
- ... Physical goods: reproduction, relocation of item instances at cost
- 01:31:57 [kaoru]
- ... aspects: consumer vs investment, individual-/company-owned
- 01:32:03 [kaoru]
- Slide 11
- 01:32:25 [kaoru]
- Technology Generations in these 30-40 years.
- 01:33:23 [kaoru]
- Oliver: Classic: technology invented before 2010. mostly in enterprise/office environments
- 01:33:52 [kaoru]
- ... examples: Kerberos, LDAP, P3P, PKIX, S/MIME, SAML, SSL/TLS
- 01:34:18 [kaoru]
- ... possible only partial/no fit for WoT/IoT
- 01:35:13 [kaoru]
- ... New technologies: born in 2010-2015. not native to WoT/IoT - possibly no or only a partial for WoT/Iot
- 01:35:26 [kaoru]
- ... examples: FIDO, JOSE, OAuth, OIDC, SCIM
- 01:35:52 [kaoru]
- rrsagent, draft minutes
- 01:35:52 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 01:36:57 [kaoru]
- s/... New/Oliver: New/
- 01:37:43 [kaoru]
- Oliver: These are designed to be run in a datacenter. There is no guarantee that these technoligies run on constrained devices.
- 01:38:08 [kaoru]
- Oliver: Future (3rd-generation) technologies: invented in future
- 01:38:15 [kaoru]
- ... Native to WoT/Iot
- 01:38:19 [kaoru]
- ... Examples: ACE
- 01:38:35 [kaoru]
- Slide 12: Interoperability
- 01:38:46 [kaoru]
- rrsagent, draft minutes
- 01:38:46 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 01:39:17 [knagano]
- knagano has joined #wot-sp
- 01:40:44 [kaoru]
- Oliver: WoT security and privacy solution can be either Silo'ed or Interoperable.
- 01:41:30 [kaoru]
- ... in Silo'ed solution, a manufacturer provides everything. No standard needed.
- 01:42:35 [kaoru]
- ... Interoperable solution are required for cross-domain scenarios. Standards for S&P are mandatory. Interoperability AND reuse.
- 01:43:17 [kaoru]
- ... Hypothesis: current IoT/WoT projects either neglect S&P or create silo'ed solution.
- 01:44:26 [kaoru]
- James: Propriatary standard as a hub is not completely silo'ed but somewhat not open enough.
- 01:44:31 [kc___]
- kc___ has joined #wot-sp
- 01:45:45 [tomoyuki]
- tomoyuki has joined #wot-sp
- 01:45:51 [kaoru]
- Oliver: We don't have well-known standard.
- 01:46:22 [kaoru]
- Slide 13: Silo'ed vs Interoperable for Traditional Web
- 01:46:57 [kaoru]
- Oliver: DIY (ubiquitous) or P3P (some)
- 01:47:40 [kaoru]
- ... Authorization: DIY. There is no standard that is commonly accepted.
- 01:48:23 [kaoru]
- ... Authentication: server authN: SSL/TLS (ubiquitous); User or client authN: Initial authentication is DIY, or HTTP Basic/Digest
- 01:49:01 [kaoru]
- ... subsequent AuthN in DIY ("SSO Cookies" ubiquitous) or SAML/WS-Fed/OIDC (some)
- 01:50:06 [kaoru]
- ... Secure comm and storage: transport is protected with TLS(ubiq). Information bound by PKCS#7/CMS or XML signature(some)
- 01:50:50 [kaoru]
- ... Provisioning and credentialing: DIY(ubiq) only small CMP/KeyProv/PKCS
- 01:51:08 [kaoru]
- CMP: credential definition protocol defined in PKIX
- 01:51:27 [kaoru]
- rrsagent, draft minutes
- 01:51:27 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 01:51:56 [kaoru]
- Slide 14
- 01:52:36 [kaoru]
- Oliver: Filter S&P in traditional Web that are standard and ubiquitous is only one mechanism: SSL/TLS
- 01:53:30 [kaoru]
- ... secure comm and server authn is supported; but no privacy, authZ, user auth, provisioning/credentialing
- 01:53:57 [kaoru]
- ... Most security functionality is DIY
- 01:54:10 [kaoru]
- ... Key question: is DIY S&P viable for WoT?
- 01:55:33 [kaoru]
- Carsten: TLS includes protocol and PKI. We must be careful not to confuse these two.
- 01:58:33 [kaoru]
- Oliver: DIY is not viable with new application styles like, "I want office24.com to print my photos storeed at Google Drive"
- 02:01:01 [kaoru]
- ... Two entities in a single transaction is not well handled in OAuth currently.
- 02:08:16 [kaoru]
- ... SSL/TLS client certificate did not succeed in reality.
- 02:09:34 [kaoru]
- ... HTTP level password is possible but banks want fancier things.
- 02:10:35 [kaoru]
- ... If browser-side JS and server is both from you, any private protocol can assure user authentication.
- 02:11:16 [kaoru]
- ... This picture does'nt work once browser client is made by 3rd-party.
- 02:11:39 [kaoru]
- ... Any kind of standard either in HTTP stack or TLS stack is necessary.
- 02:14:24 [kaoru]
- ... Three options: 1. no security at all. 2. minimal set of security standards (SSL/TLS only). 3. full set of standards
- 02:15:14 [kaoru]
- ... Traditional Web has 2. minimal set standards + a lot of DIY.
- 02:16:45 [kaoru]
- ... New application styles, 2. SSL/TLS only is not suffcient. We need more standards than TLS.
- 02:17:10 [kaoru]
- ... What about WoT. Even further standardization is necessary.
- 02:18:42 [kaoru]
- ... Maybe we cannot reach 3, but we need to proceed
- 02:19:24 [kaoru]
- ... We have two questions here. 1. Do we have it (something beyond TLS)?
- 02:21:42 [kaoru]
- ... Let's clarify gaps between what we have and what's needed to have
- 02:23:18 [kaoru]
- Carsten: New app style is only part of WoT. We might have other styles.
- 02:24:24 [kaoru]
- James: We may be extending existing standards.
- 02:24:44 [kaoru]
- Daniel: It's like a moving target.
- 02:26:47 [kaoru]
- Matsuki: Standard is a boundary between cooperation and competition. Depending on domains, the border varies.
- 02:29:39 [kaoru]
- Oliver: We don't ask all projects for the same level of standardization. Providing suites with 3-4 technologies from IETF/W3C is good that implementers can choose from them.
- 02:31:16 [kaoru]
- ... We need to recognize the gap between what we have and what's needed.
- 02:32:03 [kaoru]
- rrsagent, draft minutes
- 02:32:03 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 02:35:39 [cabo1]
- cabo1 has joined #wot-sp
- 02:36:20 [kaoru]
- Kaoru: Not only the technology but policy about what to protect should be considered as part of stardards.
- 02:37:10 [kaoru]
- Oliver: Different profiles shoud be defined and provided so that use cases can choose necessary protection level.
- 02:37:47 [kaoru]
- Slide 15: impact
- 02:39:11 [kaoru]
- Oliver: We might add security in the next plugfest, but doing DTLS/CoAP only is not the way we should go.
- 02:40:21 [kaoru]
- present+ Oliver, James, Daniel, Carsten, Kaoru, QingAn, Matsuki, Yasunori
- 02:40:29 [kaoru]
- rrsagent, draft minutes
- 02:40:29 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 02:48:25 [kaoru]
- i|Oliver presents|Topic: Landscape of Security and Privacy in WoT|
- 02:50:10 [kaoru]
- s/... New application styles/Oliver: New application styles/
- 02:50:31 [kaoru]
- rrsagent, draft minutes
- 02:50:31 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 02:51:32 [kaoru]
- Oliver: Conclusions - Maturity, Usage, WoT Fitness
- 02:52:22 [kaoru]
- ... Classic style: Maturity is very high, usage good, but not fit to WoT
- 02:53:16 [kaoru]
- ... New style: maturity high, usage good, but WoT fintess limited.
- 02:54:05 [kaoru]
- ... Future: maturity is low because just started. Usage is expermental or not yet. WoT fitness is high.
- 02:54:58 [kaoru]
- ... Here we find a dillema, if we want interoperable S&P solutions for WoT
- 02:55:46 [kaoru]
- ... If silo'ed solution is OK, just go ahead. But when someone start selling that, problem arises.
- 02:56:46 [kaoru]
- Slide 24: White spots
- 02:57:27 [kaoru]
- Oliver: IETF ACE is started but not many people know it.
- 02:58:48 [kaoru]
- ... Discovery authorization have not been explored.
- 03:00:20 [kaoru]
- ... APIs should pay more attention to S&P so that the client developers are not necessary to be S&P experts.
- 03:00:53 [kaoru]
- s|s/... New application styles/Oliver: New application styles/||
- 03:02:18 [kaoru]
- Slide 25 wrap-up
- 03:02:29 [kaoru]
- rrsagent, draft minutes
- 03:02:29 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 03:05:41 [kaoru]
- Oliver: Suggest a trusted 4th party that helps requesting party.
- 03:06:46 [kaoru]
- s|... New application styles, 2. SSL|Oliver: New application styles, 2. SSL|
- 03:08:45 [kaoru]
- Oliver: Trusted Fourth Party (TFP) and T Third Party (TTP) can be shared in a domain. One TFP and many rps, one TTP and many service provides.
- 03:09:59 [kaoru]
- Oliver: provisioning and credentialing should be explored.
- 03:11:10 [kaoru]
- Daniel: "Christmas problem", that having a lot of new device, make them join the smart home network.
- 03:11:33 [kaoru]
- s/smart home/home automation/
- 03:14:27 [kaoru]
- Daniel: TTP and devices don't have communication method.
- 03:15:02 [kaoru]
- Carsten: This problem is known as "network onboarding". Extremely important problem esp. regarding parameters.
- 03:15:58 [kaoru]
- Oliver: The question is not how to do that but how to change it.
- 03:17:39 [kaoru]
- Carsten: Vertical onboarding might not be cross-domain but be cross-vendor.
- 03:19:01 [kaoru]
- rrsagent, draft minutes
- 03:19:01 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 03:19:48 [kaoru]
- Next steps
- 03:20:22 [kaoru]
- Oliver: We had a rough consensus on what's on wiki and the slides.
- 03:21:09 [kaoru]
- ACTION: double check and review the rough consensus on wiki page
- 03:23:11 [kaoru]
- ACTION: Oliver, to update the overview part and lessons learned today
- 03:23:35 [kaoru]
- ACTION: everyone to double check the update on wiki
- 03:24:04 [kaoru]
- ACTION: what to do in the next plugfest
- 03:24:14 [kaoru]
- rrsagent, draft minutes
- 03:24:14 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 03:31:27 [kaoru]
- ACTION: IG facing
- 03:31:35 [kaoru]
- ACTION: actual deliverables
- 03:32:43 [kaoru]
- rrsagent, draft minutes
- 03:32:43 [RRSAgent]
- I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
- 04:03:02 [tomoyuki]
- tomoyuki has joined #wot-sp
- 04:25:36 [kaz]
- kaz has joined #wot-sp
- 04:33:50 [yingying]
- yingying has joined #wot-sp
- 04:37:08 [cabo]
- cabo has joined #wot-sp
- 04:38:09 [knagano]
- knagano has joined #wot-sp
- 04:55:32 [kaz]
- kaz has joined #wot-sp
- 06:46:26 [yuki_]
- yuki_ has joined #wot-sp
- 06:50:12 [yuki_]
- yuki_ has joined #wot-sp