IRC log of wot-sp on 2015-10-30

Timestamps are in UTC.

00:29:53 [RRSAgent]
RRSAgent has joined #wot-sp
00:29:53 [RRSAgent]
logging to http://www.w3.org/2015/10/30-wot-sp-irc
00:31:54 [kaoru]
Oliver, Siemens: rather security than iot
00:31:59 [kaoru]
s/iot/wot/
00:32:46 [kaoru]
Kaoru, Lepidum: oauth, openid
00:32:58 [kaoru]
Qing An
00:33:21 [kaoru]
Matsuki, Hitachi: software development, compilers, etc.
00:33:51 [kaoru]
i/Oliver, /scribenick: kaoru/
00:34:10 [kaoru]
James, HP: application security testing
00:34:20 [kaoru]
rrsagent, draft minutes
00:34:20 [RRSAgent]
I have made the request to generate http://www.w3.org/2015/10/30-wot-sp-minutes.html kaoru
00:34:55 [kaoru]
Daniel, @: IoT last 10 years, low level stacks, security key-exchange
00:35:37 [kaoru]
Carsten, @: 3 decades on iot, system quality and information security
00:36:09 [kaoru]
Oliver presents slides https://www.w3.org/WoT/IG/wiki/images/e/ea/Landscape_of_Security_%26_Privacy_Means.pdf
00:37:05 [kaoru]
Oliver: https://www.w3.org/WoT/IG/wiki/Landscape_of_Security&Privacy_Means
00:37:22 [kaoru]
rrsagent, make logs public
00:38:39 [kaoru]
... https://www.w3.org/WoT/IG/wiki/Design-Time_Security%26Privacy_Means
00:39:04 [kaoru]
... Various technology is surveyed in a uniform structure in this page.
00:40:36 [kaoru]
... Design-time is analyzing what tools are available and usable.
00:41:23 [kaoru]
... Runtime means you must monitor how the system goes
00:41:49 [kaoru]
... Most of the landscape we focus on is in design-time
00:42:20 [kaoru]
James: Functionally, design-/run-time have some overlaps.
00:42:57 [Yuki_Matsuda]
Yuki_Matsuda has joined #wot-sp
00:43:31 [QingAn]
QingAn has joined #wot-sp
00:45:12 [kaoru]
Oliver: Customers ask security functionality and products, but not experts on TLS, OAuth, etc. We find technologies they should invest. Mechanisms are mostly in design phase.
00:45:45 [kaoru]
... @@ are design-time deliverables. Then implement.
00:46:32 [kaoru]
... Runtime is something you test. E.g. how TLS/SSL is configured
00:47:35 [kaoru]
Oliver: Overview of WoT as distributed systems
00:48:17 [kaoru]
... Things, user agents, intermediaries
00:48:27 [kaoru]
... They are always distributed.
00:49:08 [kaoru]
... Distributed system study started in the 60s/70s. Protection of DS has a lot of prior art.
00:49:47 [kaz]
kaz has joined #wot-sp
00:49:47 [kaoru]
... Five disciplines: Privacy, Authorization, Authentication, Secure communications and storage, Provisioning and credentialing
00:50:20 [kaoru]
00:51:26 [kaoru]
kaz, yes. we are in briefing room 4, second floor
00:51:59 [kaoru]
i|Oliver, Siemens|Topic: Breakout TF-Security&Privacy|
00:52:11 [kaoru]
s|kaz, yes. we are in briefing room 4, second floor||
00:52:51 [kaoru]
00:56:13 [kaoru]
Granting an access to an online bank account is either authorizing or credentialing?
00:57:04 [kaoru]
James: Both provisioning an account and then giving an authorization.
00:57:43 [kaoru]
Oliver: Branch manager is not relevant in this scenario.
00:58:03 [kaoru]
Carsten: I'm trying to understand difference between provisioning and authorization
00:59:39 [kaoru]
Oliver: Provisioning is just a preparation. To register a user into the database.
00:59:56 [kaoru]
Carsten: Doesn't that already give authorization?
01:00:01 [kaoru]
Oliver: at this time, no.
01:00:26 [kaoru]
... Usually authentication goes under this. No money to manage yet.
01:02:26 [kaoru]
... Suppose now we have $1000 in the balance database. We want to transfer money.
01:02:45 [kaoru]
... One pain point is explaining what's the authorization here in natural language.
01:04:22 [kaoru]
... Next pain is to describe the owner resource model. That's by linking the account to the balance.
01:05:15 [kaoru]
... Giving credentials to the account for future authorizations
01:05:45 [kaoru]
Oliver: We have to describe this scenario at pattern level and technology level.
01:05:57 [kaoru]
Slide 6
01:06:17 [kaoru]
Oliver: Characteristics/dependencies of the disciplines.
01:06:37 [kaoru]
... Privacy is human-centric in definition
01:06:55 [kaoru]
s/Topic:/Meeting:/
01:07:03 [kaoru]
Chair: Oliver
01:07:56 [kaoru]
James: Privacy vs confidentiality?
01:08:03 [kaoru]
Oliver: secure communication helps privacy
01:08:53 [kaoru]
James: Secure comm and storage are tools to control privacy. Privacy is by definition not related for corporations
01:09:58 [kaoru]
... We need something like privacy for companies, I don't know what we call that
01:10:38 [kaoru]
Oliver: Authorization is different for legal entity vs. individually-owned resources
01:10:51 [kaoru]
... Authentication is most complicated
01:14:04 [kaoru]
... Trusted 3rd-party called IdP, OP establishes initial authentication. Then it transfers the result as a security token to who wants the authentication (RP)
01:14:17 [kaoru]
01:15:38 [kaoru]
Daniel: Sometimes, authentication must be established without Internet connection.
01:16:23 [kaoru]
Carsten: You skipped an aspect on mutual authentication?
01:16:31 [kaoru]
Oliver: for now, yes.
01:17:20 [kaoru]
Oliver: secure communications/storage is very much like protocol stack layer
01:17:23 [kaoru]
Slide 7
01:18:10 [kaoru]
Oliver: Aspects of these Disciplines. These are described in wiki pages.
01:19:36 [kaoru]
... Do we have sufficient collection of topics to talk to other TFs?
01:20:04 [kaoru]
Page 9: WoT specifics
01:20:39 [kaoru]
Oliver: Big question: can we reuse the prior arts from distributed systems protection?
01:21:29 [kaoru]
... Inclusion of physical goods: this is a fundamental thing. Copying/relocating is very hard.
01:22:22 [kaoru]
... Constrained devices: physical goods do not scale easily.
01:22:30 [kaoru]
... Constrained networks.
01:23:29 [kaoru]
... Non-human actors. Automated controllers grow authentication requests by around 10s in number.
01:24:33 [kaoru]
... Not only IT-applications: those who are requested to authenticate increase by a factor of 10000.
01:25:23 [kaoru]
... can PKI handle this number of servers?
01:26:10 [kaoru]
... Connectivity: UAs from public networks -> more attack surface (not really WoT-specific)
01:27:08 [kaoru]
Matsuki: How about the time constraints. Response on time is important.
01:27:44 [kaoru]
Oliver: We might include this into constrained devices. Crypto computations, etc.
01:28:04 [kaoru]
Daniel: Network latency is also relevant
01:28:57 [kaoru]
Slide 10
01:29:50 [kaoru]
Oliver: Digital vs physical goods: reproduction, relocation of item instances at almost no cost
01:30:08 [kaoru]
Carsten: Bank account is also digital.
01:30:19 [kaoru]
Oliver: Technically, yes.
01:30:59 [kaoru]
Oliver: aspects: static/dynamic, human-/machine-readable
01:31:34 [kaoru]
... Physical goods: reproduction, relocation of item instances at cost
01:31:57 [kaoru]
... aspects: consumer vs investment, individual-/company-owned
01:32:03 [kaoru]
Slide 11
01:32:25 [kaoru]
Technology Generations in these 30-40 years.
01:33:23 [kaoru]
Oliver: Classic: technology invented before 2010. mostly in enterprise/office environments
01:33:52 [kaoru]
... examples: Kerberos, LDAP, P3P, PKIX, S/MIME, SAML, SSL/TLS
01:34:18 [kaoru]
... possible only partial/no fit for WoT/IoT
01:35:13 [kaoru]
... New technologies: born in 2010-2015. not native to WoT/IoT - possibly no or only a partial fit for WoT/IoT
01:35:26 [kaoru]
... examples: FIDO, JOSE, OAuth, OIDC, SCIM
01:35:52 [kaoru]
01:36:57 [kaoru]
s/... New/Oliver: New/
01:37:43 [kaoru]
Oliver: These are designed to be run in a datacenter. There is no guarantee that these technologies run on constrained devices.
01:38:08 [kaoru]
Oliver: Future (3rd-generation) technologies: invented in future
01:38:15 [kaoru]
... Native to WoT/IoT
01:38:19 [kaoru]
... Examples: ACE
01:38:35 [kaoru]
Slide 12: Interoperability
01:38:46 [kaoru]
01:39:17 [knagano]
knagano has joined #wot-sp
01:40:44 [kaoru]
Oliver: WoT security and privacy solution can be either Silo'ed or Interoperable.
01:41:30 [kaoru]
... in Silo'ed solution, a manufacturer provides everything. No standard needed.
01:42:35 [kaoru]
... Interoperable solutions are required for cross-domain scenarios. Standards for S&P are mandatory. Interoperability AND reuse.
01:43:17 [kaoru]
... Hypothesis: current IoT/WoT projects either neglect S&P or create silo'ed solution.
01:44:26 [kaoru]
James: Proprietary standard as a hub is not completely silo'ed but somewhat not open enough.
01:44:31 [kc___]
kc___ has joined #wot-sp
01:45:45 [tomoyuki]
tomoyuki has joined #wot-sp
01:45:51 [kaoru]
Oliver: We don't have well-known standard.
01:46:22 [kaoru]
Slide 13: Silo'ed vs Interoperable for Traditional Web
01:46:57 [kaoru]
Oliver: DIY (ubiquitous) or P3P (some)
01:47:40 [kaoru]
... Authorization: DIY. There is no standard that is commonly accepted.
01:48:23 [kaoru]
... Authentication: server authN: SSL/TLS (ubiquitous); User or client authN: Initial authentication is DIY, or HTTP Basic/Digest
01:49:01 [kaoru]
... subsequent AuthN in DIY ("SSO Cookies" ubiquitous) or SAML/WS-Fed/OIDC (some)
01:50:06 [kaoru]
... Secure comm and storage: transport is protected with TLS(ubiq). Information bound by PKCS#7/CMS or XML signature(some)
01:50:50 [kaoru]
... Provisioning and credentialing: DIY(ubiq) only small CMP/KeyProv/PKCS
01:51:08 [kaoru]
CMP: credential definition protocol defined in PKIX
01:51:27 [kaoru]
01:51:56 [kaoru]
Slide 14
01:52:36 [kaoru]
Oliver: Filter S&P in traditional Web that are standard and ubiquitous is only one mechanism: SSL/TLS
01:53:30 [kaoru]
... secure comm and server authn is supported; but no privacy, authZ, user auth, provisioning/credentialing
01:53:57 [kaoru]
... Most security functionality is DIY
01:54:10 [kaoru]
... Key question: is DIY S&P viable for WoT?
01:55:33 [kaoru]
Carsten: TLS includes protocol and PKI. We must be careful not to confuse these two.
01:58:33 [kaoru]
Oliver: DIY is not viable with new application styles like, "I want office24.com to print my photos stored at Google Drive"
02:01:01 [kaoru]
... Two entities in a single transaction is not well handled in OAuth currently.
02:08:16 [kaoru]
... SSL/TLS client certificate did not succeed in reality.
02:09:34 [kaoru]
... HTTP level password is possible but banks want fancier things.
02:10:35 [kaoru]
... If browser-side JS and server is both from you, any private protocol can assure user authentication.
02:11:16 [kaoru]
... This picture doesn't work once the browser client is made by a 3rd-party.
02:11:39 [kaoru]
... Any kind of standard either in HTTP stack or TLS stack is necessary.
02:14:24 [kaoru]
... Three options: 1. no security at all. 2. minimal set of security standards (SSL/TLS only). 3. full set of standards
02:15:14 [kaoru]
... Traditional Web has 2. minimal set standards + a lot of DIY.
02:16:45 [kaoru]
... New application styles, 2. SSL/TLS only is not sufficient. We need more standards than TLS.
02:17:10 [kaoru]
... What about WoT. Even further standardization is necessary.
02:18:42 [kaoru]
... Maybe we cannot reach 3, but we need to proceed
02:19:24 [kaoru]
... We have two questions here. 1. Do we have it (something beyond TLS)?
02:21:42 [kaoru]
... Let's clarify gaps between what we have and what's needed to have
02:23:18 [kaoru]
Carsten: New app style is only part of WoT. We might have other styles.
02:24:24 [kaoru]
James: We may be extending existing standards.
02:24:44 [kaoru]
Daniel: It's like a moving target.
02:26:47 [kaoru]
Matsuki: Standard is a boundary between cooperation and competition. Depending on domains, the border varies.
02:29:39 [kaoru]
Oliver: We don't ask all projects for the same level of standardization. Providing suites with 3-4 technologies from IETF/W3C is good that implementers can choose from them.
02:31:16 [kaoru]
... We need to recognize the gap between what we have and what's needed.
02:32:03 [kaoru]
02:35:39 [cabo1]
cabo1 has joined #wot-sp
02:36:20 [kaoru]
Kaoru: Not only the technology but policy about what to protect should be considered as part of standards.
02:37:10 [kaoru]
Oliver: Different profiles should be defined and provided so that use cases can choose the necessary protection level.
02:37:47 [kaoru]
Slide 15: impact
02:39:11 [kaoru]
Oliver: We might add security in the next plugfest, but doing DTLS/CoAP only is not the way we should go.
02:40:21 [kaoru]
present+ Oliver, James, Daniel, Carsten, Kaoru, QingAn, Matsuki, Yasunori
02:40:29 [kaoru]
02:48:25 [kaoru]
i|Oliver presents|Topic: Landscape of Security and Privacy in WoT|
02:50:10 [kaoru]
s/... New application styles/Oliver: New application styles/
02:50:31 [kaoru]
02:51:32 [kaoru]
Oliver: Conclusions - Maturity, Usage, WoT Fitness
02:52:22 [kaoru]
... Classic style: Maturity is very high, usage good, but not fit to WoT
02:53:16 [kaoru]
... New style: maturity high, usage good, but WoT fitness limited.
02:54:05 [kaoru]
... Future: maturity is low because just started. Usage is experimental or not yet. WoT fitness is high.
02:54:58 [kaoru]
... Here we find a dilemma, if we want interoperable S&P solutions for WoT
02:55:46 [kaoru]
... If a silo'ed solution is OK, just go ahead. But when someone starts selling that, a problem arises.
02:56:46 [kaoru]
Slide 24: White spots
02:57:27 [kaoru]
Oliver: IETF ACE is started but not many people know it.
02:58:48 [kaoru]
... Discovery authorization has not been explored.
03:00:20 [kaoru]
... APIs should pay more attention to S&P so that client developers do not need to be S&P experts.
03:00:53 [kaoru]
s|s/... New application styles/Oliver: New application styles/||
03:02:18 [kaoru]
Slide 25 wrap-up
03:02:29 [kaoru]
03:05:41 [kaoru]
Oliver: Suggest a trusted 4th party that helps requesting party.
03:06:46 [kaoru]
s|... New application styles, 2. SSL|Oliver: New application styles, 2. SSL|
03:08:45 [kaoru]
Oliver: Trusted Fourth Party (TFP) and Trusted Third Party (TTP) can be shared in a domain. One TFP and many RPs, one TTP and many service providers.
03:09:59 [kaoru]
Oliver: provisioning and credentialing should be explored.
03:11:10 [kaoru]
Daniel: "Christmas problem", that is, having a lot of new devices and making them join the smart home network.
03:11:33 [kaoru]
s/smart home/home automation/
03:14:27 [kaoru]
Daniel: TTP and devices don't have communication method.
03:15:02 [kaoru]
Carsten: This problem is known as "network onboarding". Extremely important problem esp. regarding parameters.
03:15:58 [kaoru]
Oliver: The question is not how to do that but how to change it.
03:17:39 [kaoru]
Carsten: Vertical onboarding might not be cross-domain but be cross-vendor.
03:19:01 [kaoru]
03:19:48 [kaoru]
Next steps
03:20:22 [kaoru]
Oliver: We had a rough consensus on what's on wiki and the slides.
03:21:09 [kaoru]
ACTION: double check and review the rough consensus on wiki page
03:23:11 [kaoru]
ACTION: Oliver, to update the overview part and lessons learned today
03:23:35 [kaoru]
ACTION: everyone to double check the update on wiki
03:24:04 [kaoru]
ACTION: what to do in the next plugfest
03:24:14 [kaoru]
03:31:27 [kaoru]
ACTION: IG facing
03:31:35 [kaoru]
ACTION: actual deliverables
03:32:43 [kaoru]
04:03:02 [tomoyuki]
tomoyuki has joined #wot-sp
04:25:36 [kaz]
kaz has joined #wot-sp
04:33:50 [yingying]
yingying has joined #wot-sp
04:37:08 [cabo]
cabo has joined #wot-sp
04:38:09 [knagano]
knagano has joined #wot-sp
04:55:32 [kaz]
kaz has joined #wot-sp
06:46:26 [yuki_]
yuki_ has joined #wot-sp
06:50:12 [yuki_]
yuki_ has joined #wot-sp