[WoT IG] Kicking-off work on Security&Privacy

Hi,
I'd like to kick-off some work on security&privacy for WoT.

Let me start with a snapshot on my mindset concerning security&privacy for WoT:

- There will be NO one-size-fits-all solution for security&privacy in WoT - use cases and constraints do vary too much along WoT scenarios

- Work does NOT start with an empty page - there are patterns, (standard) protocols, components that can be re-used (with or without adaptation)

- Work can NOT assume to find reusables for every security&privacy requirement - the set of available offerings will have whitespots
So I'm not thinking in terms of a (single) reference architecture for security&privacy in WoT, but rather a chocolate box of assorted security&privacy artifacts from which WoT products/projects can serve themselves

From what we discussed during the WoT F2F it's our job to come up with such a box of assorted artifacts for security&privacy in WoT - see attachment ;-) (Picture taken at the venue of the WoT F2F meeting, Siemens Forum Munich)

For the next phase (say until Sept/Oct this year) I'd propose to jointly work on following artifacts - as initial deliverables:

1. Glossary for Security&Privacy: a means to define the meaning of the usual shorthand terms such as "role". In the first place this is not meant to be a deliverable to an external community but a means for housekeeping among the Security&Privacy contributors in the W3C IG WoT

2. References in Security&Privacy: Diffie-Hellman and Rivest-Shamir-Adleman deserve any credit but I'd be more interested in hidden gems such as "Who goes there - Authentication through the lens of privacy". I have some and am sure you do have some others too. I think it would be helpful to share them. That is suggested as another means for coordination among the Security&Privacy stakeholders in the W3C IG WoT, not as deliverable to an external audience

3. Catalog of Security&Privacy requirements: meant to be a service document for the WoT use case authors/owners. They should be able to identify the security&privacy requirements by referring to this catalog (rather than being required to create free-formed text from scratch) e.g. "data confidentiality" in "transport-bound" fashion (where "data confidentiality", "transport-bound" are explained in the catalog). The catalog should evolve iteratively (i. security&privacy 'group' suggests a first draft version, ii. use case owners use it and give feedback on whitespots etc. iii. security&privacy 'group' suggests a second draft version etc.)

4. Candidates of Security&Privacy mechanisms: that's meant to be a document which identifies and assesses security&privacy mechanisms of eligible bodies (e.g. IETF) with respect to their fitness to deliver security&privacy functionality for WoT. This identification and assessment would be relative to the requirements catalog.

5. Advanced/abstract concepts in security&privacy: not sure about title and exact form-factor of delivery (own document vs. attachment to another). However since deliverable#3 intentionally takes an atomic view there should be something that complements deliverable#3 with a composite view. The notion of end-to-end security is an example of an abstract concept i.e. something that requires some definition as well as some explanation (how to combine security&privacy mechanism [candidates] in order to...)

6. Challenges in security&privacy: I frequently encounter audiences throwing a WhyWorryThisIsAllThereAlreadyException and then refer to e.g. security best practices in office IT solutions. I think it is naïve to assume that a copy&paste of office IT best practices will do the trick for WoT - there are new security&privacy challenges in WoT. I'd like to have a digest on that which reflects the views of a variety of use cases and companies. That digest should address the challenges/problems in a solution-neutral way i.e. should reflect the catalog of security&privacy requirements but not the mechanism candidates

7. ...

The deliverables should be created in close interaction with other task forces in the WoT IG. I don't want to suggest a working mode right now and only try to identify some concerns that are common with them:

- Use cases and requirements across business sector: our "customer" (they use Catalog of Security&Privacy requirements)

- Liaison with external organisations: we could be their "customers" (when underpin "eligible bodies" when identifying Candidates of Security&Privacy mechanisms)

- Web of Things Framework: a WoT security&privacy framework (3-6 resp. follow-ups to these deliverables) obviously needs to match the overall WoT framework

- Business to Consumer: that's the case of "consumer goods" as e.g. WoT devices (such as: health wristband). The listing 1-6 above does not reveal it but I assume that we'll need to distinguish WoT resources into consumer vs. investment good. Both cases need authorization but authorization is different in case of consumer goods (individually owned) vs. investment goods (legal entity-owned)

- Business to Business: that's the complementary case of "investment goods" as e.g. WoT devices (such as: industrial controller)

- WoT Devices: similar as for Web of Things Framework

And thereafter?
I could think of steps thereafter but believe subsequent deliverables can be better discussed after there are draft versions on 1-6 (or whatever will result as the list of initial deliverables after discussion)

Please take that as a proposal for kicking-off work on security&privacy. In case you have suggestions, change requests or objections please speak up.

In particular I'm addressing the group of people who signalized interest in participating in work on WoT security&privacy during the F2F in Munich. But this is of course not limited to them: everybody interested in WoT security&privacy is invited to participate and contribute!

Best regards,
Oliver



Dr. Oliver Pfaff - Principal, IT-Security
Siemens AG
Corporate Technology
Research and Technology Center
CT RTC ITS
Otto-Hahn-Ring 6
81739 Munich
Tel.: +49 89 636-633607
mailto:oliver.pfaff@siemens.com


Received on Friday, 24 April 2015 07:20:56 UTC