- From: Kazuyuki Ashimura <ashimura@w3.org>
- Date: Wed, 27 Apr 2016 00:52:23 +0900
- To: public-automotive <public-automotive@w3.org>
- Message-ID: <CAJ8iq9VhYge129Fpfsk==xG7n766pW454UTh_-LH36Gi=BK+UA@mail.gmail.com>
available at:
https://www.w3.org/2016/04/26-auto-minutes.html
also as text below.
Thanks a lot for scribing, Ted!
Kazuyuki
---
[1]W3C
[1] http://www.w3.org/
- DRAFT -
Automotive WG - Security Day
26 Apr 2016
See also: [2]IRC log
[2] http://www.w3.org/2016/04/26-auto-irc
Attendees
Present
Kaz_Ashimura(W3C), Tatsuhiko_Hirabayashi(KDDI),
Junichi_Hashimoto(KDDI), Paul_Boyes(INRIX),
Osamu_Nakamura(W3C), Powell_Kinney(Vinli),
Magnus_Gunnarson(Melco), Peter_Winzell(Melco),
Yasuyuki_Komatsu(Honda), Shinjira_Urata(Access),
Hirokazu_Hayashi(Sony), Wonsuk_Lee(ETRI),
Ted_Guild(W3C), Rudolf_Streif(JLR), Adam_Crofts(JLR;
remote), Kevin_Gavigan(JLR; remote)
Regrets
Chair
Paul
Scribe
kaz, ted
Contents
* [3]Topics
1. [4]Introduction
2. [5]Security Consideration (Hashimoto-san)
3. [6]Mitsubishi presentation
* [7]Summary of Action Items
* [8]Summary of Resolutions
__________________________________________________________
<inserted> scribenick: kaz
Introduction
around the table
Security Consideration (Hashimoto-san)
junichi: background
... creating vehicle api
... 2 specs: vehicle information access api + vehicle data
... many stakeholders who have various concerns
... esp. in Europe concern on privacy
... data integrity
... OEM most interested in safety
... so need for security considerations
... p3: Security and Privacy TF
... revising the section 3 of the spec
... during the f2f in Sapporo
... there was discussion
... we need to describe access control
... how OEMs restrict restrict access
... 2 specs on the left side: access API and data
... on the right side, security and privacy consideration
... informative at the moment, and normative recommendation in
the future
... p4: Drafting Note
... draft includes both English and Japanese
... can be switched by pushing "t" button
... how to prevent malicious codes from the outside
<wonsuk> Security and Privacy Consideration on Vehicle APIs:
[9]http://sou3ilow.github.io/autosec/index.html
[9] http://sou3ilow.github.io/autosec/index.html
junichi: there should be some exception on privacy
... would like to discuss discuss the key points today
... and would like to put into the GitHub by May 11
... p5: Key points
... Scope of Note
... vehicle apis for IVI
... web runtime and its environment
... Protection agains malicious codes
... protecting I/F between IVI and Internet plus the one
between IVI and CAN
... basic tech of web security
... system updatability
... Access control
... market, white list, proxy, etc.
paul: will create a wiki?
junichi: would like to have discussion on the GitHub
paul: ok
... we'll put this on the GitHub
kaz: so Hashimoto-san, you want to hold the discussion with the
HTML as the starting point?
junichi: yes
kaz: so we'll move the HTML from Junichi's repo to the W3C repo
... and start the actual discussion
junichi: please give your comments
peter: we should present a document based on the HTML?
... separate document?
junichi: a separate document including security/privacy and
architecture
wonsuk: how to handle different scenarios for security?
junichi: didn't include use cases in this draft yet
... do you think we should include use cases as well?
peter: would be better to include general description
wonsuk: would be better to include different architecture
variations and scenarios
... in case of current use cases
... we could briefly describe them
... some of the vehicle apis cover them
... different possible architectures
... e.g., application talks with the gateway
... we can think about possible variety of connection
paul: we had discussions using Google spreadsheet before
wonsuk: some of the security use cases could be different from
general IVI use cases
paul: he started use case discussion for security
<Paul>
[10]https://docs.google.com/spreadsheets/d/14ij-2I-H4HbilVQ_muC
mUayVqmVfdbkoke690MA0kdo/edit#gid=0
[10]
https://docs.google.com/spreadsheets/d/14ij-2I-H4HbilVQ_muCmUayVqmVfdbkoke690MA0kdo/edit#gid=0
hira: we came up with 50 of use cases for security
... and he categorized them into 5-6 categories
... he can document them
kaz: within the HTML on the GitHub?
junichi: wondering how to put the Google spreadsheet things
into the HTML
paul: some possible tools including respec.js
kaz: you can talk about the concrete method later
<Paul> [11]https://www.w3.org/respec/
[11] https://www.w3.org/respec/
junichi: another comment?
wonsuk: the scope of this note is focused on webruntime-based
apis
... but in the WG, we're discussion JS api and RESTful API
... so wondering about the security for the RESTful discussion
part
junichi: would like to support both the cases
kaz: probably you should start with the JS api first
... and extend the scope later
wonsuk: TAG suggested RESTful api would fit the Web ecosystem
better
... so wondering how to handle it
... maybe we could start with the RESTful I/F first
->
[12]https://lists.w3.org/Archives/Public/public-automotive/2016
Apr/att-0022/20160425-paris-security-privacy.pdf
Hashimoto-san's slides
[12]
https://lists.w3.org/Archives/Public/public-automotive/2016Apr/att-0022/20160425-paris-security-privacy.pdf
paul: we have to have discussion to figure out how to handle
the REST I/F
wonsuk: in case of security consideration
... the current scope is focused on JS api
paul: we have to talk about security consideration
... we've been discussing the vehicle api spec
kaz: we'll have a session about the REST I/F after this, won't
we?
paul: also that is the main topic for Thursday
... Kevin showed architecture design
... Philippe Colliot also showed an architecture design
peter: what is the deliverable?
... security consideration for JS API? or REST I/F?
... the style of the API
... the data format could be JSON in the both cases, though
paul: implementers have implemented systems using websocket and
some protocols
rudi: transport and services
... what kind of services are exposed?
kaz: we've started architecture discussion already
... we can see what the differences between JS API and REST API
are like based on that discussion
... and after that we can tell what need to be added for
RESTful API
junichi: p7: Overall Architectures
... combinations of API formats and APY types
... 1. WebIDLxDOM
... 2. RESTxDOM
... 3. RESTxWeb(local)
... 4. RESTxWeb(cloud)
... applications are downloaded from some server
... Web browser requires HTTPS for that connection
... so the local server needs to have HTTPS capability
... and we need to handle certification on the local side
rudi: the 4th one have disadvantage
paul: also privacy issue
rudi: people need to have datamodel
paul: difference between 2 and 3?
wonsuk: the 1st case (1) is our vehicle api
... (2) is websocket i/f
... endpoint description
... data for the websocket connection
... we don't need to add any additional information
junichi: 2 uses dedicated apis
paul: so variation of 1?
... build on the top of browser?
urata: dedicated websocket api is 2
paul: to me 3 seems to be #81 proposal
urata: the difference between 2 and 3 is native vs. pollyfill
wonsuk: in case of 2, websocket api for browser
... and send request to the server
[ discussion on security architecture ]
[13]architecture diagram on the flipchart
[13] https://www.w3.org/auto-f2f/26/DSC_0063.JPG
Architecture diagram on the flipchart
[ break ]
<ted> scribenick: ted
-> [14]http://sou3ilow.github.io/autosec/index.html Junichi's
note
[14] http://sou3ilow.github.io/autosec/index.html
junichi: section 3 on web security
... use t to toggle language between japanese and english
... it describes basic techniques
... section 4 goes into privacy protection, ability to
invalidate old data, see what is sent and collected
... section 5 is on best practices for access control
... including proxy, oauth and cors
[agreement to provide feedback offline in github or mailing
list]
Mitsubishi presentation
(slides in gotomeeting and will be shared later)
magnus: looking at integrity
... inter-process communication, inter-ECU communication,
internet communication are the three main use cases
... leaving authentication out of scope for the moment
(for ECU)
magnus: the web socket solution can support all three of these
depending on the architecture used
... the main difference between wss is no http beyond the
initial handshake at which point you can keep an open
connection in both directions
... CIA security model. confidentiality, integrity and
availability
... IPC - you want availability and integrity. you want to
protect against spoofed data
... IEC - same concerns if you have access to the car, ability
to replay or send faked signal data
... internet UC, the problem is that someone can try to
intercept and modify off vehicle network traffic
... encrypting with a private key helps
... big problem is ssl hijacking techniques
... i wanted to bring up certificate pinning
... pinning prevents various mitm techniques
... you should always pin in an untrusted network
... certificates do expire, you need an update mechanism anyway
... I recommend the RFC and OWASP for reading further
... we do not know the scope for the API yet, how much you want
to consider in the specification
[15]https://www.w3.org/2016/04/guidelines-article.html
[15] https://www.w3.org/2016/04/guidelines-article.html
<kaz> ted: generating a guideline article on "Securing
Connected Vehicles on the Web"
<kaz> ... SSL certificate maintained by some packaging system
<kaz> ... what each application does
<kaz> ... trying to pull Web security people to the Automotive
discussion
<kaz> powell: why don't we simply use a whitelist of secure
servers?
powell: there is a strong chance that the server certificate
will need to be changed out
magnus: you will need some sort of update option for
maintaining that
rudi: you can have certificates updates from ota updates
magnus: (earlier) a WAF might be processor intensive
paul: you wanted to bring something up about protecting the
json as well?
peter: we could have payload signing of the json itself
powell: ssl should be enough
... you need confirmation you are talking to the right remote
system though
... hawk does the same thing but is meant for things that can't
be signed or encrypted any other way
ted: for off vehicle data sources you might still want it
... number of ways to do it including w3c webcrypto api and it
provides a 2fa style confirmation - harder to steal both in a
mitm
[summary: clear need for guidelines, best to start regular
security calls to further that, start with junichi's document,
number seem in favor of socket approach for security benefits
over webidl approach]
[discussion of decisions to be reached this week, websocket vs
webidl approach and mapping data spec to genivi rvi model or
adopt it]
<kaz> kaz: want to remind that we should think about the
architecture diagram whenever we discuss security and APIs,
because sometimes some people think about this area and others
think about another area
<kaz> paul: right. so Kevin will send his diagram out on
Thursday
<kaz> [discussion on the BG report during the GENIVI AMM
tomorrow morning]
<junichi-hashimoto> [16]http://sou3ilow.github.io/autosec
[16] http://sou3ilow.github.io/autosec
<junichi-hashimoto> repository
[17]https://github.com/sou3ilow/autosec
[17] https://github.com/sou3ilow/autosec
<kaz> [18]Security repo on the W3C GitHub
[18]
https://github.com/w3c/automotive/tree/gh-pages/vehicle_data/security
Summary of Action Items
Summary of Resolutions
[End of minutes]
__________________________________________________________
Minutes formatted by David Booth's [19]scribe.perl version
1.144 ([20]CVS log)
$Date: 2016/04/26 15:49:18 $
[19] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[20] http://dev.w3.org/cvsweb/2002/scribe/
--
Kaz Ashimura, W3C Staff Contact for Auto, WoT, TV, MMI and Geo
Tel: +81 3 3516 2504
Received on Tuesday, 26 April 2016 15:53:35 UTC