[IG-SP] Memo of Joint IRTF T2T/W3C WoT Meeting in Prague, July 18/19 (here: security&privacy matters)

This is a memo of the discussion on security&privacy during the joint IRTF T2T/W3C WoT Meeting in Prague, July 18/19

From the side of the W3C WoT IG, Edoardo and I participated. Starting points are:
-       W3C page: https://www.w3.org/WoT/IG/wiki/Joint_IRTF_T2T_RG_/_W3C_WoT_IG_meeting_18-19_July_2015_in_Prague,_Czech_Republic
-       IRTF page: https://github.com/t2trg/2015-ietf93/blob/master/agenda.md

There were 2 breakout sessions in a group of people interested in security&privacy. These breakouts were moderated by Carsten Bormann:
-       Long breakout (ca. 4 hours) on Saturday to discuss the state-of-the-art (see W3C page for a short description of the breakout slots B1..B5):
o       B1: Security & Privacy Features in Current IoT Projects<https://github.com/t2trg/2015-ietf93/raw/master/slides/32-Security-and-Privacy-Features-in-Current-IoT-Projects-.pdf> (discussion with the breakout participants based on some questions prepared beforehand) - see below for my compilation of the findings
o       B2: Existing Infrastructure vs. New Challenges<https://github.com/t2trg/2015-ietf93/raw/master/slides/33-Existing-Infrastructure-vs.-New-Challenges-.pdf> (Oliver Pfaff, Siemens AG)
o       B3: Access Control on Multiprotocol Networks<https://github.com/t2trg/2015-ietf93/raw/master/slides/31-IETF-93-T2TRG-Pablo.pdf> (Pablo Puñal Pereira, LTU)
o       B3: WiFi Alliance Device Provisioning (ad-hoc talk by Mohit)
o       B4: Highlights from the ACE WG<https://github.com/t2trg/2015-ietf93/raw/master/slides/34-ace.pdf> (Olaf Bergmann, TZI/Uni Bremen)
o       B4: Interaction of "Things" with the "big" Internet: Authentication and Authorization<https://github.com/t2trg/2015-ietf93/raw/master/slides/36-openidcaf_irtf_ietf93.pdf> (Stefanie Gerdes, TZI/Uni Bremen)
o       B5: no time left, skipped
-       Short breakout (ca. 2 hours) on Sunday to discuss next steps
o       The T2TRG plans to consider the use cases "Home Automation" and "Building Automation" (possibly some others too) in order to, first, provide a frame from an SP perspective (requirements), second, ask each interested party to throw their preferred SP mechanisms at this, and third, see what sticks in order to derive patterns and identify white spots. I think this is a good complement to what we are doing in W3C WoT SP and you might want to watch/contribute to this. My understanding is that this work will be conducted under the umbrella of the T2TRG at IRTF/IETF, i.e. this does not present an SP agenda change for the W3C WoT IG. Please track the T2TRG Web page (https://datatracker.ietf.org/rg/t2trg/charter/) and mailing list (t2trg@irtf.org<mailto:t2trg@irtf.org> or http://www.ietf.org/mail-archive/web/t2trg/) if interested. The discussion during this breakout was also interesting. It was scribed by Carsten Bormann but I did not yet find it on the IRTF page (I can update you once I know where it is)

The following snippet is my compilation of the main B1 results that were also offered to the moderator:

       Findings/surprises:
-       More capital goods projects than consumer goods (in W3C WoT the impression is vice versa)
-       Actual thing usually is of low value but controls (parts of) a high value asset
-       Preference for cross-domain scenarios (not all components from the same provider)
-       Most projects already implement some authz. In the absence (as of now) of a standard authz solution for things, the current solutions are ad hoc or DIY. That's an apparent contradiction: DIY solutions are a valid same-domain approach (one vendor/provider controls all components) but not for cross-domain
-       The preference is for symmetric cryptography (here: schemes that hit the devices). If asymmetric schemes are used, then in the 'raw' form factor. Public key cryptography with public key certificates is avoided

   I guess the same-domain vs. cross-domain question is an interesting one to track:
-       If same-domain is/stays a valid proposition for IoT projects, then a standard solution gives reuse. Things could be done without it
-       If cross-domain is aimed at (by a relevant subset of the projects), then a standard solution gives interop AND reuse. Things cannot be done without it

Please note that this reflects the projects that were present in the breakout and should not be assumed to be representative of the industry; anyhow, I think there is a message

Best regards,
Oliver

Received on Tuesday, 21 July 2015 06:31:22 UTC