[wot-security] minutes - 30 March 2020

available at:
  https://www.w3.org/2020/03/30-wot-sec-minutes.html

also as text below.

Thanks a lot for taking the minutes, Oliver!

Kazuyuki

---
   [1]W3C

      [1] http://www.w3.org/

                               - DRAFT -

                              WoT Security

30 Mar 2020

Attendees

   Present
          Kaz_Ashimura, Michael_McCool, Elena_Reshetova,
          Oliver_Pfaff, Tomoaki_Mizushima

   Regrets

   Chair
          McCool

   Scribe
          Oliver

Contents

     * [2]Topics
         1. [3]Previous minutes
         2. [4]Lifecycle - Anima mapping
         3. [5]PRs
     * [6]Summary of Action Items
     * [7]Summary of Resolutions
     __________________________________________________________

   <kaz> scribenick: Oliver

Previous minutes

   <McCool> [8]https://www.w3.org/2020/03/23-wot-sec-minutes.html

      [8] https://www.w3.org/2020/03/23-wot-sec-minutes.html

   Minutes from 2020-03-23 were reviewed and accepted as okay
   (modulo some typos)

   <kaz> [typos fixed]

Lifecycle - Anima mapping

   [9]Elena's updated lifecycle diagram

      [9] https://github.com/w3c/wot-architecture/blob/master/proposals/WoT lifecycle diagram-WoT new lifecycle.svg

   Elena presented proposal for Thing lifecycle with a focus on
   lifecycle stages

   Original proposal allows a good mapping to IETF Anima

   Having a dedicated block "Bootstrapping/Onboarding" rather than
   an arrow-only seems a good improvement

   Mappings against IETF Anima should also consider
   [10]https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-38#section-2.1

     [10] https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-38#section-2.1

   Lifecycle as illustrated in slides "Bootstrapping IoT Security
   - The IETF Anima and OPC-UA Recipes" has its backing in work
   from IRTF T2TRG (was also mapped with some Operational
   Technology)

   Manufacturer keys/credentials shall be distinguished from site
   keys/credentials

   The former are regarded optional. The latter may incarnate
   multiply (per application domain)

   3 families of keys/credentials can play a role: manufacturer
   key/credential (0..1 per Thing), site key/credential (0..1 per
   Thing), application keys/credentials (0/1..n per Thing)

   Manufacturer keys/credentials are supplied (if supplied) in the
   manufacturing phase

   Site keys/credentials are supplied (if supplied) in the
   bootstrapping/onboarding phase

   Application keys/credentials are supplied in the
   bootstrapping/onboarding and/or maintenance phases (depending
   on the maintenance mode)

   Manufacturer keys/credentials can contain what the manufacturer
   knows (production date/location...); issuance under
   manufacturer control

   Site keys/credentials can also contain what the user/operator
   knows about the Thing (independent from an application domain);
   issuance under site-control

   Application keys/credentials can also contain what an
   application domain expects to find (e.g. DNS name in
   SubjectAltName); issuance under site-control

PRs

   <kaz> [11]PR 164

     [11] https://github.com/w3c/wot-security/pull/164

   PR 164 needs an editorial update. Cannot be done in the GitHub
   Web UI. Needs to be followed up...

   Progress made in lifecycle discussion esp. regarding its states
   and to-be-distinguished keys/credentials

   <kaz> [adjourned]

Summary of Action Items

Summary of Resolutions

   [End of minutes]
     __________________________________________________________


    Minutes manually created (not a transcript), formatted by
    David Booth's [12]scribe.perl version 1.154 ([13]CVS log)
    $Date: 2020/04/06 12:09:42 $

     [12] http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
     [13] http://dev.w3.org/cvsweb/2002/scribe/

Received on Tuesday, 7 April 2020 10:07:02 UTC