W3C

- DRAFT -

Breakout TF-Security&Privacy

30 Oct 2015

See also: IRC log

Attendees

Present
Oliver, James, Daniel, Carsten, Kaoru, QingAn, Matsuki, Yasunori
Regrets
Chair
Oliver
Scribe
kaoru


Oliver, Siemens: rather security than WoT

Kaoru, Lepidum: OAuth, OpenID

Qing An

Matsuki, Hitachi: software development, compilers, etc.

James, HP: application security testing

Daniel, @: IoT last 10 years, low level stacks, security key-exchange

Carsten, @: 3 decades on IoT, system quality and information security

Landscape of Security and Privacy in WoT

Oliver presents slides https://www.w3.org/WoT/IG/wiki/images/e/ea/Landscape_of_Security_%26_Privacy_Means.pdf

Oliver: https://www.w3.org/WoT/IG/wiki/Landscape_of_Security&Privacy_Means
... https://www.w3.org/WoT/IG/wiki/Design-Time_Security%26Privacy_Means
... Various technologies are surveyed in a uniform structure on this page.
... Design-time means analyzing what tools are available and usable.
... Runtime means you must monitor how the system goes.
... Most of the landscape we focus on is design-time.

James: Functionally, design-/run-time have some overlaps.

Oliver: Customers ask for security functionality and products, but are not experts on TLS, OAuth, etc. We find technologies they should invest in. Mechanisms are mostly in the design phase.
... @@ are design-time deliverables. Then implement.
... Runtime is something you test. E.g. how TLS/SSL is configured
... Overview of WoT as distributed systems
... Things, user agents, intermediaries
... They are always distributed.
... Distributed systems research started in the 60s/70s. Protection of DS has a lot of prior art.
... Five disciplines: Privacy, Authorization, Authentication, Secure communications and storage, Provisioning and credentialing

Is granting access to an online bank account authorizing or credentialing?

James: Both provisioning an account and then giving an authorization.

Oliver: Branch manager is not relevant in this scenario.

Carsten: I'm trying to understand difference between provisioning and authorization

Oliver: Provisioning is just a preparation. To register a user into the database.

Carsten: Doesn't that already give authorization?

Oliver: at this time, no.
... Usually authentication goes under this. No money to manage yet.
... Suppose now we have $1000 in the balance database. We want to transfer money.
... One pain point is explaining what the authorization is here in natural language.
... The next pain is to describe the resource owner model. That's by linking the account to the balance.
... Giving credentials to the account for future authorizations.
... We have to describe this scenario at the pattern level and the technology level.

Slide 6

Oliver: Characteristics/dependencies of the disciplines.
... Privacy is human-centric in definition

James: Privacy vs confidentiality?

Oliver: secure communication helps privacy

James: Secure comm and storage are tools to control privacy. Privacy is by definition not related to corporations.
... We need something like privacy for companies; I don't know what we call that.

Oliver: Authorization is different for legal entity vs. individually-owned resources.
... Authentication is the most complicated.
... A trusted 3rd party called IdP or OP establishes initial authentication. Then it transfers the result as a security token to whoever wants the authentication (RP).

Daniel: Sometimes, authentication must be established without Internet connection.

Carsten: You skipped the aspect of mutual authentication?

Oliver: for now, yes.
... secure communications/storage is very much like a protocol stack layer.

Slide 7

Oliver: Aspects of these disciplines. These are described in wiki pages.
... Do we have sufficient collection of topics to talk to other TFs?

Page 9: WoT specifics

Oliver: Big question: can we reuse the prior arts from distributed systems protection?
... Inclusion of physical goods: this is a fundamental thing. Copying/relocating is very hard.
... Constrained devices: physical goods do not scale easily.
... Constrained networks.
... Non-human actors. Automated controllers grow authentication requests around 10s in number.
... Not only IT applications: the number of those requesting authentication increases by a factor of 10000.
... can PKI handle this number of servers?
... Connectivity: UAs from public networks -> more attack surface (not really WoT-specific)

Matsuki: How about time constraints? Responding on time is important.

Oliver: We might include this into constrained devices. Crypto computations, etc.

Daniel: Network latency is also relevant

Slide 10

Oliver: Digital vs physical goods: reproduction, relocation of item instances at almost no cost

Carsten: Bank account is also digital.

Oliver: Technically, yes.
... aspects: static/dynamic, human-/machine-readable
... Physical goods: reproduction, relocation of item instances at cost
... aspects: consumer vs investment, individual-/company-owned

Slide 11

Technology generations over the last 30-40 years.

Oliver: Classic: technology invented before 2010, mostly in enterprise/office environments.
... examples: Kerberos, LDAP, P3P, PKIX, S/MIME, SAML, SSL/TLS
... possibly only a partial fit or no fit for WoT/IoT
... New technologies: born in 2010-2015. Not native to WoT/IoT; possibly no fit or only a partial fit for WoT/IoT.
... examples: FIDO, JOSE, OAuth, OIDC, SCIM
... These are designed to run in a datacenter. There is no guarantee that these technologies run on constrained devices.
... Future (3rd-generation) technologies: invented in the future.
... Native to WoT/IoT
... Examples: ACE

Slide 12: Interoperability

Oliver: A WoT security and privacy solution can be either silo'ed or interoperable.
... In a silo'ed solution, a manufacturer provides everything. No standard needed.
... Interoperable solutions are required for cross-domain scenarios. Standards for S&P are mandatory. Interoperability AND reuse.
... Hypothesis: current IoT/WoT projects either neglect S&P or create silo'ed solutions.

James: A proprietary standard as a hub is not completely silo'ed but somewhat not open enough.

Oliver: We don't have a well-known standard.

Slide 13: Silo'ed vs Interoperable for Traditional Web

Oliver: DIY (ubiquitous) or P3P (some)
... Authorization: DIY. There is no standard that is commonly accepted.
... Authentication: server authN: SSL/TLS (ubiquitous); User or client authN: Initial authentication is DIY, or HTTP Basic/Digest
... subsequent AuthN in DIY ("SSO Cookies" ubiquitous) or SAML/WS-Fed/OIDC (some)
... Secure comm and storage: transport is protected with TLS (ubiq). Information bound by PKCS#7/CMS or XML signature (some).
... Provisioning and credentialing: DIY (ubiq); only small CMP/KeyProv/PKCS.

CMP: credential definition protocol defined in PKIX

Slide 14

Oliver: Filtering S&P in the traditional Web for what is standard and ubiquitous leaves only one mechanism: SSL/TLS.
... Secure comm and server authN are supported, but no privacy, authZ, user authN, provisioning/credentialing.
... Most security functionality is DIY.
... Key question: is DIY S&P viable for WoT?

Carsten: TLS includes protocol and PKI. We must be careful not to confuse these two.

Oliver: DIY is not viable with new application styles like "I want office24.com to print my photos stored at Google Drive".
... Two entities in a single transaction are not well handled in OAuth currently.
... SSL/TLS client certificates did not succeed in reality.
... HTTP-level passwords are possible but banks want fancier things.
... If browser-side JS and the server are both from you, any private protocol can assure user authentication.
... This picture doesn't work once the browser client is made by a 3rd party.
... Some kind of standard either in the HTTP stack or the TLS stack is necessary.
... Three options: 1. no security at all. 2. minimal set of security standards (SSL/TLS only). 3. full set of standards.
... The traditional Web has 2: a minimal set of standards + a lot of DIY.

... New application styles: 2. SSL/TLS only is not sufficient. We need more standards than TLS.
... What about WoT? Even further standardization is necessary.
... Maybe we cannot reach 3, but we need to proceed.
... We have two questions here. 1. Do we have it (something beyond TLS)?
... Let's clarify the gaps between what we have and what we need to have.

Carsten: New app style is only part of WoT. We might have other styles.

James: We may be extending existing standards.

Daniel: It's like a moving target.

Matsuki: Standard is a boundary between cooperation and competition. Depending on domains, the border varies.

Oliver: We don't ask all projects for the same level of standardization. Providing suites with 3-4 technologies from IETF/W3C is good so that implementers can choose from them.
... We need to recognize the gap between what we have and what's needed.

Kaoru: Not only the technology but also policy about what to protect should be considered as part of standards.

Oliver: Different profiles should be defined and provided so that use cases can choose the necessary protection level.

Slide 15: impact

Oliver: We might add security in the next plugfest, but doing DTLS/CoAP only is not the way we should go.
... Conclusions - Maturity, Usage, WoT Fitness
... Classic style: maturity is very high, usage good, but not fit for WoT.
... New style: maturity high, usage good, but WoT fitness limited.
... Future: maturity is low because it has just started. Usage is experimental or not yet. WoT fitness is high.
... Here we find a dilemma, if we want interoperable S&P solutions for WoT.
... If a silo'ed solution is OK, just go ahead. But when someone starts selling that, a problem arises.

Slide 24: White spots

Oliver: IETF ACE has started but not many people know it.
... Discovery authorization has not been explored.
... APIs should pay more attention to S&P so that client developers do not need to be S&P experts.

Slide 25 wrap-up

Oliver: Suggest a trusted 4th party that helps the requesting party.
... Trusted Fourth Party (TFP) and Trusted Third Party (TTP) can be shared in a domain. One TFP and many RPs, one TTP and many service providers.
... Provisioning and credentialing should be explored.

Daniel: "Christmas problem": having a lot of new devices, making them join the home automation network.
... TTP and devices don't have a communication method.

Carsten: This problem is known as "network onboarding". Extremely important problem esp. regarding parameters.

Oliver: The question is not how to do that but how to change it.

Carsten: Vertical onboarding might not be cross-domain but be cross-vendor.

Next steps

Oliver: We had a rough consensus on what's on wiki and the slides.

<scribe> ACTION: double check and review the rough consensus on wiki page [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action01]

<scribe> ACTION: Oliver, to update the overview part and lessons learned today [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action02]

<scribe> ACTION: everyone to double check the update on wiki [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action03]

<scribe> ACTION: what to do in the next plugfest [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action04]

<scribe> ACTION: IG facing [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action05]

<scribe> ACTION: actual deliverables [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action06]

Summary of Action Items

[NEW] ACTION: actual deliverables [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action06]
[NEW] ACTION: double check and review the rough consensus on wiki page [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action01]
[NEW] ACTION: everyone to double check the update on wiki [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action03]
[NEW] ACTION: IG facing [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action05]
[NEW] ACTION: Oliver, to update the overview part and lessons learned today [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action02]
[NEW] ACTION: what to do in the next plugfest [recorded in http://www.w3.org/2015/10/30-wot-sp-minutes.html#action04]
 
[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.140 (CVS log)
$Date: 2015/10/30 03:32:48 $
