See also: IRC log
<scribe> scribenick: dsr
David introduces the background on the need for IoT security and the launch of the IoTSF.
Introduction to the IoTSF steering committee
The obvious questions, e.g. why yet another standards body?
We don’t intend to be a standards body, and as we are covering so many sectors that would be impractical anyway
Mission: to secure the IoT aid its adoption and maximise its benefits
We will promote best practices
We are funded by our members.
We’re having a meeting next week to get our work underway
There are lots of news stories around IoT insecurity
What about security certification? There is such a diverse set of mechanisms and standards that this can only approached on a domain by domain basis
We’re also looking at self declaration - where companies state which standards they conform to
<drogersuk> https://iotsecurityfoundation.org/events/
any questions?
Oliver thanks David for his presentation.
Oliver: so you primarily focus on testing and deal with self certification, right?
David: Companies will be able to do self-testing. We will identify existing standards and practices that we consider necessary, and we will also provide further guidance where we have identified gaps.
Oliver asks about the practical details involved
David displays us the PCI security standards self certification form
see https://www.pcisecuritystandards.org/
This has a list of questions for companies to fill out.
We would expect third party companies to provide services to companies to assist with self certification.
David: OWASP is widely quoted, but doesn’t necessarily provide the level of assurance required
We want to go a lot further than that
David: we would like to reference W3C specifications, and would be very happy to liaise with you. I am happy to act as the contact person for that.
It would be great if W3C could send someone to our of our future meetings.
Oliver: next year would be appropriate, given our schedule for finishing our initial report
David dropps off the call
Tibor: I am based in the UK and am an open source developer
Tibor introduces the open source project for the web of things at https://github.com/w3c/web-of-things-framework
This is an experimental project at this stage. I am currently the only active development right now, but hope we will get others later.
I asked to be included to exchange ideas and seek guidelines from security experts.
It would be great to have advice to ensure that the open source work is going in a good direction.
The project explores the use of JSON-LD as a basis for describing the scripting interface for things in terms of properties, actions and events.
This is an event driven design which reduces the dependency across the software modules.
The main part of the framework is the thing module which connects scripts to the transport modules.
We have transport modules for HTTP, WebSockets, CoaP and P2P
We’ve started a security document at https://github.com/w3c/web-of-things-framework/blob/master/security.md
Security is an integral part of the system. This covers authentication, access control, data integrity, device provisioning and secure upgrade, and the use of the ARM Trust Zone for managing crypto keys
For authentication, I have used UML to illustrate the 2 types of authentication we need to support.
This includes support for third party authentication servers e.g. OpenID Connect, as well as direct authentication approaches. The resource constraints for low power device is a challenge and may preclude some approaches.
We may therefore need some WoT specific solutions for low power devices
Our current approach uses ECC and public/private key pairs.
Once the public/private key pair is provisioned (e.g. prior to configuring the device), messages can be secured using AES 128 and 256 symmetric keys
The key exchange solution uses the Diffie Hellman alglorithm.
We are complying with existing standards throughout.
We’re using the open standard security token format - JSON Web Tokens (JWT), as well as JSON Web Signatures, etc.
Tibor shows a UML diagram covering message handling.
At this point I am really keen to get some expert review to ensure that I am on the right track
Some questions include the role of RSA on low power devices, what about Telehash and quantum crypto?
RSA is a big burden and may be too demanding for lower power devices.
See http://telehash.org which describes an encrypted mesh protocol for P2P applications
IBM and Samsung are looking at Telehash so perhaps we should too.
In the long term, there are concerns about quantum computing which could be very disruptive.
Oliver thanks Tibor for an excellent presentation. This is going in the right direction. We should find time for more detailed discussions.
There are some differences in terminology but apart from that we are thinking along the same lines.
Tibor: I only recently became aware of the WoT Security TF and have now joined the IG.
I can update the Github document to align more closely as we proceed.
Oliver: we’ve been working on a technology survey with a view to producing a report. You’ve taken an implementation perspective. We should continue to discuss the details and see opportunities for strong alignment.
I think personally that you are going in the right direction. I too am doing implementation work at Siemens and following a very similar path
We can work towards interoperability testing as we clarify the details.
Oliver: At Siemens, we don’t exclude RSA upfront. On more powerful devices (IETF class 2 and up) RSA is fine. It is too heavy for devices with less power.
Tibor: IoT gateways will be sufficiently powerful to support RSA
Dave: Oliver, perhaps we can discuss opportunities around security for the January plugfest?
Tibor: I will try my best to come to Nice and am working on Beaglebone and Raspberry Pi, and would expect to present these
Oliver: let’s try to make that
work out
... let me talk about the recipe we’re working on
Dave: lets get all of these slides on the WoT IG wiki
Oliver presents some slides on a proposal for security enabling WoT for the January plugfest
Oliver: we want to initially show case DTLS and TLS.
We want to adopt the IETF ACE WG architectural model
This includes clients, resource servers, authorization managers and authorisation servers.
We want to reuse things like OAuth and JWT, along with self-contained security tokens (to avoid additional round trips)
We thus want to employ a 4 corner model
The client only needs to know about the application manager, not the application server.
We (Siemens) are preparing a how-to document
There isn’t a lot of time though until the face to face.
Oliver asks Tibor for his comments
Tibor: I would be happy to collaborate as few people are as yet aware of the W3C framework
Are the AM and AS components accessed via Siemens proprietary protocols?
Oliver: no, we’re using OAuth and open source compoents.
We’ve had to tune the protocols a bit
The client is completely standard compliant and lightweight
We’re looking for low effort solutions involving one or two person weeks
Tibor: what are you thinking in term of the client component?
Oliver: the client could be a laptop and the server an ARM based IoT board
Some of the clients were JavaScript based and running in web browsers.
Tibor: this should be okay as we have a lot of modules in the project
Oliver: the complexity is mostly on the server (servient) component
There are some tables on the Sapporo face to face plugfest materials.
I will try to find some time to get back to you with more details comments on the Github project in the next few days.
Oliver: I got back to the T2TRG with some comments. I am focusing on the plugfest.
We also want direction from the IG on the overall report structure and length.
[today is Thanksgiving so not everyone could join]
Dave: Looking forward to progress towards switching to Github for the security report.
Oliver: AOB?
... end of meeting …
This is scribe.perl Revision: 1.144 of Date: 2015/11/17 08:39:34 Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/ Guessing input format: RRSAgent_Text_Format (score 1.00) Succeeded: s/mechaniss/mechanisms/ Succeeded: s/model/module/ Succeeded: s/shows a/shows a UML/ Found ScribeNick: dsr Inferring Scribes: dsr Present: Oliver Dave David_Rogers Edoardo Tibor Yingying Agenda: https://lists.w3.org/Archives/Public/public-wot-ig/2015Nov/0040.html Got date from IRC log name: 26 Nov 2015 Guessing minutes URL: http://www.w3.org/2015/11/26-wot-sp-minutes.html People with action items: WARNING: Input appears to use implicit continuation lines. You may need the "-implicitContinuations" option.[End of scribe.perl diagnostic output]