13:05:45 RRSAgent has joined #wot-sp
13:05:45 logging to http://www.w3.org/2015/11/26-wot-sp-irc
13:06:00 meeting: Security task force
13:07:18 chair: Oliver
13:07:22 scribenick: dsr
13:08:18 agenda: https://lists.w3.org/Archives/Public/public-wot-ig/2015Nov/0040.html
13:08:33 Topic: IoTSF - David Rogers
13:10:48 David introduces the background on the need for IoT security and the launch of the IoTSF.
13:12:32 Introduction to the IoTSF steering committee
13:13:03 The obvious questions, e.g. why yet another standards body?
13:13:30 We don't intend to be a standards body, and as we are covering so many sectors that would be impractical anyway
13:14:57 Mission: to secure the IoT, aid its adoption and maximise its benefits
13:15:09 We will promote best practices
13:16:18 present: Oliver, Dave, David_Rogers, Edoardo, Tibor, Yingying
13:16:39 We are funded by our members.
13:17:17 We're having a meeting next week to get our work underway
13:18:03 There are lots of news stories around IoT insecurity
13:18:47 What about security certification? There is such a diverse set of mechanisms and standards that this can only be approached on a domain by domain basis
13:19:58 We're also looking at self declaration - where companies state which standards they conform to
13:21:03 https://iotsecurityfoundation.org/events/
13:21:20 any questions?
13:21:41 Oliver thanks David for his presentation.
13:21:46 q?
13:22:23 Oliver: so you primarily focus on testing and deal with self certification, right?
13:23:25 David: Companies will be able to do self-testing. We will identify existing standards and practices that we consider necessary, and we will also provide further guidance where we have identified gaps.
13:23:48 Oliver asks about the practical details involved
13:25:00 David shows us the PCI security standards self certification form
13:25:50 see https://www.pcisecuritystandards.org/
13:26:28 This has a list of questions for companies to fill out.
13:26:44 rrsagent, set logs public
13:28:05 We would expect third party companies to provide services to companies to assist with self certification.
13:28:48 David: OWASP is widely quoted, but doesn't necessarily provide the level of assurance required
13:29:03 We want to go a lot further than that
13:29:15 q?
13:30:43 David: we would like to reference W3C specifications, and would be very happy to liaise with you. I am happy to act as the contact person for that.
13:31:37 It would be great if W3C could send someone to one of our future meetings.
13:32:11 Oliver: next year would be appropriate, given our schedule for finishing our initial report
13:32:18 David drops off the call
13:33:05 Topic: Web of Things Framework Security - Tibor Pardi
13:33:39 Tibor: I am based in the UK and am an open source developer
13:34:23 Tibor introduces the open source project for the web of things at https://github.com/w3c/web-of-things-framework
13:35:27 This is an experimental project at this stage. I am currently the only active developer right now, but hope we will get others later.
13:35:58 I asked to be included to exchange ideas and seek guidelines from security experts.
13:36:27 It would be great to have advice to ensure that the open source work is going in a good direction.
13:37:25 The project explores the use of JSON-LD as a basis for describing the scripting interface for things in terms of properties, actions and events.
13:37:49 This is an event driven design which reduces the dependency across the software modules.
13:38:27 The main part of the framework is the thing module which connects scripts to the transport modules.
13:38:58 We have transport modules for HTTP, WebSockets, CoAP and P2P
13:39:54 We've started a security document at https://github.com/w3c/web-of-things-framework/blob/master/security.md
13:41:09 Security is an integral part of the system.
This covers authentication, access control, data integrity, device provisioning and secure upgrade, and the use of ARM TrustZone for managing crypto keys
13:43:39 For authentication, I have used UML to illustrate the 2 types of authentication we need to support.
13:44:53 This includes support for third party authentication servers e.g. OpenID Connect, as well as direct authentication approaches. The resource constraints of low power devices are a challenge and may preclude some approaches.
13:45:12 We may therefore need some WoT specific solutions for low power devices
13:45:50 Our current approach uses ECC and public/private key pairs.
13:46:54 Once the public/private key pair is provisioned (e.g. prior to configuring the device), messages can be secured using AES 128 and 256 symmetric keys
13:47:22 The key exchange solution uses the Diffie-Hellman algorithm.
13:48:15 Yingying_ has joined #wot-sp
13:49:23 We are complying with existing standards throughout.
13:50:30 YingyingChen has joined #wot-sp
13:51:49 We're using the open standard security token format - JSON Web Tokens (JWT), as well as JSON Web Signatures, etc.
13:52:09 Tibor shows a UML diagram covering message handling.
13:53:32 At this point I am really keen to get some expert review to ensure that I am on the right track
13:54:19 Some questions include the role of RSA on low power devices, what about Telehash and quantum crypto?
13:54:44 RSA is a big burden and may be too demanding for low power devices.
13:55:32 See http://telehash.org which describes an encrypted mesh protocol for P2P applications
13:56:11 IBM and Samsung are looking at Telehash so perhaps we should too.
13:56:34 In the long term, there are concerns about quantum computing which could be very disruptive.
13:57:25 Oliver thanks Tibor for an excellent presentation. This is going in the right direction. We should find time for more detailed discussions.
13:57:54 There are some differences in terminology but apart from that we are thinking along the same lines.
13:58:37 Tibor: I only recently became aware of the WoT Security TF and have now joined the IG.
13:58:54 I can update the Github document to align more closely as we proceed.
14:00:36 Oliver: we've been working on a technology survey with a view to producing a report. You've taken an implementation perspective. We should continue to discuss the details and see opportunities for strong alignment.
14:00:57 Yingying has joined #wot-sp
14:01:15 I think personally that you are going in the right direction. I too am doing implementation work at Siemens and following a very similar path
14:01:53 We can work towards interoperability testing as we clarify the details.
14:02:54 Oliver: At Siemens, we don't exclude RSA upfront. On more powerful devices (IETF class 2 and up) RSA is fine. It is too heavy for devices with less power.
14:03:07 q+
14:04:17 Tibor: IoT gateways will be sufficiently powerful to support RSA
14:05:49 Dave: Oliver, perhaps we can discuss opportunities around security for the January plugfest?
14:06:28 Tibor: I will try my best to come to Nice and am working on Beaglebone and Raspberry Pi, and would expect to present these
14:06:55 Oliver: let's try to make that work out
14:07:22 Oliver: let me talk about the recipe we're working on
14:09:05 Dave: let's get all of these slides on the WoT IG wiki
14:09:36 Oliver presents some slides on a proposal for security enabling WoT for the January plugfest
14:10:18 Oliver: we want to initially showcase DTLS and TLS.
14:10:37 We want to adopt the IETF ACE WG architectural model
14:11:02 This includes clients, resource servers, authorization managers and authorization servers.
14:11:47 We want to reuse things like OAuth and JWT, along with self-contained security tokens (to avoid additional round trips)
14:12:03 We thus want to employ a 4 corner model
14:13:11 The client only needs to know about the application manager, not the application server.
14:14:22 We (Siemens) are preparing a how-to document
14:14:41 There isn't a lot of time though until the face to face.
14:16:15 Oliver asks Tibor for his comments
14:16:43 Tibor: I would be happy to collaborate as few people are as yet aware of the W3C framework
14:17:17 Are the AM and AS components accessed via Siemens proprietary protocols?
14:17:43 Oliver: no, we're using OAuth and open source components.
14:18:04 We've had to tune the protocols a bit
14:18:56 The client is completely standards compliant and lightweight
14:19:19 We're looking for low effort solutions involving one or two person weeks
14:20:17 Tibor: what are you thinking in terms of the client component?
14:21:12 Oliver: the client could be a laptop and the server an ARM based IoT board
14:22:15 Some of the clients were JavaScript based and running in web browsers.
14:22:40 Tibor: this should be okay as we have a lot of modules in the project
14:23:12 Oliver: the complexity is mostly on the server (servient) component
14:24:04 There are some tables on the Sapporo face to face plugfest materials.
14:26:29 I will try to find some time to get back to you with more detailed comments on the Github project in the next few days.
14:27:23 Oliver: I got back to the T2TRG with some comments. I am focusing on the plugfest.
14:27:52 We also want direction from the IG on the overall report structure and length.
14:28:18 [today is Thanksgiving so not everyone could join]
14:29:41 Dave: Looking forward to progress towards switching to Github for the security report.
14:29:58 Oliver: AOB?
14:30:31 … end of meeting …
14:30:40 rrsagent, make minutes
14:30:40 I have made the request to generate http://www.w3.org/2015/11/26-wot-sp-minutes.html dsr