W3C

- DRAFT -

Web of Things Security and Payments - breakout session

08 Nov 2017

Agenda

Attendees

Present
vincentK, Gildas, Keyur, AdrianHB, Dave_Raggett, Dongwoo, Ian, mdadas, Toshihiko_Yamakami(ACCESS), Adrian_Hope-Bailie(Ripple), Dave_Raggett(W3C), Kazuo_Kajimoto(Panasonic), Kaz_Ashimura(W3C), Tomoaki_Mizushima(IRI), Kazuaki_Nimura(Fujitsu), Cyril_Vignet(BPCE), Arnaud_Braud(Orange), Tara_Gay(American_Express), Gurunaja(Bosch), Barry_Leiba(Huawei), Vincent_Kuntz(ISO), Gildas_Le_Louarn(Lyra_Network), Keyur_Patel(Mastercard), Jim_Bell(Guest), Michael_McCool(Intel), Ryan_Watkins(Mastercard), Steve_Sommers(Shift4), Yoshiaki_Ohsumi(Panasonic), Takeshi_Sano(Fujitsu), Ryuichi_Matsukura(Fujitsu), Masato_Ohura(Panasonic), Keiichi_Tokuyama(Panasonic), Soichiro_Isobe(ACCESS), Andre_Lyver(Shopify), Nathan_Starr(Microsoft), Max_Liu(Alibaba), Matthias_Kovatsch(Siemens), Andrei_Ciortea(Siemens), Darko_Anicic(Siemens), Sebastian_Kaebisch(Siemens), Mohammed_Dadas(Orange), Colin_Whorlow(NCSC), Reilly_Grant(Google), Ibrahim_Damlaj(Microsoft), Matt_Saxon(Worldpay), Takashi_Minamii(JCB), Jason_Dominicak(inAuth;Amex), Tatsuhiko_Hirata(Hitachi), Keisuke_Minami(Toshiba), Kunihiko_Toumura(Hitachi), Michael_Koster(SmartThings), Magnus_Gunnarsson(Mitsubishi_Electric), Shinjiro_Urata(ACCESS), Kimberly_Garcia(Siemens), Uday_Davuluru(Lemonbeat), Dongwoo_Im(Samsung), Geunhyung_Kim(Dong_Eui_University), Mark_Foltz(Google), Ian_Jacobs(W3C)
Regrets
Chair
Michael McCool
Scribe
Ian, dsr

Contents


<dsr_> scribenick: dsr

Web of Things Security and Payments

<inserted> scribenick: AdrianHB

McCool: Session is a collab with payments WG
... and also looking to discuss security
... demos this afternoon for more info on what the WoT WG is doing
... also interested in discussing requirements, specifically are there new reqs for payments and security
... Web Commerce IG has a session tomorrow focused on WoT payments

<dsr_> scribenick: AndrianHB, dsr

<inserted> scribenick: AdrianHB

McCool: also consider going to HTTPS local breakout later
... WoT is not only HTTP
... one deliverable of the WG is security and testing strategy docs
... need to figure out how we produce those
... [presenting slides]
... primary goal of WoT is interop in the world of IoT
... enable an open ecosystem of devices
... learn from success of the Web
... BUT avoid adding to the overload of standards in IoT
... many existing standards, especially from specific verticals
... there are some newer standards that also compete with old
... need to find the gap WoT can fill

[ Bus Value of Interop slide]

scribe: a lot of analysis of the market assumes interop
... this is not reality so the value of interop is clearly high
... one issue is meta-data about services
... this is the key thing the WG is targeting
... deliverable being standardised meta-data for describing "things"
... this describes the properties, actions and events of things
... secondary deliverables are a scripting API and binding templates for mapping data to different protocol message formats
... one of the technologies we want to leverage is semantic web
... challenge being that the ecosystem is divided on the tech (some love it some hate it)
... want to ensure we accommodate both views without missing out on the value of semantic web for modelling this complex graph of things
... using JSON-LD in such a way that it can be used as regular JSON

<Ian> scribe: Ian

IOT payments and browser

<inserted> scribenick: dsr

Adrian: there is a lot of browser based work on web payments, and it looks like the protocols could be applied to IoT

Michael: for the IoT the user is often not presenty

s/presenty/present/

<Ian> --> https://adrianhopebailie.github.io/http-payments/http-payments.html HTTP Payments RFC

Adrian: HTTP could be re-used for this

<Ian> scribe:dsr

Michael: IoT devices may not be using HTTP
... if a device can make or receive payments, then we can have metadata describing that

A further requirement is the need to support discovery and the role of directory services

Michael presents the agenda for the session

He notes that payment solutions vary from one country to another, e.g. debit cards are commonly used for payments in Europe

<AdrianHB> I am presenting the following to the HTTPbis at IETF next week to solicit interest. Happy to find a co-editor that can expand this to include other protocols: https://github.com/adrianhopebailie/http-payments/blob/master/http-payments.txt

<AdrianHB> Older version is on the datatracker but missed deadline to submit latest: https://datatracker.ietf.org/doc/draft-hope-bailie-http-payments/

<inserted> scribenick: AdrianHB

McCool: Presenting WoT security deliverable
... we didn't want to have to this work but didn't find existing work we could build on
... some from IETF and others but no good references at the time we needed it. Plan is to update this rapidly as things evolve
... part of this is looking at different scenarios
... started with home env but this is probabaly least interesting
... industrial env has far more use cases
... the other relevant section is the examples of config for different env, specifically public vs private auth systems
... need to work through some implementations to really test our theories
... there is an IETF publication in the works on thing to thing security
... this highlights the different priorities in industrial vs home env (safety vs privacy)
... an example of a topic is a semantic search that needs to be constrained by privacy rules
... use case and requirements are captured in the WoT arch document
... we have tried to extract security considerations into the security doc

@@@: Is the setup for new new devices specified?

MCCool: we have limited scope to operational. We assume the device is provisioned (sometimes this happens in the factory)
... we have limited resources for the work so needed to limit scope
... decomissioning is also out of scope
... we are considering a management API but for now that is out of scope
... the other debate we have had is whether we allow scripts to be shared (security risk)
... focus is operational things
... conversely, we have a wide breadth of scope across environment (home, industrial, smart city etc)
... this means the work we need to do to gather use cases is huge
... sometimes best we can do is recommend best practices
... we have a challenge testing everything we have specc'ed too
... looking for POCs and commercial engagement
... security is a requirement before we'll get to commercializations
... need to demonstrate that we'll get good security with the WoT framework

Toshihiko: I have been Internet user for 37 years. My experience is that we are helpless wrt to security and privacy.
... the biggest false assumption about security is that security is against criminals. I thinkw e also have to deal with sovereign powers.
... the other issue we have with privacy is large technology companies who are focused on getting personal data

McCool: We have looked at state actors in our threat modelling. One of the challenges is that if they intercept things early enough in the manufacturing cycle there is little we can do
... One of the things I am interested in is end-to-end encryption and transparent proxying to partly resolve this
... I am also interested in blockchain and web of trust systems to get around compromised central authorities like CAs
... there are solutions to some of these issue
... "How paranoid are we?" is a scope consideration. We need to rank the threats and this will also be contextual

dsr: This is also a question for best practices. If businesses want to secure themselves then we can at least give them best practices to follow

McCool: Even best practices have no guarantees. There are also architectural considerations
... we should at least avoid obviously bad designs. We must assume there will always be insecure devices to we must design the architecture on that assumption.
... we must do this also assuming we will have resource limitations in device and in the networks

Groups represented:

Web payments WG

<ACC> Media and Entertainment IG

Web Commerce IG

<dsr> Data Exchange WG

<dsr> WoT IG/WG

<dsr> Automotive BG and WG

WebAuthn

McCool: The Devices and sensors WG is writing APIs for exposing devices in the browser. We are not trying to define device APIs in the WoT WG
... that said the combination of the work of the two would be interesting

Second Screen WG

<inserted> scribenick: Ian

AdrianHB: Upcoming discussions on payments at Web Commerce IG (tomorrow) and IETF tomorrow
... we have some Web Commerce IG use cases.
... a Web Payments Working Group deliverable might be (out-of-browser) data model for payment requests
... side comment - in the Interledger CG we do proofs of concepts; we have an ILP meetup tomorrow evening nearby

Michael: I have also been doing some voice input research

<AdrianHB> Anyone interested in joining the Interledger CG on Thursday night: https://interledger.org/sanfrancisco

<AdrianHB> We'll have some coaches from here to the venue around 17:45

Michael: Also looking at robotics

DSR: monetization models may vary
... there's a commercial aspect that is larger than payment itself

Michael: Secure metering
... I am paying for something but want to be sure I am measuring it reliably (e.g., paying for electricity)
... so the issue is to ensure that you are paying for the right thing
... Our first priority is auth and security; payments is down the road

<kaz> preesent+ Jason_Dominicak(inAuth;Amex), Tatsuhiko_Hirata(Hitachi), Keisuke_Minami(Toshiba), Kunihiko_Toumura(Hitachi), Michael_Koster(SmartThings), Magnus_Gunnarsson(Mitsubishi_Electric), Shinjiro_Urata(ACCESS), Kimberly_Garcia(Siemens), Uday_Davuluru(Lemonbeat), Dongwoo_Im(Samsung), Geunhyung_Kim(Dong_Eui_University), Mark_Foltz(Google), Ian_Jacobs(W3C)

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.152 (CVS log)
$Date: 2017/11/09 19:54:23 $