<dsr_> scribenick: dsr
<inserted> scribenick: AdrianHB
McCool: Session is a collab with
payments WG
... and also looking to discuss security
... demos this afternoon for more info on what the WoT WG is
doing
... also interested in discussing requirements, specifically
are there new reqs for payments and security
... Web Commerce IG has a session tomorrow focused on WoT
payments
<dsr_> scribenick: AndrianHB, dsr
<inserted> scribenick: AdrianHB
McCool: also consider going to
HTTPS local breakout later
... WoT is not only HTTP
... one deliverable of the WG is security and testing strategy
docs
... need to figure out how we produce those
... [presenting slides]
... primary goal of WoT is interop in the world of IoT
... enable an open ecosystem of devices
... learn from success of the Web
... BUT avoid adding to the overload of standards in IoT
... many existing standards, especially from specific
verticals
... there are some newer standards that also compete with
old
... need to find the gap WoT can fill
[ Bus Value of Interop slide]
scribe: a lot of analysis of the
market assumes interop
... this is not reality so the value of interop is clearly
high
... one issue is meta-data about services
... this is the key thing the WG is targeting
... deliverable being standardised meta-data for describing
"things"
... this describes the properties, actions and events of
things
... secondary deliverables are a scripting API and binding
templates for mapping data to different protocol message
formats
... one of the technologies we want to leverage is semantic
web
... challenge being that the ecosystem is divided on the tech
(some love it some hate it)
... want to ensure we accommodate both views without missing
out on the value of semantic web for modelling this complex
graph of things
... using JSON-LD in such a way that it can be used as regular
JSON
<Ian> scribe: Ian
<inserted> scribenick: dsr
Adrian: there is a lot of browser based work on web payments, and it looks like the protocols could be applied to IoT
Michael: for the IoT the user is often not presenty
s/presenty/present/
<Ian> --> https://adrianhopebailie.github.io/http-payments/http-payments.html HTTP Payments RFC
Adrian: HTTP could be re-used for this
<Ian> scribe:dsr
Michael: IoT devices may not be
using HTTP
... if a device can make or receive payments, then we can have
metadata describing that
A further requirement is the need to support discovery and the role of directory services
Michael presents the agenda for the session
He notes that payment solutions vary from one country to another, e.g. debit cards are commonly used for payments in Europe
<AdrianHB> I am presenting the following to the HTTPbis at IETF next week to solicit interest. Happy to find a co-editor that can expand this to include other protocols: https://github.com/adrianhopebailie/http-payments/blob/master/http-payments.txt
<AdrianHB> Older version is on the datatracker but missed deadline to submit latest: https://datatracker.ietf.org/doc/draft-hope-bailie-http-payments/
<inserted> scribenick: AdrianHB
McCool: Presenting WoT security
deliverable
... we didn't want to have to this work but didn't find
existing work we could build on
... some from IETF and others but no good references at the
time we needed it. Plan is to update this rapidly as things
evolve
... part of this is looking at different scenarios
... started with home env but this is probabaly least
interesting
... industrial env has far more use cases
... the other relevant section is the examples of config for
different env, specifically public vs private auth
systems
... need to work through some implementations to really test
our theories
... there is an IETF publication in the works on thing to thing
security
... this highlights the different priorities in industrial vs
home env (safety vs privacy)
... an example of a topic is a semantic search that needs to be
constrained by privacy rules
... use case and requirements are captured in the WoT arch
document
... we have tried to extract security considerations into the
security doc
@@@: Is the setup for new new devices specified?
MCCool: we have limited scope to
operational. We assume the device is provisioned (sometimes
this happens in the factory)
... we have limited resources for the work so needed to limit
scope
... decomissioning is also out of scope
... we are considering a management API but for now that is out
of scope
... the other debate we have had is whether we allow scripts to
be shared (security risk)
... focus is operational things
... conversely, we have a wide breadth of scope across
environment (home, industrial, smart city etc)
... this means the work we need to do to gather use cases is
huge
... sometimes best we can do is recommend best practices
... we have a challenge testing everything we have specc'ed
too
... looking for POCs and commercial engagement
... security is a requirement before we'll get to
commercializations
... need to demonstrate that we'll get good security with the
WoT framework
Toshihiko: I have been Internet
user for 37 years. My experience is that we are helpless wrt to
security and privacy.
... the biggest false assumption about security is that
security is against criminals. I thinkw e also have to deal
with sovereign powers.
... the other issue we have with privacy is large technology
companies who are focused on getting personal data
McCool: We have looked at state
actors in our threat modelling. One of the challenges is that
if they intercept things early enough in the manufacturing
cycle there is little we can do
... One of the things I am interested in is end-to-end
encryption and transparent proxying to partly resolve
this
... I am also interested in blockchain and web of trust systems
to get around compromised central authorities like CAs
... there are solutions to some of these issue
... "How paranoid are we?" is a scope consideration. We need to
rank the threats and this will also be contextual
dsr: This is also a question for best practices. If businesses want to secure themselves then we can at least give them best practices to follow
McCool: Even best practices have
no guarantees. There are also architectural
considerations
... we should at least avoid obviously bad designs. We must
assume there will always be insecure devices to we must design
the architecture on that assumption.
... we must do this also assuming we will have resource
limitations in device and in the networks
Groups represented:
Web payments WG
<ACC> Media and Entertainment IG
Web Commerce IG
<dsr> Data Exchange WG
<dsr> WoT IG/WG
<dsr> Automotive BG and WG
WebAuthn
McCool: The Devices and sensors
WG is writing APIs for exposing devices in the browser. We are
not trying to define device APIs in the WoT WG
... that said the combination of the work of the two would be
interesting
Second Screen WG
<inserted> scribenick: Ian
AdrianHB: Upcoming discussions on
payments at Web Commerce IG (tomorrow) and IETF tomorrow
... we have some Web Commerce IG use cases.
... a Web Payments Working Group deliverable might be
(out-of-browser) data model for payment requests
... side comment - in the Interledger CG we do proofs of
concepts; we have an ILP meetup tomorrow evening nearby
Michael: I have also been doing some voice input research
<AdrianHB> Anyone interested in joining the Interledger CG on Thursday night: https://interledger.org/sanfrancisco
<AdrianHB> We'll have some coaches from here to the venue around 17:45
Michael: Also looking at robotics
DSR: monetization models may
vary
... there's a commercial aspect that is larger than payment
itself
Michael: Secure metering
... I am paying for something but want to be sure I am
measuring it reliably (e.g., paying for electricity)
... so the issue is to ensure that you are paying for the right
thing
... Our first priority is auth and security; payments is down
the road
<kaz> preesent+ Jason_Dominicak(inAuth;Amex), Tatsuhiko_Hirata(Hitachi), Keisuke_Minami(Toshiba), Kunihiko_Toumura(Hitachi), Michael_Koster(SmartThings), Magnus_Gunnarsson(Mitsubishi_Electric), Shinjiro_Urata(ACCESS), Kimberly_Garcia(Siemens), Uday_Davuluru(Lemonbeat), Dongwoo_Im(Samsung), Geunhyung_Kim(Dong_Eui_University), Mark_Foltz(Google), Ian_Jacobs(W3C)