McCool: last week we canceled the
call
... to finalize the Proposed REC transition
... for today
... planning to have the main call this week as well
... what about the Security calls?
... maybe we can have a call on Jan 6, and cancel the meeting
on Jan 13?
Elena: will do my best to join the call on Jan 6
McCool: ok, let's have the next
meeting on Jan. 6 then
... possible cancellation on Jan 13
... no meetings on Dec 23 or Dec 30
Oliver: will be not available on Jan 6...
McCool: ok
... in that case...
... no meetings: Dec 23, Dec 30
... tentative Jan 6, Jan 13
McCool: charter finalization
... not an actual security meeting
... we still need to discuss IETF Anima
... would accept the minutes
... objections?
(none)
McCool: accept the minutes then
Elena: discussed the lifecycle
... first discussed Oracle's model
... Lagally presented Oracle's documentation
... it's a lifecycle of IoT devices from cloud viewpoint
... then OneM2M model and OCF model
... need to read the OCF spec more in detail
McCool: Oracle is taking cloud
management approach
... specific to automatic onboarding
... we should look into generic onboarding as well
... including establishment of trust
... Oracle is interested in how to manage devices for large
scale
... we need to work on use cases
Elena: there was discussion we would need to work on use cases during the Architecture call
McCool: each company has some
specific use case in mind
... according to the schedule, we have use cases as the first
priority
Elena: Architecture call could happen on 19th this week
McCool: ok
... we should have use case discussion as well
... OCF, oneM2M and LwM2M as the primary contenders
... oneM2M is based on LwM2M?
... the lifecycle is included in the Architecture now?
Elena: not really sure if it's good to move the content now
McCool: we can wait for a while so
that the Architecture content can be cleaned up
... probably should keep the content on the Security/Privacy
guideline now
... PRs and Issues to cleaning up before yearend
Elena: the goal is described here
McCool: 3 things here
... establishing the trust
... key materials
... provisioning access
... may involve installing other devices
... generate tokens, etc.
Elena: we need to understand how to deal with that
McCool: would capture the point here
(within the comment for PR 150)
... need to specify goals before datailed proceses
... need to establish trust, need to provision secretes, need
to configure authorizations
... setup/onboarding/provisioning may invoke more than the
device itself
... apparently the last point is also being discussed in
architecture
Oliver: wonder whether trust is symmetric or asymmetric
McCool: probably depends on use cases
Elena: don't think we can prescribe it
McCool: some use cases may require mutual trust and some don't
Kaz: we might want to look into verifiable credentials as well
McCool: ok
McCool: (adds a section for "Future
topics" on the Security agenda wiki)
... Lifecycle and Onboarding
... Look at Verifiable Claims; VCWG is closed but people are in
DID-WG now
... Trust establishment: use case analysis
Oliver: maybe bootstrapping for establishing trust?
McCool: terminology varies
... we need to research related ecosystems
... OCF bootstrapping: correspondence with lifecycle,
provisioning, etc.
... and Discovery: privacy preservation
... what a privacy-sensitive situation would be?
... those would be topics for the future
McCool: then would clean up the
agenda wiki
... "Key Dates" section is out-dated
... also should update the "External Review" section
... possible reviewers: Terri Oda, Valerie Fenwick, Sven
Shrecker, Mike West/Daniel Vedtz, DISS participants
... (remove obsolete "Key Dates" section, and mention "See new
WG charter")
McCool: (adds a comment to Issue
151)
... Terminology use for various stakeholders need to be made
consistent between the Arch and Security Document. Use cases
also need to define stakeholders, and use cases should be in
architecture... so maybe all stakeholder defns should move to
architecture?
McCool: currently we use ISO
definition for Privacy
... but think it's a bit weak, since it refers to "private
information" which seems circular
... maybe there is a deeper ISO definition, e.g., of "private,
that we can refer to
... we should investigate further
[adjourned]