WoT Security

16 Dec 2019


Kaz_Ashimura, Michael_McCool, Elena_Reshetova, Oliver_Pfaff



McCool: last week we canceled the call
... to finalize the Proposed REC transition
... for today
... planning to have the main call this week as well
... what about the Security calls?
... maybe we can have a call on Jan 6, and cancel the meeting on Jan 13?

Elena: will do my best to join the call on Jan 6

McCool: ok, let's have the next meeting on Jan. 6 then
... possible cancellation on Jan 13
... no meetings on Dec 23 or Dec 30

Oliver: will be not available on Jan 6...

McCool: ok
... in that case...
... no meetings: Dec 23, Dec 30
... tentative Jan 6, Jan 13

Minutes review

Nov-18 minutes

McCool: charter finalization
... not an actual security meeting
... we still need to discuss IETF Anima
... would accept the minutes
... objections?


McCool: accept the minutes then

Review of Lifecycle/Onboarding in Architecture

Elena: discussed the lifecycle
... first discussed Oracle's model
... Lagally presented Oracle's documentation
... it's a lifecycle of IoT devices from cloud viewpoint
... then OneM2M model and OCF model
... need to read the OCF spec more in detail

Dec-12 Architecture minutes

McCool: Oracle is taking cloud management approach
... specific to automatic onboarding
... we should look into generic onboarding as well
... including establishment of trust
... Oracle is interested in how to manage devices for large scale
... we need to work on use cases

Elena: there was discussion we would need to work on use cases during the Architecture call

McCool: each company has some specific use case in mind
... according to the schedule, we have use cases as the first priority

Elena: Architecture call could happen on 19th this week

McCool: ok
... we should have use case discussion as well
... OCF, oneM2M and LwM2M as the primary contenders
... oneM2M is based on LwM2M?
... the lifecycle is included in the Architecture now?

Elena: not really sure if it's good to move the content now

McCool: we can wait for a while so that the Architecture content can be cleaned up
... probably should keep the content on the Security/Privacy guideline now
... PRs and Issues to cleaning up before yearend

PR 150


Elena: the goal is described here

McCool: 3 things here
... establishing the trust
... key materials
... provisioning access
... may involve installing other devices
... generate tokens, etc.

Elena: we need to understand how to deal with that

McCool: would capture the point here (within the comment for PR 150)
... need to specify goals before datailed proceses
... need to establish trust, need to provision secretes, need to configure authorizations
... setup/onboarding/provisioning may invoke more than the device itself
... apparently the last point is also being discussed in architecture

McCool's comment

Oliver: wonder whether trust is symmetric or asymmetric

McCool: probably depends on use cases

Elena: don't think we can prescribe it

McCool: some use cases may require mutual trust and some don't

Kaz: we might want to look into verifiable credentials as well

McCool: ok

Future topics

McCool: (adds a section for "Future topics" on the Security agenda wiki)
... Lifecycle and Onboarding
... Look at Verifiable Claims; VCWG is closed but people are in DID-WG now
... Trust establishment: use case analysis

Oliver: maybe bootstrapping for establishing trust?

McCool: terminology varies
... we need to research related ecosystems
... OCF bootstrapping: correspondence with lifecycle, provisioning, etc.
... and Discovery: privacy preservation
... what a privacy-sensitive situation would be?
... those would be topics for the future

Cleaning up the agenda wiki

McCool: then would clean up the agenda wiki
... "Key Dates" section is out-dated
... also should update the "External Review" section
... possible reviewers: Terri Oda, Valerie Fenwick, Sven Shrecker, Mike West/Daniel Vedtz, DISS participants
... (remove obsolete "Key Dates" section, and mention "See new WG charter")

Issue 151

Issue 151

McCool: (adds a comment to Issue 151)
... Terminology use for various stakeholders need to be made consistent between the Arch and Security Document. Use cases also need to define stakeholders, and use cases should be in architecture... so maybe all stakeholder defns should move to architecture?

McCool's comment

Issue 143

Issue 143

McCool: currently we use ISO definition for Privacy
... but think it's a bit weak, since it refers to "private information" which seems circular
... maybe there is a deeper ISO definition, e.g., of "private, that we can refer to
... we should investigate further


Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2020/01/15 11:41:35 $