W3C

- DRAFT -

WoT Security

30 Mar 2020

Attendees

Present
Kaz_Ashimura, Michael_McCool, Elena_Reshetova, Oliver_Pfaff, Tomoaki_Mizushima
Regrets
Chair
McCool
Scribe
Oliver

Contents

<kaz> scribenick: Oliver

Previous minutes

<McCool> https://www.w3.org/2020/03/23-wot-sec-minutes.html

Minutes from 2020-03-23 were reviewed and accepted as okay (modulo some typos)

<kaz> [typos fixed]

Lifecycle - Anima mapping

Elena's updated lifecycle diagram

Elena presented proposal for Thing lifecycle with a focus on lifecycle stages

Original proposal allows a good mapping to IETF Anima

Having a dedicated block "Bootstrapping/Onboarding" rather than an arrow-onyl seems a good improvement

Mappings against IETF Anima should also consider https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-38#section-2.1

Lifecycle as illustrated in slides "Bootstrapping IoT Security - The IETF Anima and OPC-UA Recipes" have their backing in work from IRTF T2TRG (was also mapped with some Operational Technology)

Manufacturer keys/credentials shall be distinguished from site keys/credentials

The former are regarded optional. The latter may incarnate multiply (per application domain)

3 families of keys/credentials can play a role: manufacturer key/credential (0..1 per Thing), site key/credential (0..1 per Thing), application keys/credentials (0/1..n per Thing)

Manufacturer keys/credentials are supplied (if supplied) in the manufacturing phase

Site key/credentals are supplied (if supplied) in the bootstrapping/onboarding phase

Application keys/credentials are supplied in the bootstrapping/onboarding and/or maintenance phases (depending on the maintenance mode)

Manufacturer keys/credentials can contain what the manufacturer knows (production date/location...); issuance under manufacturer control

Site keys/credentials can also contain what the user/operator knows about the Thing (independent from an application domain); issuance under site-control

Application keys/credentials can also contain what an appliaction domain expects to find (e.g. DNS name in SubjectAltName); issuance under site-control

PRs

<kaz> PR 164

PR 164 needs an editorial update. Can not be done in the GitHub Web UI. Needs to be followed-up...

Progress made in lifecycle discussion esp. regarding its states and to-be-distinguished keys/credentials

<kaz> [adjourned]

Summary of Action Items

Summary of Resolutions

[End of minutes]
Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2020/04/06 12:09:42 $