<kaz> scribenick: Oliver
<McCool> https://www.w3.org/2020/03/23-wot-sec-minutes.html
Minutes from 2020-03-23 were reviewed and accepted as okay (modulo some typos)
<kaz> [typos fixed]
Elena's updated lifecycle diagram
Elena presented proposal for Thing lifecycle with a focus on lifecycle stages
Original proposal allows a good mapping to IETF Anima
Having a dedicated block "Bootstrapping/Onboarding" rather than an arrow-only seems a good improvement
Mappings against IETF Anima should also consider https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-38#section-2.1
Lifecycle as illustrated in slides "Bootstrapping IoT Security - The IETF Anima and OPC-UA Recipes" has its backing in work from IRTF T2TRG (was also mapped with some Operational Technology)
Manufacturer keys/credentials shall be distinguished from site keys/credentials
The former are regarded optional. The latter may incarnate multiply (per application domain)
3 families of keys/credentials can play a role: manufacturer key/credential (0..1 per Thing), site key/credential (0..1 per Thing), application keys/credentials (0/1..n per Thing)
Manufacturer keys/credentials are supplied (if supplied) in the manufacturing phase
Site keys/credentials are supplied (if supplied) in the bootstrapping/onboarding phase
Application keys/credentials are supplied in the bootstrapping/onboarding and/or maintenance phases (depending on the maintenance mode)
Manufacturer keys/credentials can contain what the manufacturer knows (production date/location...); issuance under manufacturer control
Site keys/credentials can also contain what the user/operator knows about the Thing (independent from an application domain); issuance under site-control
Application keys/credentials can also contain what an application domain expects to find (e.g. DNS name in SubjectAltName); issuance under site-control
<kaz> PR 164
PR 164 needs an editorial update. Cannot be done in the GitHub Web UI. Needs to be followed up...
Progress made in lifecycle discussion esp. regarding its states and to-be-distinguished keys/credentials
<kaz> [adjourned]