Meeting minutes
Minutes: approved
Issues
Discovery
McCool: we were planning to make onboarding out of scope, but it seems we need it
… for example, hubs talking with devices
… any thoughts?
Jiye: not looked at it yet
… will see it after this call
McCool: (adds comments)
… disallow self-description under plain HTTP
… (would essentially disallow it on LANs unless some other mechanism, not described in the profile or discovery specs, was used to assign certs to devices)
… this basically converts the SHOULD in the Discovery spec to a MUST.
… in practice, it means an on-boarding process needs to be used but is not...
Jiye: browsers may reject the self-signed certs. right?
McCool: yeah
… (modifies the comments a bit)
… on a LAN, raw public keys should be used in place of certs to set up HTTPS
Jiye: based on the connection between the server and the client
… need to check, though
McCool: ok
Jiye: we can check the pre-shared key
McCool: we can check the HTTPS spec
Jiye: please share the resource too
McCool: need to check later
… possibly empty cert can be used
<jiye> https://
Jiye: looking at RFC5246
McCool: (goes through the RFC 5246)
<jiye> https://
<jiye> (RSA_PSK cipher suites from the RFC, listed as: cipher suite / key exchange / cipher / MAC)
<jiye> TLS_RSA_PSK_WITH_RC4_128_SHA / RSA_PSK / RC4_128 / SHA
<jiye> TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA / RSA_PSK / 3DES_EDE_CBC / SHA
<jiye> TLS_RSA_PSK_WITH_AES_128_CBC_SHA / RSA_PSK / AES_128_CBC / SHA
<jiye> TLS_RSA_PSK_WITH_AES_256_CBC_SHA / RSA_PSK / AES_256_CBC / SHA
Jiye: another RFC (4279) about PSK Ciphersuites for TLS
… can be used with TLS 1.2
McCool: (updates the comments based on the discussion)
… not essential to define an onboarding process in Profiles (due to time limitation)
… but let's take care of the basics before even considering whether we should do so
… (copy part of the comments to wot-discovery issue 254)
wot-discovery issue 254 - Review Security and Privacy Considerations
McCool: on a LAN, recommend that pre-shared keys be used in place of certs
… see RFC4279 for cipher suites that can be used with TLS 1.2.
… see linked issue #263 for discussion
… The other mitigation is to NOT support self-discovery if security cannot be established.
… note that passwords, etc., still need to be used since different passwords/tokens/etc. may provide different access levels to different users.
… the PSK should not be the only access control.
… in particular, do not use 'nosec' even with PSK.
… Also, the PSK should be unique to the device pair and not used for any other purpose.
… if the PSK is derived from the id of the Thing (or encodes it somehow).
… the PSK may be derived from internal device identity but this is separate from the "id" used in the Thing.
… the Thing should NOT be revealing its internal identity
… however, we do need a separate recommendation somewhere (profile? or TD?)
<McCool> https://
<McCool> please comment on this issue for followup
McCool: would start with generating a PR for wot-discovery
<McCool> PR 264 - Update Security and Privacy Considerations
McCool: will add you to reviewers
Jiye: ok
[adjourned]