**Session Date/Time:** 03 Apr 2025 15:00

# [T2TRG](../wg/t2trg.html)

## Summary

The T2TRG interim meeting focused on a range of security-related topics relevant to the Internet of Things (IoT). Discussions covered architectural approaches for more resilient and evolvable smart home devices, a review of recent security-focused IETF working group activities, efforts to standardize terminology for IoT device initial setup, a taxonomy for trust anchor management in the supply chain, and the challenges of secure time validation for intermittently connected IoT devices. The session highlighted ongoing research, progress on existing drafts, and identified areas for future work and community engagement.

## Key Discussion Points

* **Evolvability and Resilience in Smart Home IoT:**
  * Karolina presented research on making smart home IoT systems truly "smart" by focusing on security, resilience, and evolvability.
  * The current model (devices talking to a cloud server) is prone to flakiness, and tightly coupled hardware and software hinder evolution.
  * She proposed a decentralized architecture using WebAssembly (Wasm) containers on embedded devices (e.g., ESP32) to host independent software chunks, connected via message channels. This allows dynamic code placement, independent evolution, and improved resilience, since services can be restored after failures.
  * Discussion confirmed the relevance of Wasm for T2TRG's future, with comparisons to early mobile code efforts and the role of languages like Rust. Challenges with Wasm runtimes optimized for larger ARM processors when run on smaller RTOS-based devices like the ESP32 were noted.
  * The CoAP state transfer model was suggested as a relevant theoretical background for the message channels.
* **IETF 122 Security Discussions Overview:**
  * Carsten provided an overview of selected IETF 122 working groups through the lens of "players, objectives, and beliefs."
  * **SCONE (Trone protocol):** A protocol for endpoints to query network path properties (e.g., rate limits) using unprotected information coalesced with protected QUIC packets. The implicit trust in network elements (which already control the data path) was a key belief.
  * **NASR (BoF):** Discussed an architecture for ensuring packets follow paths that meet specific security objectives, relying on router attestation and path evidence collection.
  * **Selective Disclosure:** Explored protocols (OAuth for JSON, SPICE for CBOR) that allow a credential holder to selectively redact claims from an issuer's signed statement before presenting it to a verifier, raising cryptographic challenges such as linkability.
  * **SCITT (Supply Chain Integrity, Transparency, and Trust):** Focused on the broad problem of supply chain integrity for artifacts, introducing a "Transparency Server" as a new player that maintains an append-only log of registrations and issues receipts.
  * The framework of "players, objectives, beliefs" was encouraged for T2TRG research.
* **Terminology for IoT Device Initial Security Setup:**
  * Mohit gave an update on the draft that aims to standardize terminology (bootstrapping, onboarding, provisioning, enrollment, commissioning) for IoT device setup across various protocols (IETF and external).
  * The draft compares initial assumptions (e.g., manufacturer-installed certificates), post-protocol device state, and the roles of "players" (e.g., device manufacturer, owner, end user, network administrator) rather than just protocol endpoints.
  * Recent updates include providing context for how terms are used within specific standards and refining the identification of player roles and requirements.
* **Taxonomy on Trust Anchors:**
  * Michael Richardson presented an update on the draft, motivated by the need for auditors to assess manufacturer practices regarding private key management in the IoT supply chain.
  * The document proposes normative descriptions for the various methods of private key generation and secure element usage (e.g., device-generated, factory-generated, pre-loaded seed, secure element).
  * The goal is to provide a common terminology for public audit reports, aiding transparency and trust in the different parts of the supply chain.
  * Discussion touched on the historical challenges of auditing opaque supply chain processes and the need for public visibility into redundancy levels (e.g., PKI root key shares).
* **Validating Token Expiry on an Unbound Local Time Interval ("Rate Time"):**
  * Christian Amsuss introduced the "Rate Time" problem: securing IoT devices that are intermittently powered and lack both a reliable clock and real-time connectivity to a trusted time source (e.g., deep underground or in remote locations).
  * The dilemma is choosing between failing safe (requiring a round trip for time sync, which halts operation) and tolerating expired tokens, with the security consequences that entails. No existing literature fully addresses this.
  * The document explores alternatives (GPS, certificate revocation) and explains the trade-offs. It also raises questions about practical implementation within the ACE framework.
  * Discussion highlighted the "change the problem" approach, relaxing objectives, and considering deployment economics. The importance of backup strategies and handling exceptions in real-world systems was emphasized, drawing parallels to cloud HSM solutions and the market impact of services like Let's Encrypt. The applicability of 3GPP networks as a timing source was considered, but the focus remains on truly offline scenarios.

## Decisions and Action Items

* **Mohit's "Terminology and processes for initial security setup of IoT devices" draft:**
  * **ACTION:** Attendees are encouraged to review the latest version of the draft, paying close attention to the protocol descriptions and how terms and players are defined.
  * **ACTION:** Chairs to facilitate outreach to specific organizations/people for expert review of non-IETF protocols.
  * **DECISION:** A design team meeting will be scheduled to help progress the draft text. Michael Richardson volunteered to assist.
* **Michael Richardson's "Taxonomy on Trust Anchors" draft:**
  * **ACTION:** Discussion on the naming of private key generation methods (e.g., whimsical names vs. Method A/B/C) will be continued on the T2TRG mailing list. This discussion is encouraged to happen before the Madrid meeting.
* **Christian Amsuss's "Rate Time" draft:**
  * **ACTION:** Attendees are invited to provide input on the document's progression, suggest background references, or offer contributions via the T2TRG mailing list.

## Next Steps

* **Mailing List Activity:** Active discussion is encouraged on the T2TRG mailing list for the review of Mohit's draft, the naming conventions in Michael Richardson's draft, and further input on Christian Amsuss's "Rate Time" draft.
* **Interim Meeting:** One more online interim meeting is planned before summer, potentially focusing on data modeling topics.
* **IETF 123 Madrid:** Many participants are anticipated at the face-to-face meeting in Madrid (IETF 123), which is planned as a more summary, higher-level meeting, but will also include deeper dives into ongoing work, such as Karolina's research.
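The selective disclosure item above describes the mechanism only in one sentence. The following is an added toy illustration (not code from the meeting, from SPICE or from the OAuth working group's documents): the issuer signs only salted hashes of the claims, the holder reveals a subset of the (salt, name, value) disclosures, and the verifier admits a claim only if its disclosure hashes to a digest the issuer signed. It assumes HMAC-SHA256 as a stand-in for the issuer's real signature (so the verifier here holds the issuer key), and plain JSON encoding rather than the real SD-JWT/SD-CWT formats; the claim values are constructed.

```python
"""Toy hash-based selective disclosure (added example, constructed data).
HMAC stands in for the issuer signature; encoding is plain JSON, not SD-JWT/SD-CWT."""
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, List, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def digest_of(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def issue(claims: Dict[str, object], issuer_key: bytes) -> Tuple[dict, Dict[str, str]]:
    """Issuer side: sign a list of salted claim digests; hand the holder the
    disclosures that open those digests."""
    disclosures: Dict[str, str] = {}
    digests: List[str] = []
    for name, value in claims.items():
        salt = b64url(os.urandom(16))  # fresh salt per claim, so digests cannot be guessed
        disclosure = json.dumps([salt, name, value], separators=(",", ":"))
        disclosures[name] = disclosure
        digests.append(digest_of(disclosure))
    # Sorted so the digest list reveals nothing about claim order.
    payload = json.dumps({"_sd": sorted(digests)}, separators=(",", ":"))
    signature = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": signature}, disclosures


def present(signed: dict, disclosures: Dict[str, str],
            reveal: List[str]) -> Tuple[dict, List[str]]:
    """Holder side: forward the issuer's statement untouched plus only the chosen
    disclosures; redacted claims stay hidden behind their salted digests."""
    return signed, [disclosures[name] for name in reveal]


def verify(signed: dict, presented: List[str], issuer_key: bytes) -> Dict[str, object]:
    """Verifier side: check the issuer signature, then accept a claim only if its
    disclosure hashes to one of the signed digests."""
    expected = hmac.new(issuer_key, signed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("issuer signature check failed")
    covered = set(json.loads(signed["payload"])["_sd"])
    claims: Dict[str, object] = {}
    for disclosure in presented:
        if digest_of(disclosure) not in covered:
            raise ValueError("disclosure not covered by the issuer's signature")
        _salt, name, value = json.loads(disclosure)
        claims[name] = value
    return claims


def demo() -> Dict[str, object]:
    """Constructed end-to-end run: three claims issued, one revealed."""
    key = b"constructed-issuer-key"
    signed, disclosures = issue({"name": "Alice", "dob": "1990-01-01", "over_18": True}, key)
    signed_p, revealed = present(signed, disclosures, ["over_18"])
    return verify(signed_p, revealed, key)


if __name__ == "__main__":
    print(demo())
```

The linkability challenge mentioned in the meeting is visible in this toy: the signed payload with its digest list is byte-identical in every presentation, so two verifiers can correlate them even when different claims are revealed; the real protocols address this with unlinkable presentations, which this example does not attempt.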
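To make the "Rate Time" dilemma concrete, here is an added example (not code from the meeting or from the draft) of what a device can and cannot conclude about a token's expiry when it learned wall-clock time only at its last trusted sync, counts powered-on seconds afterwards, and has since been powered off for unknown periods. It assumes the device keeps `last_sync`, `uptime_since_sync` and a power-cycle counter in non-volatile storage, ignores oscillator drift, and treats `assumed_max_gap` as a deployment belief rather than something the device can check; all timestamps are constructed.

```python
"""Token expiry under an unbound local time interval (added example, constructed data).
The device knows only a LOWER bound on the current time: sync time plus powered-on
seconds. Each power-off gap adds an unknown amount, so exact validity is undecidable
offline once a gap has occurred."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Verdict(Enum):
    ACCEPT = "accept"            # unexpired, provably or under the tolerant policy
    REJECT_EXPIRED = "expired"   # expired even at the earliest possible current time
    NEED_SYNC = "need_sync"      # undecidable offline: fail safe, fetch trusted time


@dataclass
class LocalClock:
    last_sync: Optional[int]   # trusted wall-clock seconds obtained at the last sync
    uptime_since_sync: int     # powered-on seconds counted since that sync
    power_cycles: int          # power-off gaps since that sync, each of unknown length

    def lower_bound(self) -> Optional[int]:
        """Earliest the current time can be; off-time gaps only add to it."""
        if self.last_sync is None:
            return None
        return self.last_sync + self.uptime_since_sync


def check_expiry(exp: int, clock: LocalClock, tolerate_gaps: bool = False,
                 assumed_max_gap: int = 0) -> Verdict:
    """Decide on a token's `exp` (seconds) with the information the device has."""
    lb = clock.lower_bound()
    if lb is None:
        return Verdict.NEED_SYNC           # never synced: no bound at all
    if lb >= exp:
        return Verdict.REJECT_EXPIRED      # certain, whatever the gaps were
    if clock.power_cycles == 0:
        return Verdict.ACCEPT              # no unbounded interval: lb is the real time
    if not tolerate_gaps:
        return Verdict.NEED_SYNC           # fail-safe policy: round trip required
    # Tolerant policy ("change the problem"): believe each gap lasted at most
    # assumed_max_gap seconds, which turns the unbounded interval into a bounded one.
    if lb + clock.power_cycles * assumed_max_gap < exp:
        return Verdict.ACCEPT
    return Verdict.NEED_SYNC


def demo() -> Dict[str, Verdict]:
    """Constructed cases: synced at t=1000, powered on 500 s since, token expires 2000."""
    no_gaps = LocalClock(last_sync=1000, uptime_since_sync=500, power_cycles=0)
    two_gaps = LocalClock(last_sync=1000, uptime_since_sync=500, power_cycles=2)
    never = LocalClock(last_sync=None, uptime_since_sync=500, power_cycles=0)
    return {
        "no_gaps_valid": check_expiry(2000, no_gaps),
        "no_gaps_expired": check_expiry(1200, no_gaps),
        "gaps_fail_safe": check_expiry(2000, two_gaps, tolerate_gaps=False),
        "gaps_tolerant_small": check_expiry(2000, two_gaps, True, assumed_max_gap=100),
        "gaps_tolerant_large": check_expiry(2000, two_gaps, True, assumed_max_gap=300),
        "never_synced": check_expiry(2000, never),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {verdict.value}")
```

The three verdicts map onto the meeting's framing: `REJECT_EXPIRED` is the one conclusion the device can always reach on its own, `NEED_SYNC` is the fail-safe branch that costs a round trip, and `ACCEPT` after a power cycle exists only under the tolerant policy, whose safety rests entirely on the `assumed_max_gap` belief being right for the deployment.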