Session Date/Time: 08 Nov 2022 13:00
iotops
Summary
This iotops session at IETF 115 in London covered several topics, including device onboarding using SCIM, a draft on baseline security requirements, a new approach to authorization using Power of Attorney (POA), and an attestation-based TLS handshake. The session concluded with a discussion about adopting two drafts from the lwig working group.
Key Discussion Points
- SCIM for Devices (Elliot):
  - Presented a draft extending SCIM for device onboarding and provisioning.
  - Addresses provisioning new devices, establishing bootstrapping credentials, and handling ancillary information and API endpoints.
  - Open for discussion in the SCIM working group, with co-authors, reviewers, and implementers needed.
  - Raised concerns about reverse authentication flows compared to typical user provisioning and the need for cross-working-group collaboration.
- Baseline Security Requirements (Brendan):
  - Presented a draft mapping baseline security requirements from sources like NIST and ENISA to IETF technologies.
  - Seeks to provide a "landing pad" for information on building secure IoT solutions.
  - Looking for contributors to map additional security requirements documents.
  - A call for adoption as an iotops document was discussed, with an in-room assessment showing support.
  - Discussion included gaps in the current mapping, particularly concerning onboarding guidance.
- Power of Attorney (POA) for Authorization (Ulo & Ss3):
  - Introduced a POA-based authorization mechanism for delegating authority, particularly in onboarding scenarios.
  - Use case focused on subcontractor onboarding in industrial environments.
  - Utilizes JWTs to represent POAs and supports multi-level sub-granting.
  - Discussion focused on differentiation from OAuth, potential overlap with the SCITT working group, and revocation strategies.
  - Suggestions included considering FIDO Device Onboarding and potentially reframing the concept as an access control mechanism rather than onboarding.
- Attestation-Based TLS Handshake (Hannes):
  - Presented an attestation-based TLS handshake using platform and key attestation tokens.
  - Focuses on verifying the integrity of the device's software before establishing a secure channel.
  - Uses a new TLS extension to negotiate the attestation technology and pass nonces.
  - Prototyping efforts are sponsored by the Confidential Computing Consortium.
  - Discussion covered the ephemeral nature of the identity key, the frequency of attestation, and the possibility of attesting the server to the client.
- lwig Working Group Drafts (Carsten):
  - Proposed transferring two active drafts from the lwig working group (which is winding down) to iotops.
  - Drafts cover terminology for constrained node networks (7228bis) and a comparison of security protocols.
  - An in-room assessment indicated support for adopting the terminology document within the iotops scope.
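The Power of Attorney item above describes POAs carried as JWTs with multi-level sub-granting and raises revocation as an open question. The following is an added illustration, not code from the draft or from the session: a verifier for a root-to-leaf chain of POA tokens in which each link must be issued by the previous grantee, may only narrow the inherited scope, and is rejected if expired or revoked. The claim names (`iss`, `sub`, `scope`, `jti`, `exp`), the chain layout, the principal names and the fixed clock are this example's own constructions; HS256 with a verifier-side key directory stands in for the asymmetric signatures a real deployment would use so that it runs with the standard library alone.

```python
"""Toy JWT-shaped power-of-attorney (POA) chain verifier (constructed example).

Claim names, chain layout and the "a sub-grant may only narrow scope" rule are
this example's own conventions, not the draft's encoding. HS256 with a
verifier-side key directory stands in for asymmetric signatures.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key directory: principal -> HMAC key (stand-in for public keys).
KEYS = {
    "plant-owner": b"plant-owner-demo-key",
    "integrator": b"integrator-demo-key",
    "subcontractor": b"subcontractor-demo-key",
}
TRUST_ROOT = "plant-owner"  # the only principal allowed to issue a root POA


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_poa(issuer, subject, scope, jti, exp):
    """`issuer` grants `subject` the permissions in `scope` until `exp` (epoch seconds)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "iss": issuer, "sub": subject, "scope": sorted(scope), "jti": jti, "exp": exp,
    }).encode())
    sig = hmac.new(KEYS[issuer], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_token(token, now, revoked):
    """Check alg, signature, expiry and revocation of one POA; return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_b64))
    key = KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["jti"] in revoked:  # revoking any link invalidates every chain built on it
        raise ValueError("revoked")
    return claims


def verify_chain(chain, now=None, revoked=frozenset()):
    """Walk a root-to-leaf POA chain; return (final holder, effective scope)."""
    now = time.time() if now is None else now
    if not chain:
        raise ValueError("empty chain")
    holder, allowed = TRUST_ROOT, None
    for token in chain:
        claims = _verify_token(token, now, revoked)
        if claims["iss"] != holder:  # each link must be issued by the previous grantee
            raise ValueError(f"link issued by {claims['iss']}, expected {holder}")
        scope = set(claims["scope"])
        if allowed is not None and not scope <= allowed:
            raise ValueError("sub-grant exceeds parent scope")
        holder, allowed = claims["sub"], scope
    return holder, allowed


def check_chain(chain, now=None, revoked=frozenset()):
    """Non-raising wrapper: (True, (holder, scope)) or (False, reason)."""
    try:
        return True, verify_chain(chain, now, revoked)
    except ValueError as err:
        return False, str(err)


# Constructed sample chain with a fixed clock so the demo is deterministic.
NOW = 1_667_914_000
ROOT = issue_poa("plant-owner", "integrator", {"onboard:plc", "onboard:sensor"}, "poa-1", NOW + 86400)
SUB = issue_poa("integrator", "subcontractor", {"onboard:sensor"}, "poa-2", NOW + 3600)
TOO_BROAD = issue_poa("integrator", "subcontractor", {"onboard:sensor", "firmware:write"}, "poa-3", NOW + 3600)
TAMPERED = SUB[:-4] + "AAAA"  # corrupt the signature bytes

if __name__ == "__main__":
    print("valid chain    :", check_chain([ROOT, SUB], NOW))
    print("widened scope  :", check_chain([ROOT, TOO_BROAD], NOW))
    print("no root link   :", check_chain([SUB], NOW))
    print("root revoked   :", check_chain([ROOT, SUB], NOW, revoked={"poa-1"}))
    print("sub-POA expired:", check_chain([ROOT, SUB], NOW + 7200))
    print("tampered       :", check_chain([ROOT, TAMPERED], NOW))
```

Two design points matter for the discussion recorded above: the scope-narrowing check is what makes sub-granting safe to allow at arbitrary depth, since a subcontractor can never hold more than the integrator was given; and because every link is checked against the revocation set, revoking the root POA cuts off the whole chain at once, which is one of the revocation strategies a JWT-based design can offer without per-device state.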
Decisions and Action Items
- Brendan's Draft: A formal working group adoption call will be made on the mailing list for the "Baseline Security Requirements" draft.
- lwig Drafts: iotops will take the next steps to determine with the IESG and the relevant ADs whether adoption of the "Terminology for Constrained Node Networks (7228bis)" draft is possible.
Next Steps
- SCIM for Devices: Elliot will follow up with the SCIM working group and continue to provide updates to iotops.
- Baseline Security Requirements: Hold a formal adoption call on the mailing list.
- Power of Attorney: Ulo and Ss3 will explore relevant discussions in the SCITT and OAuth working groups.
- Attestation-Based TLS Handshake: Hannes will continue developing the prototype and documentation, taking feedback into account.
- lwig Drafts: Chairs will discuss the potential adoption of the lwig drafts with the relevant ADs.