**Session Date/Time:** 08 Nov 2022 13:00

# iotops

## Summary

This iotops session at IETF 115 in London covered several topics: device onboarding using SCIM, a draft on baseline security requirements, a new approach to authorization using Power of Attorney (POA), and an attestation-based TLS handshake. The session concluded with a discussion about adopting two drafts from the lwig working group.

## Key Discussion Points

* **SCIM for Devices (Elliot):**
  * Presented a draft extending SCIM for device onboarding and provisioning.
  * Addresses provisioning new devices, establishing bootstrapping credentials, and handling ancillary information and API endpoints.
  * Open for discussion in the SCIM working group; co-authors, reviewers, and implementers are needed.
  * Raised concerns that the authentication flow runs in the reverse direction compared to typical user provisioning, and about the need for cross-working-group collaboration.
* **Baseline Security Requirements (Brendan):**
  * Presented a draft mapping baseline security requirements from sources such as NIST and ENISA to IETF technologies.
  * Seeks to provide a "landing pad" for information on building secure IoT solutions.
  * Looking for contributors to map additional security requirements documents.
  * A call for adoption as an iotops document was discussed; an in-room assessment showed support.
  * Discussion included gaps in the current mapping, particularly around onboarding guidance.
* **Power of Attorney (POA) for Authorization (Ulo & Ss3):**
  * Introduced a POA-based authorization mechanism for delegating authority, particularly in onboarding scenarios.
  * Use case focused on subcontractor onboarding in industrial environments.
  * Uses JWTs to represent POAs and supports multi-level sub-granting.
  * Discussion focused on how this differs from OAuth, potential overlap with the SCITT working group, and revocation strategies.
  * Suggestions included considering FIDO Device Onboarding and possibly reframing the concept as an access control mechanism rather than an onboarding one.
* **Attestation-Based TLS Handshake (Hannes):**
  * Presented an attestation-based TLS handshake using platform and key attestation tokens.
  * Focuses on verifying the integrity of the device's software before establishing a secure channel.
  * Uses a new TLS extension to negotiate the attestation technology and pass nonces.
  * Prototyping efforts are sponsored by the Confidential Computing Consortium.
  * Discussion covered the ephemeral nature of the identity key, how often attestation should be performed, and the possibility of attesting the server to the client.
* **lwig Working Group Drafts (Carsten):**
  * Proposed transferring two active drafts from the lwig working group (which is winding down) to iotops.
  * The drafts cover terminology for constrained node networks (7228bis) and a comparison of security protocols.
  * An in-room assessment indicated support for adopting the terminology document within the iotops scope.

## Decisions and Action Items

* **Brendan's Draft:** A formal working group adoption call will be made on the mailing list for the "Baseline Security Requirements" draft.
* **lwig Drafts:** iotops will take the next steps to determine with the IESG and the relevant ADs whether adoption of the "Terminology for Constrained Node Networks (7228bis)" draft is possible.

## Next Steps

* **SCIM for Devices:** Elliot will follow up with the SCIM working group and continue to provide updates to iotops.
* **Baseline Security Requirements:** Hold a formal adoption call on the mailing list.
* **Power of Attorney:** Ulo and Ss3 will explore relevant discussions in the SCITT and OAuth working groups.
* **Attestation-Based TLS Handshake:** Hannes will continue developing the prototype and documentation, taking feedback into account.
* **lwig Drafts:** Chairs will discuss the potential adoption of the lwig drafts with the relevant ADs.
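The POA discussion above turned on two properties of a JWT-based delegation chain: each sub-grant may only narrow what its parent allowed, and any link in the chain must be revocable. The following added example (not from the presented draft and not its token format; the claim names `scope`, `parent` and the HMAC keys are constructed for illustration) shows how a verifier walks such a chain from the root grant outward, checking signature, issuer continuity, expiry, scope narrowing, binding to the parent token and a revocation list. It uses only the Python standard library; a real deployment would use per-party asymmetric keys rather than the shared HMAC secrets used here.

```python
"""Added example: verifying a multi-level Power-of-Attorney delegation chain.

Constructed for illustration; not the format of any IETF draft.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _compact(obj) -> bytes:
    # Canonical JSON so the same claims always serialize identically.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def token_id(token: str) -> str:
    # SHA-256 of the compact token: used both to bind a sub-grant to its
    # parent and as the handle a revocation list refers to.
    return hashlib.sha256(token.encode()).hexdigest()


def sign_poa(key: bytes, iss: str, sub: str, scope, exp: int, parent=None) -> str:
    """Issue a POA token (HS256 JWS) from `iss` to `sub` for `scope`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": iss, "sub": sub, "scope": sorted(scope), "exp": exp}
    if parent is not None:
        payload["parent"] = token_id(parent)  # constructed claim name
    signing_input = _b64url(_compact(header)) + "." + _b64url(_compact(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str, key: bytes) -> dict:
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def verify_chain(chain, keys, root_issuer, requested_scope, now, revoked=frozenset()):
    """Walk chain[0] (root grant) .. chain[-1] (the presenting party's grant).

    Returns (True, effective_scope) or (False, reason). Each link must be
    signed by the party the previous link delegated to, be unexpired, not be
    revoked, name its parent, and never broaden the parent's scope.
    """
    if not chain:
        return False, "empty chain"
    expected_issuer = root_issuer
    allowed = None
    prev = None
    for idx, tok in enumerate(chain):
        if token_id(tok) in revoked:
            return False, f"link {idx} revoked"
        key = keys.get(expected_issuer)
        if key is None:
            return False, f"link {idx}: unknown issuer {expected_issuer}"
        try:
            claims = verify_signature(tok, key)
        except ValueError as exc:
            return False, f"link {idx}: {exc}"
        if claims["iss"] != expected_issuer:
            return False, f"link {idx}: issuer mismatch"
        if claims["exp"] <= now:
            return False, f"link {idx} expired"
        scope = set(claims["scope"])
        if allowed is not None and not scope <= allowed:
            return False, f"link {idx} broadens scope"
        if prev is not None and claims.get("parent") != token_id(prev):
            return False, f"link {idx} not bound to parent"
        allowed = scope
        expected_issuer = claims["sub"]
        prev = tok
    if not set(requested_scope) <= allowed:
        return False, "requested scope not granted"
    return True, sorted(allowed)


# Constructed demo data: a plant operator delegates to a contractor, who
# sub-grants a narrower right to a field technician.
NOW = 1_700_000_000
KEYS = {"plant-operator": b"k-operator", "contractor-co": b"k-contractor"}


def build_demo_chain():
    root = sign_poa(KEYS["plant-operator"], "plant-operator", "contractor-co",
                    {"read:telemetry", "onboard:device"}, NOW + 3600)
    sub = sign_poa(KEYS["contractor-co"], "contractor-co", "field-tech",
                   {"onboard:device"}, NOW + 600, parent=root)
    return [root, sub]


def build_overbroad_chain():
    root = build_demo_chain()[0]
    sub = sign_poa(KEYS["contractor-co"], "contractor-co", "field-tech",
                   {"onboard:device", "admin"}, NOW + 600, parent=root)
    return [root, sub]


if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain, KEYS, "plant-operator", {"onboard:device"}, NOW))
    print(verify_chain(build_overbroad_chain(), KEYS, "plant-operator", {"admin"}, NOW))
    print(verify_chain(chain, KEYS, "plant-operator", {"onboard:device"}, NOW,
                       revoked={token_id(chain[0])}))
```

Revoking the root grant (by its token hash) invalidates every sub-grant beneath it without touching the sub-grants themselves, which is the property the revocation discussion in the session was after; the trade-off is that the verifier needs a current revocation list, whereas short `exp` values bound the damage even when it does not.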