Session Date/Time: 31 Mar 2023 03:00
iotops
Summary
The iotops working group meeting covered three presentations: an update on the "NIot device security ability core baseline" draft, a comparison of CoAP security protocols, an "ACME based provisioning of IoT devices" draft and a presentation on "Power of attorney based device boarding". The key discussion points revolved around the structure and scope of the NIot draft, the stability of CoAP security protocols, security concerns related to ACME provisioning on local networks, and the implementation of POA based device onboarding.
Key Discussion Points
- NIot Device Security Core Baseline:
  - Discussion on whether to maintain a single, growing document versus creating individual mapping drafts for each baseline requirement document.
  - Concerns about scalability and manageability of a large, comprehensive document.
  - Consensus to maintain a single document and seek additional authorship for contributions.
  - Agreement to periodically publish a snapshot of the document as an RFC.
- Comparison of CoAP Security Protocols:
  - Focus on message size overhead comparisons for different security protocols (DTLS, TLS, OSCORE, Group OSCORE).
  - Discussion on the stability of C and the impact on the draft's content.
  - Clarification of the document's scope: focusing on security protocol overhead and not lower-layer considerations (TCP/UDP).
  - The addition of numbers related to P as requested.
- ACME-Based Provisioning of IoT Devices:
  - Discussion on network identity and security implications of trusting the local ACME server.
  - Concern about network patient and the potential for man-in-the-middle attacks on compromised devices.
  - Consideration of alternative approaches, such as vendor-provided ACME and dynamic DNS services, and vendor zones.
  - Recognition of the complexity of the problem and the need for collaboration with browser vendors.
- Power of Attorney Based Device Boarding:
  - Clarification of the offline feature of power of attorney.
  - Difference between initial device onboarding and ownership change vouchers.
  - Discussions regarding the relationship between B and EAP onboarding.
  - Consideration of the J talking format for constant devices.
Decisions and Action Items
- NIot Device Security Core Baseline:
  - Keep the current draft as a single document.
  - Chairs to find additional authors to help with the mapping.
  - Plan to periodically publish a snapshot of the document as an RFC.
- Comparison of CoAP Security Protocols:
  - Update numbers based on the latest draft (08).
  - Verify overhead with ad hoc.
- ACME-Based Provisioning of IoT Devices:
  - Chairs to consider forming a design team for this draft.
  - Michael Sweet to send the chairs a reminder email so that future work is better coordinated.
  - Michael Sweet to present this document at the next ACME meeting.
- Power of Attorney Based Device Boarding:
  - Look for additional collaborators to work on the draft.
  - Add a new draft that positions the POA with other existing works.
Next Steps
- Brendan to look into adding the ETSI cybersecurity for consumer IoT devices baseline requirements.
- Michael Sweet to discuss concerns and solutions with web browser vendors.
- Authors of the POA draft should contact the EAP Onboarding working group for discussion.