# IoT Operations

* Date: Friday, November 12, 2021
* Time: 16:00-17:00 (UTC)
* Meetecho: https://meetings.conf.meetecho.com/ietf112/?group=iotops&short=&item=1
* Jabber: iotops@jabber.ietf.org
* Notes: https://notes.ietf.org/notes-ietf-112-iotops

### Chairs

* Alexey Melnikov alexey.melnikov@isode.com
* Henk Birkholz henk.birkholz@sit.fraunhofer.de

### Scribe

scribing/note taking: Michael Richardson

## MINUTES

### IoT Authentication in Next Generation Networks

hardware based: many things... "admit the device I just touched"
ideas come from prof. Henning Schulzrinne @ Columbia.
need things like Wi-Fi signals for gesture AI/neural network model

BM: Perhaps this can be used for Bluetooth hardware authentication: https://spectrum.ieee.org/bluetooth-security

Join discussion: pidloc@ietf.org
https://www.ietf.org/mailman/listinfo/pidloc (or email pidloc-request@ietf.org)

### Framework For Integrated Industrial Networks

created a new document:
old: draft-km-industrial-
new: draft-iotops-km-iiot-frwk

IIC, OPC-UA, IEC/IEEE 60802 project.

Question: what is the right landing spot for this work?

### IoTSF ManySecured SUIB: Browsing local web resources in a secure, usable manner: examining IoT device configuration as a special case

SUIB: Secure Usable Intranet Browser. (IoT is a special case of local web server)

Problem statement: try to connect to a device management system using HTTPS.
Most systems use an IP address over plain HTTP. Can we do better with HTTPS?
How can we get certificates for devices that don't have Internet connectivity?

CA: points out that, aside from being unusable, we don't want to train users on how to click around warnings shown by browsers.

white paper is at: https://www.iotsecurityfoundation.org/wp-content/uploads/2021/08/ManySecured-SUIB-White-Paper.pdf

(11:35:49 AM) Kohei Isobe_web_609: Is this related work? https://www.w3.org/community/httpslocal/

Much discussion in jabber about ideas on how to solve the problem.
As Nick says, everyone thinks that it can be solved by "FOO", but it usually doesn't work.
More in the jabber log: https://jabber.ietf.org/jabber/logs/iotops/2021-11-12.html

### Roy Williams (Microsoft), SBOM (Software Bill Of Materials)

https://datatracker.ietf.org/meeting/112/materials/slides-112-iotops-iotops-sbom-signing-discussion-00

Discussed the US executive directive as related to SBOM.
Most things that are signed have a 5-year lifecycle, which is longer than the typical expiration lifetime for certificates. Which means that certificates need to be renewed.

### Midlife Crisis (of an IoT Device)

Slides with great graphics... Game called "MID-LIFE CRISIS"

Decommissioning is a big deal ("end of life crisis"), but not even going to get to that. This is about the middle-life crisis.

Example: house full of stuff, and the house is sold. How does the new owner find and associate things well? What if the house transfer was not voluntary? Do you have the manual, so that you can find the reset button?

midlife: discovering the devices, and doing something with them.
example: sprinkler system that speaks over 3G

discuss... what does "good" look like.

Roy Williams (RW):

EL: talked to various people, and everyone has a slightly different version. Maybe in the rental market, the owner retains ultimate control, and shifts control.

MCR: standard place to put ownership statements.

Wes Hardaker (WH): the discovery is a really interesting problem. Even if some light was attached to a router... The router that it was attached to might be long gone.

Erik Nordmark (EN): This is an important problem. Getting the keys to the house... at least you know how many doors have locks on them. You say, _I'm gonna rekey_, because you don't know how many copies they had of the key. If there are some things which are stored elsewhere... should I escrow the credentials somewhere? Or should I escrow the method by which I can reset them? Normally people don't like to escrow credentials, but maybe for rentals this is reasonable?

WH: crazy idea... if IoT devices could communicate with each other, and had a list of friends, then at least the list could be recovered from any device one does find.

EL: What do we do here at the IETF... we usually document things... big ticket items have easier solutions... Good use of IOTOPS to document this. Here are the principles... we don't really like key escrow... (because they don't do it well...). Once we have principles, we might start talking mechanisms.