Thanks Nat and Aninda.

From your responses, I see one thing is common which is the identifier discovery mechanism to get more attributes about the identity provided the entity is allowed to interact with that identifier.

Let me think a bit more on this and respond back with more questions. From: Nat Sakimura Date: Thursday, July 16, 2015 at 10:25 PM To: Aninda Bhunia Cc: Ranjan Jain , "dg-idot@kantarainitiative.org" Subject: Re: [DG-IDoT] Common identity standard

Hi Ranjan,

I suppose you meant identifier, not identity. Identity is often defined as 'set of attributes related to an entity' (ISO/IEC 29115, ITU-T X.1254, OpenID Connect, etc.). It can be represented in many ways, but X.509 (ASN.1), SAML(XML), ID Token (JSON) are some of the popular formats.

There is no single standard for identifier. However, we can represent them as URIs or URNs. XRI is another candidate.

One advantage of using URI/XRI is that you can resolve it to get more data about it.

My 2c.

Nat Sakimura

On Thursday, July 16, 2015, Aninda Bhunia wrote:

...

Hi Ranjan, You bring up interesting points but the question i believe, we need to ask, is why (if at all) do we need to 'exchange' identity information and does it make practical sense to have just one common identity structure in the IoT ecosystem?

I dont think it would be practical nor scalable to have just one common identity structure. Rather we need to have a flexible schema and a universal discovery mechanism for identity attributes based on the type of service an entity is interested in interacting with. Such a framework could be configured with hierarchical rule sets which govern what 'kinds' of entities are authorized to interact with the entity domain the rules govern and with 'what capacity'.

would be interested in hearing other's thoughts.

Aninda

On Thu, Jul 16, 2015 at 2:38 PM, Ranjan Jain (ranjain) javascript:_e(%7B%7D,'cvml','ranjain@cisco.com'); > wrote:

...

Hey y¹all, Hope everyone is doing well. Just wanted to bounce a question which I¹m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way?

Thanks Ranjan

Ranjan Jain ARCHITECT.IT http://ARCHITECT.IT Information Technology ranjain@cisco.com javascript:_e(%7B%7D,'cvml','ranjain@cisco.com'); Phone: +1 408 853 4396 tel:%2B1%20408%20853%204396 Mobile: +1 408 627 9538 tel:%2B1%20408%20627%209538 Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States Cisco.com http://www.cisco.com/ Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org javascript:_e(%7B%7D,'cvml','DG-IDoT@kantarainitiative.org'); http://kantarainitiative.org/mailman/listinfo/dg-idot

-- Aninda Bhunia

President, The Incubate Group

416.418.1674 (Phone)

(888) 483-3818 (fax)

abhunia@inc38.com javascript:_e(%7B%7D,'cvml','abhunia@inc38.com');

www.inc38.com http://www.inc38.com/

-- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en

Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings. Salvatore D'Agostino IDmachines LLC |1264 Beacon Street, #5 Brookline, MA. 02446 | USA http://www.idmachines.com

On Jul 21, 2015, at 10:46 AM, Paul Madsen wrote:

(one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications

...

On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote: Hey y’all, Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way?

Thanks Ranjan

Ranjan Jain ARCHITECT.IT Information Technology ranjain@cisco.com Phone: +1 408 853 4396 Mobile: +1 408 627 9538 Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States Cisco.com

Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ? On Jul 21, 2015 11:52 AM, "Joni Brennan" wrote:

Noting I have no vote =)

I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already)

- Joni

Best Regards,

Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org

Connecting Identity for a more trustworthy Internet - Overview http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351

On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino wrote:

...

Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings.

Salvatore D'Agostino IDmachines LLC |1264 Beacon Street, #5 Brookline, MA. 02446 | USA http://www.idmachines.com

On Jul 21, 2015, at 10:46 AM, Paul Madsen wrote:

(one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications

On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote:

Hey y’all, Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way?

Thanks Ranjan

*Ranjan Jain* ARCHITECT.IT Information Technology ranjain@cisco.com Phone: *+1 408 853 4396 <%2B1%20408%20853%204396>* Mobile: *+1 408 627 9538 <%2B1%20408%20627%209538>*

*Cisco Systems, Inc.* 400 East Tasman Drive San Jose California 95134 United States Cisco.com http://www.cisco.com/

Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

_______________________________________________ DG-IDoT mailing listDG-IDoT@kantarainitiative.orghttp://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

Agree publishing on behalf is sketchy. Though at some point delegation has to be dealt with. Maybe common registration endpoint for the constellation of devices and functions? If you have an UMA authZ mgr, how about introducing them as UMA resources everything is a resource (maybe or not resource server in some cases they may/also be clients to use the registration endpoint). So this is registration which is one way to do discovery in the sense you start by solving discovery (for however long tbd). On the discovery front still like the idea of being able to scan an identifier space where they could exist, assume you can manage the protocol, and then you have shared information requisite to your relationship, some might be public and not need the keyring. As well as the identifier/relationship/shared resources tuple defined by the key, you could further leverage them as UMA token(s) (snuck IRM in there as well..;-) From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of afesta@alfweb.com Sent: Tuesday, July 21, 2015 12:42 PM To: Aninda Bhunia; Joni Brennan Cc: dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] Common identity standard Publishing on behalf of another thing sounds not appealing to me. In the end if the primary identity has no viable way to publish I cannot control its identity either so why I should publish itinerary behalf? On non-ip based communication I am thinking more at communication based on keyring type of membership so I may expose my identity only to those things who are member of the same keyring (and so the transport become less interesting). Alex Alessandro Festa web:http://alfweb.com twitter:@festaatdell mail:afesta@alfweb.com On Tue, Jul 21, 2015 at 9:33 AM -0700, "Aninda Bhunia" wrote: It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ? On Jul 21, 2015 11:52 AM, "Joni Brennan" wrote: Noting I have no vote =) I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already) - Joni Best Regards, Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org Connecting Identity for a more trustworthy Internet - Overview http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351 On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino wrote: Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings. Salvatore D'Agostino IDmachines LLC |1264 Beacon Street, #5 Brookline, MA. 02446 | USA http://www.idmachines.com On Jul 21, 2015, at 10:46 AM, Paul Madsen wrote: (one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote: Hey y’all, Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way? Thanks Ranjan http://www.cisco.com/web/europe/images/email/signature/est2014/logo_08.png?c... Ranjan Jain ARCHITECT.IT Information Technology mailto:ranjain@cisco.com ranjain@cisco.com Phone: +1 408 853 4396 tel:%2B1%20408%20853%204396 Mobile: +1 408 627 9538 tel:%2B1%20408%20627%209538 Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States http://www.cisco.com/ Cisco.com http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

Makes sense Nat, pretty much how some of the smart meters work, PKI and elliptical curve in some case for the particulars, here is one vendors take http://www.safenet-inc.com/data-protection/advanced-metering-infrastructure-... How about the binding to users? From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Nat Sakimura Sent: Friday, July 24, 2015 4:56 AM To: Aninda Bhunia Cc: dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] Common identity standard Yeah, it is nice, but WSDL would be too big. Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in IoT context, we should probably treat "minimizing the radio packet" as the priority. As to the identification of the things are cocerned, the viable model that I imagine is as follows: 1. The device manufacutrer creates a good keypair and embeds the private key (and its key thumbprint) in the device. 2. For device authentication, use the key to sign the message. Nat 2015-07-22 1:33 GMT+09:00 Aninda Bhunia : It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ? On Jul 21, 2015 11:52 AM, "Joni Brennan" wrote: Noting I have no vote =) I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already) - Joni Best Regards, Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org Connecting Identity for a more trustworthy Internet - Overview http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351 On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino wrote: Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings. Salvatore D'Agostino IDmachines LLC |1264 Beacon Street, #5 Brookline, MA. 02446 | USA http://www.idmachines.com On Jul 21, 2015, at 10:46 AM, Paul Madsen wrote: (one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote: Hey y’all, Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way? Thanks Ranjan http://www.cisco.com/web/europe/images/email/signature/est2014/logo_08.png?c... Ranjan Jain ARCHITECT.IT Information Technology mailto:ranjain@cisco.com ranjain@cisco.com Phone: +1 408 853 4396 tel:%2B1%20408%20853%204396 Mobile: +1 408 627 9538 tel:%2B1%20408%20627%209538 Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States http://www.cisco.com/ Cisco.com http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en

Just a background on my comment "The device manufacutrer creates a good keypair and embeds the private key ". Often, in constrained environments, you would not have an access to a good random. So, having unconstrained device creating the key may be better for those device. Per Richard's point about memory size etc. Yes, but memory and cpu power constrained it getting less of an issue going forward, it seems, than the radio and power constraint. 2015-07-24 18:28 GMT+09:00 Richard Baker-Donnelly < richard@baker-donnelly.org>:

An observation from a lurker to this group. If you are looking to connect non ip devices, you also need to consider their memory and cpu constraints. If you are running in a low power device with only 2-4k of ram even building an encrypted packet will blow your available memory.

I also suggest that thought is given as to how the identity of such devices can be proxied and this may need to consider guidance or principles for evaluating the risks and threats and how to position this with the overall application.

I would like to engage more in this conversation but the Friday afternoon timing of the call is not helpful given my current role.

Regards

Richard Baker

Sent from my iPhone. Please excuse spelling mistakes.

On 24 Jul 2015, at 09:56, Nat Sakimura wrote:

Yeah, it is nice, but WSDL would be too big. Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in IoT context, we should probably treat "minimizing the radio packet" as the priority.

As to the identification of the things are cocerned, the viable model that I imagine is as follows:

1. The device manufacutrer creates a good keypair and embeds the private key (and its key thumbprint) in the device. 2. For device authentication, use the key to sign the message.

Nat

2015-07-22 1:33 GMT+09:00 Aninda Bhunia :

...

It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ? On Jul 21, 2015 11:52 AM, "Joni Brennan" wrote:

...

Noting I have no vote =)

I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already)

- Joni

Best Regards,

Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org

Connecting Identity for a more trustworthy Internet - Overview http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351

On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino < sal@idmachines.com> wrote:

...

Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings.

Salvatore D'Agostino IDmachines LLC |1264 Beacon Street, #5 Brookline, MA. 02446 | USA http://www.idmachines.com

On Jul 21, 2015, at 10:46 AM, Paul Madsen wrote:

(one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications

On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote:

Hey y’all, Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way?

Thanks Ranjan

*Ranjan Jain* ARCHITECT.IT Information Technology ranjain@cisco.com Phone: *+1 408 853 4396 <%2B1%20408%20853%204396>* Mobile: *+1 408 627 9538 <%2B1%20408%20627%209538>*

*Cisco Systems, Inc.* 400 East Tasman Drive San Jose California 95134 United States Cisco.com http://www.cisco.com/

Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

_______________________________________________ DG-IDoT mailing listDG-IDoT@kantarainitiative.orghttp://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

-- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

-- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en

Hi Nat,related to the private key embeded by manufacturer I am wondering who would embed what in the case of a multi-manufacturer.use case:1) thing created by original manufacturer : embed a priv key2) thing crafted/customized (oem) by second manufacturer : embed a priv key when thing will need to act on behalf I expect to reflect a 1 to many relationship at this point and so I'll need as user to decide the degree of relationship between the various keys or only one single key pair will be allowed and this means we need to define a hierarchical policy to decide who will embed what. I immagine an onion ring model based on user consent and relationship constrain: user to seller, seller to manufacturer (original or oem), manufacturer (oem) to manufacturer Alex -Alessandro Festa  website:http://alfweb.comtwitter:@festaatdellemail:afesta@alfweb.com Il Venerdì 24 Luglio 2015 13:10, Paul Madsen ha scritto: Hi nat, I would follow on to your steps below On 7/24/15 4:56 AM, Nat Sakimura wrote: Yeah, it is nice, but WSDL would be too big.  Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in IoT context, we should probably treat "minimizing the radio packet" as the priority.  As to the identification of the things are cocerned, the viable model that I imagine is as follows:  - The device manufacutrer creates a good keypair and embeds the private key (and its key thumbprint) in the device.  - For device authentication, use the key to sign the message. When acting on behalf of a user 3. Authenticated user facilitates delivery of tokens to device 4. Device authenticates to AS using embedded keys in order to obtain tokens 5. Device uses tokens to authenticate to cloud endpoints, other device etc Tokens thereby reflect 'relationship' of user & device Nat 2015-07-22 1:33 GMT+09:00 Aninda Bhunia : It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ? On Jul 21, 2015 11:52 AM, "Joni Brennan" wrote: Noting I have no vote =) I agree with Paul and others regarding discovery as the key initial mechanism.  I believe Ingo has also noted this in the summaries from IDoT.  Sal mentions NMAP / SNMP are there other exiting approaches?  (apologies if this has been discussed in detail already) - Joni Best Regards, Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org Connecting Identity for a more trustworthy Internet - Overview On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino wrote: Other than ip devices?  In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings. Salvatore D'Agostino IDmachines LLC |1264 Beacon Street, #5 Brookline, MA. 02446 | USA http://www.idmachines.com On Jul 21, 2015, at 10:46 AM, Paul Madsen wrote: (one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote: Hey y’all, Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way? Thanks Ranjan | | | | Ranjan Jain ARCHITECT.IT Information Technology ranjain@cisco.com Phone: +1 408 853 4396 Mobile: +1 408 627 9538 | Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States Cisco.com | | | |  Think before you print. | | This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. | | _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

Hi Jeff, Regarding point 3. following thoughts: - The owner, admin, or user of a thing has to trigger an update…their might be services that do the update on behalf - In general we need an update mechanism, if e.g. an owner changes, it should be changed in discovery/search...not a big deal. Isn’ it? From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of j stollman Sent: Freitag, 24. Juli 2015 19:21 To: Alessandro Festa Cc: dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] Common identity standard I am with Alessandro in the complexity of this solution in the real world. 1. An iPhone is a collection of IoT devices (camera, audio recorder, touch screen, telephone, computer, etc.). Should each of these have its own "good key pair"? If not how do we handle the sale of just the camera by the same OEM who sells the camera to Apple? Do we need a way to aggregate devices? 2. Separately, what constitutes a "good key pair"? Will all of the many unenlightened, non-high-tech manufacturers in the world participate? What is the likelihood that they will create duplicate key pairs when there are billions of devices? We tend to consider that we are servicing an environment where everyone is paying attention to international standards. Standards in markets as broad as we are discussion take decades to become pervasive. How many types of screws do we have? It isn't just metric versus "standard." Screws differ in diameter, pitch, head shape (flat, pan, etc.), and driver type (straight blade, phillips, head, star, etc.). And then there are custom screws. In IoT we will have hobbyist-types creating devices, along with old-line manufacturers. It isn't just an Apply and Samsung world. 3. To Ingo's comment about relationships, how do we track changes in those relationships without creating a massive infrastructure? What happens when company A has a device that is used by employees A1, A2, and A3, sells the device to company B for use by B7, B8, and B9? Jeff --------------------------------- Jeff Stollman stollman.j@gmail.commailto:stollman.j@gmail.com 1 202.683.8699 Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck On Fri, Jul 24, 2015 at 7:34 AM, Alessandro Festa mailto:afesta@alfweb.com> wrote: Hi Nat, related to the private key embeded by manufacturer I am wondering who would embed what in the case of a multi-manufacturer. use case: 1) thing created by original manufacturer : embed a priv key 2) thing crafted/customized (oem) by second manufacturer : embed a priv key when thing will need to act on behalf I expect to reflect a 1 to many relationship at this point and so I'll need as user to decide the degree of relationship between the various keys or only one single key pair will be allowed and this means we need to define a hierarchical policy to decide who will embed what. I immagine an onion ring model based on user consent and relationship constrain: user to seller, seller to manufacturer (original or oem), manufacturer (oem) to manufacturer Alex - Alessandro Festa website:http://alfweb.com twitter:@festaatdell email:afesta@alfweb.commailto:email%3Aafesta@alfweb.com Il Venerdì 24 Luglio 2015 13:10, Paul Madsen mailto:pmadsen@pingidentity.com> ha scritto: Hi nat, I would follow on to your steps below On 7/24/15 4:56 AM, Nat Sakimura wrote: Yeah, it is nice, but WSDL would be too big. Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in IoT context, we should probably treat "minimizing the radio packet" as the priority. As to the identification of the things are cocerned, the viable model that I imagine is as follows: 1. The device manufacutrer creates a good keypair and embeds the private key (and its key thumbprint) in the device. 2. For device authentication, use the key to sign the message. When acting on behalf of a user 3. Authenticated user facilitates delivery of tokens to device 4. Device authenticates to AS using embedded keys in order to obtain tokens 5. Device uses tokens to authenticate to cloud endpoints, other device etc Tokens thereby reflect 'relationship' of user & device Nat 2015-07-22 1:33 GMT+09:00 Aninda Bhunia mailto:abhunia@inc38.com>: It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ? On Jul 21, 2015 11:52 AM, "Joni Brennan" mailto:joni@kantarainitiative.org> wrote: Noting I have no vote =) I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already) - Joni Best Regards, Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.orghttp://kantarainitiative.org/ Connecting Identity for a more trustworthy Internet - Overviewhttp://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351 On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino mailto:sal@idmachines.com> wrote: Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings. Salvatore D'Agostino IDmachines LLC |1264 Beacon Street, #5 Brookline, MA. 02446 | USA http://www.idmachines.comhttp://www.idmachines.com/ On Jul 21, 2015, at 10:46 AM, Paul Madsen mailto:pmadsen@pingidentity.com> wrote: (one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote: Hey y’all, Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way? Thanks Ranjan Ranjan Jain ARCHITECT.IThttp://architect.it/ Information Technology ranjain@cisco.commailto:ranjain@cisco.com Phone: +1 408 853 4396 Mobile: +1 408 627 9538 Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States Cisco.comhttp://www.cisco.com/ Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

Ranjan, What would the GUID be based on? How would you ensure its *U*niqueness across industry sectors, across the globe, and over time? Jeff --------------------------------- Jeff Stollman stollman.j@gmail.com 1 202.683.8699 Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck On Mon, Jul 27, 2015 at 2:41 PM, Ranjan Jain (ranjain) wrote:

All great ideas so far.

How about using GUID as the identifier which can be tied to a “thing” and this GUID can have multiple personas based on the relationship? Ofcourse we’ll need some kind of discovery service and the things need to publish their meta data for usage but just wanted to get initial assessment.

From: "Ingo.Friese@telekom.de" Date: Monday, July 27, 2015 at 7:50 AM To: "stollman.j@gmail.com" , "afesta@alfweb.com" < afesta@alfweb.com> Cc: "dg-idot@kantarainitiative.org" Subject: Re: [DG-IDoT] Common identity standard

Hi Jeff,

Regarding point 3. following thoughts:

- The owner, admin, or user of a thing has to trigger an update…their might be services that do the update on behalf

- In general we need an update mechanism, if e.g. an owner changes, it should be changed in discovery/search...not a big deal. Isn’ it?

*From:* dg-idot-bounces@kantarainitiative.org [ mailto:dg-idot-bounces@kantarainitiative.org ] *On Behalf Of *j stollman

*Sent:* Freitag, 24. Juli 2015 19:21 *To:* Alessandro Festa *Cc:* dg-idot@kantarainitiative.org *Subject:* Re: [DG-IDoT] Common identity standard

I am with Alessandro in the complexity of this solution in the real world.

1. An iPhone is a collection of IoT devices (camera, audio recorder, touch screen, telephone, computer, etc.). Should each of these have its own "good key pair"? If not how do we handle the sale of just the camera by the same OEM who sells the camera to Apple? Do we need a way to aggregate devices? 2. Separately, what constitutes a "good key pair"? Will all of the many unenlightened, non-high-tech manufacturers in the world participate? What is the likelihood that they will create duplicate key pairs when there are billions of devices? We tend to consider that we are servicing an environment where everyone is paying attention to international standards. Standards in markets as broad as we are discussion take decades to become pervasive. How many types of screws do we have? It isn't just metric versus "standard." Screws differ in diameter, pitch, head shape (flat, pan, etc.), and driver type (straight blade, phillips, head, star, etc.). And then there are custom screws. In IoT we will have hobbyist-types creating devices, along with old-line manufacturers. It isn't just an Apply and Samsung world. 3. To Ingo's comment about relationships, how do we track changes in those relationships without creating a massive infrastructure? What happens when company A has a device that is used by employees A1, A2, and A3, sells the device to company B for use by B7, B8, and B9?

Jeff

---------------------------------

Jeff Stollman stollman.j@gmail.com 1 202.683.8699

Truth never triumphs — its opponents just die out.

Science advances one funeral at a time.

Max Planck

On Fri, Jul 24, 2015 at 7:34 AM, Alessandro Festa wrote:

Hi Nat,

related to the private key embeded by manufacturer I am wondering who would embed what in the case of a multi-manufacturer.

use case:

1) thing created by original manufacturer : embed a priv key

2) thing crafted/customized (oem) by second manufacturer : embed a priv key

when thing will need to act on behalf I expect to reflect a 1 to many relationship at this point and so I'll need as user to decide the degree of relationship between the various keys or only one single key pair will be allowed and this means we need to define a hierarchical policy to decide who will embed what.

I immagine an onion ring model based on user consent and relationship constrain: user to seller, seller to manufacturer (original or oem), manufacturer (oem) to manufacturer

Alex

-

Alessandro Festa

website:http://alfweb.com

twitter:@festaatdell

email:afesta@alfweb.com

Il Venerdì 24 Luglio 2015 13:10, Paul Madsen ha scritto:

Hi nat, I would follow on to your steps below

On 7/24/15 4:56 AM, Nat Sakimura wrote:

Yeah, it is nice, but WSDL would be too big.

Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in IoT context, we should probably treat "minimizing the radio packet" as the priority.

As to the identification of the things are cocerned, the viable model that I imagine is as follows:

1. The device manufacutrer creates a good keypair and embeds the private key (and its key thumbprint) in the device. 2. For device authentication, use the key to sign the message.

When acting on behalf of a user

3. Authenticated user facilitates delivery of tokens to device 4. Device authenticates to AS using embedded keys in order to obtain tokens 5. Device uses tokens to authenticate to cloud endpoints, other device etc

Tokens thereby reflect 'relationship' of user & device

Nat

2015-07-22 1:33 GMT+09:00 Aninda Bhunia :

It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ?

On Jul 21, 2015 11:52 AM, "Joni Brennan" wrote:

Noting I have no vote =)

I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already)

- Joni

Best Regards,

Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org

Connecting Identity for a more trustworthy Internet - Overview http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351

On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino wrote:

Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings.

Salvatore D'Agostino

IDmachines LLC |1264 Beacon Street, #5

Brookline, MA. 02446 | USA

http://www.idmachines.com

On Jul 21, 2015, at 10:46 AM, Paul Madsen wrote:

(one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications

On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote:

Hey y’all,

Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way?

Thanks

Ranjan

*Ranjan Jain* ARCHITECT.IT http://architect.it/ Information Technology ranjain@cisco.com Phone: *+1 408 853 4396 <%2B1%20408%20853%204396>* Mobile: *+1 408 627 9538 <%2B1%20408%20627%209538>*

*Cisco Systems, Inc.* 400 East Tasman Drive San Jose California 95134 United States Cisco.com http://www.cisco.com/

Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

_______________________________________________

DG-IDoT mailing list

DG-IDoT@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

--

Nat Sakimura (=nat)

Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en

_______________________________________________

DG-IDoT mailing list

DG-IDoT@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

As we have already many IDs outside I doubt that we can propose a certain GUID. But of course you can use GUID if you need some kind of ID for your system. Jeff, uniqueness is most likely not realistic. We don’t have no governance over all possible IDs. But the nice thing about identifying things with relationships is that identifier don’t have to be unique. There are several “Ingo Friese” outside, but since you know “works with T-Labs” and “Lives in Berlin” you can find me regardless of my identifier. The identifier than is usually mapped to a address (e.g. IP address). And addresses are unique in their domain. From: j stollman [mailto:stollman.j@gmail.com] Sent: Montag, 27. Juli 2015 20:45 To: Ranjan Jain (ranjain) Cc: Friese, Ingo; afesta@alfweb.com; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] Common identity standard Ranjan, What would the GUID be based on? How would you ensure its Uniqueness across industry sectors, across the globe, and over time? Jeff --------------------------------- Jeff Stollman stollman.j@gmail.commailto:stollman.j@gmail.com 1 202.683.8699 Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck On Mon, Jul 27, 2015 at 2:41 PM, Ranjan Jain (ranjain) mailto:ranjain@cisco.com> wrote: All great ideas so far. How about using GUID as the identifier which can be tied to a “thing” and this GUID can have multiple personas based on the relationship? Ofcourse we’ll need some kind of discovery service and the things need to publish their meta data for usage but just wanted to get initial assessment. From: "Ingo.Friese@telekom.demailto:Ingo.Friese@telekom.de" mailto:Ingo.Friese@telekom.de> Date: Monday, July 27, 2015 at 7:50 AM To: "stollman.j@gmail.commailto:stollman.j@gmail.com" mailto:stollman.j@gmail.com>, "afesta@alfweb.commailto:afesta@alfweb.com" mailto:afesta@alfweb.com> Cc: "dg-idot@kantarainitiative.orgmailto:dg-idot@kantarainitiative.org" mailto:dg-idot@kantarainitiative.org> Subject: Re: [DG-IDoT] Common identity standard Hi Jeff, Regarding point 3. following thoughts: - The owner, admin, or user of a thing has to trigger an update…their might be services that do the update on behalf - In general we need an update mechanism, if e.g. an owner changes, it should be changed in discovery/search...not a big deal. Isn’ it? From: dg-idot-bounces@kantarainitiative.orgmailto:dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of j stollman Sent: Freitag, 24. Juli 2015 19:21 To: Alessandro Festa Cc: dg-idot@kantarainitiative.orgmailto:dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] Common identity standard I am with Alessandro in the complexity of this solution in the real world. 1. An iPhone is a collection of IoT devices (camera, audio recorder, touch screen, telephone, computer, etc.). Should each of these have its own "good key pair"? If not how do we handle the sale of just the camera by the same OEM who sells the camera to Apple? Do we need a way to aggregate devices? 2. Separately, what constitutes a "good key pair"? Will all of the many unenlightened, non-high-tech manufacturers in the world participate? What is the likelihood that they will create duplicate key pairs when there are billions of devices? We tend to consider that we are servicing an environment where everyone is paying attention to international standards. Standards in markets as broad as we are discussion take decades to become pervasive. How many types of screws do we have? It isn't just metric versus "standard." Screws differ in diameter, pitch, head shape (flat, pan, etc.), and driver type (straight blade, phillips, head, star, etc.). And then there are custom screws. In IoT we will have hobbyist-types creating devices, along with old-line manufacturers. It isn't just an Apply and Samsung world. 3. To Ingo's comment about relationships, how do we track changes in those relationships without creating a massive infrastructure? What happens when company A has a device that is used by employees A1, A2, and A3, sells the device to company B for use by B7, B8, and B9? Jeff --------------------------------- Jeff Stollman stollman.j@gmail.commailto:stollman.j@gmail.com 1 202.683.8699tel:1%20202.683.8699 Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck On Fri, Jul 24, 2015 at 7:34 AM, Alessandro Festa mailto:afesta@alfweb.com> wrote: Hi Nat, related to the private key embeded by manufacturer I am wondering who would embed what in the case of a multi-manufacturer. use case: 1) thing created by original manufacturer : embed a priv key 2) thing crafted/customized (oem) by second manufacturer : embed a priv key when thing will need to act on behalf I expect to reflect a 1 to many relationship at this point and so I'll need as user to decide the degree of relationship between the various keys or only one single key pair will be allowed and this means we need to define a hierarchical policy to decide who will embed what. I immagine an onion ring model based on user consent and relationship constrain: user to seller, seller to manufacturer (original or oem), manufacturer (oem) to manufacturer Alex - Alessandro Festa website:http://alfweb.com twitter:@festaatdell email:afesta@alfweb.commailto:email%3Aafesta@alfweb.com Il Venerdì 24 Luglio 2015 13:10, Paul Madsen mailto:pmadsen@pingidentity.com> ha scritto: Hi nat, I would follow on to your steps below On 7/24/15 4:56 AM, Nat Sakimura wrote: Yeah, it is nice, but WSDL would be too big. Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in IoT context, we should probably treat "minimizing the radio packet" as the priority. As to the identification of the things are cocerned, the viable model that I imagine is as follows: 1. The device manufacutrer creates a good keypair and embeds the private key (and its key thumbprint) in the device. 2. For device authentication, use the key to sign the message. When acting on behalf of a user 3. Authenticated user facilitates delivery of tokens to device 4. Device authenticates to AS using embedded keys in order to obtain tokens 5. Device uses tokens to authenticate to cloud endpoints, other device etc Tokens thereby reflect 'relationship' of user & device Nat 2015-07-22 1:33 GMT+09:00 Aninda Bhunia mailto:abhunia@inc38.com>: It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ? On Jul 21, 2015 11:52 AM, "Joni Brennan" mailto:joni@kantarainitiative.org> wrote: Noting I have no vote =) I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already) - Joni Best Regards, Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.orghttp://kantarainitiative.org/ Connecting Identity for a more trustworthy Internet - Overviewhttp://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351 On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino mailto:sal@idmachines.com> wrote: Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings. Salvatore D'Agostino IDmachines LLC |1264 Beacon Street, #5 Brookline, MA. 02446 | USA http://www.idmachines.comhttp://www.idmachines.com/ On Jul 21, 2015, at 10:46 AM, Paul Madsen mailto:pmadsen@pingidentity.com> wrote: (one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote: Hey y’all, Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way? Thanks Ranjan Ranjan Jain ARCHITECT.IThttp://architect.it/ Information Technology ranjain@cisco.commailto:ranjain@cisco.com Phone: +1 408 853 4396tel:%2B1%20408%20853%204396 Mobile: +1 408 627 9538tel:%2B1%20408%20627%209538 Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States Cisco.comhttp://www.cisco.com/ Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

Hi Ingo I think you make some subtly very powerful points here. Uniqueness by static identifiers is difficult to uphold as you mention. However, the powerful aspect is the relative context being applied, which results in local uniqueness. That context information, such as where you work and your city, not only helps reduce the noise and pollution of unrelated identities, but it also reduces the scope of knowledge to those who know what living in that city or working at that company actually means. The interesting paradox here - which is often overlooked - is that the more that the contextual information is made public, the less likely it is to be faked. For example, I "know" everything there is to know about Justin Bieber - simply by Googling - which ironically makes it incredibly difficult for me to "fake" his identity, as there are several avenues to prove me wrong. The relationship aspect here is what helps not only identifier the person/thing/object but also verify it's existence and thus possible integrity. Simon On 27/07/15 19:54, Ingo.Friese@telekom.de wrote:

As we have already many IDs outside I doubt that we can propose a certain GUID. But of course you can use GUID if you need some kind of ID for your system.

Jeff, uniqueness is most likely not realistic. We don’t have no governance over all possible IDs. But the nice thing about identifying things with relationships is that identifier don’t have to be unique.

There are several “Ingo Friese” outside, but since you know “works with T-Labs” and “Lives in Berlin” you can find me regardless of my identifier.

The identifier than is usually mapped to a address (e.g. IP address). And addresses are unique in their domain.

*From:*j stollman [mailto:stollman.j@gmail.com] *Sent:* Montag, 27. Juli 2015 20:45 *To:* Ranjan Jain (ranjain) *Cc:* Friese, Ingo; afesta@alfweb.com; dg-idot@kantarainitiative.org *Subject:* Re: [DG-IDoT] Common identity standard

Ranjan,

What would the GUID be based on? How would you ensure its _U_niqueness across industry sectors, across the globe, and over time?

Jeff

---------------------------------

Jeff Stollman stollman.j@gmail.com mailto:stollman.j@gmail.com 1 202.683.8699

Truth never triumphs — its opponents just die out.

Science advances one funeral at a time.

Max Planck

On Mon, Jul 27, 2015 at 2:41 PM, Ranjan Jain (ranjain) mailto:ranjain@cisco.com> wrote:

All great ideas so far.

How about using GUID as the identifier which can be tied to a “thing” and this GUID can have multiple personas based on the relationship? Ofcourse we’ll need some kind of discovery service and the things need to publish their meta data for usage but just wanted to get initial assessment.

*From: *"Ingo.Friese@telekom.de mailto:Ingo.Friese@telekom.de" mailto:Ingo.Friese@telekom.de> *Date: *Monday, July 27, 2015 at 7:50 AM *To: *"stollman.j@gmail.com mailto:stollman.j@gmail.com" mailto:stollman.j@gmail.com>, "afesta@alfweb.com mailto:afesta@alfweb.com" mailto:afesta@alfweb.com> *Cc: *"dg-idot@kantarainitiative.org mailto:dg-idot@kantarainitiative.org" mailto:dg-idot@kantarainitiative.org> *Subject: *Re: [DG-IDoT] Common identity standard

Hi Jeff,

Regarding point 3. following thoughts:

-The owner, admin, or user of a thing has to trigger an update…their might be services that do the update on behalf

-In general we need an update mechanism, if e.g. an owner changes, it should be changed in discovery/search...not a big deal. Isn’ it?

*From:*dg-idot-bounces@kantarainitiative.org mailto:dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] *On Behalf Of *j stollman

*Sent:* Freitag, 24. Juli 2015 19:21 *To:* Alessandro Festa *Cc:* dg-idot@kantarainitiative.org mailto:dg-idot@kantarainitiative.org *Subject:* Re: [DG-IDoT] Common identity standard

I am with Alessandro in the complexity of this solution in the real world.

1. An iPhone is a collection of IoT devices (camera, audio recorder, touch screen, telephone, computer, etc.). Should each of these have its own "good key pair"? If not how do we handle the sale of just the camera by the same OEM who sells the camera to Apple? Do we need a way to aggregate devices? 2. Separately, what constitutes a "good key pair"? Will all of the many unenlightened, non-high-tech manufacturers in the world participate? What is the likelihood that they will create duplicate key pairs when there are billions of devices? We tend to consider that we are servicing an environment where everyone is paying attention to international standards. Standards in markets as broad as we are discussion take decades to become pervasive. How many types of screws do we have? It isn't just metric versus "standard." Screws differ in diameter, pitch, head shape (flat, pan, etc.), and driver type (straight blade, phillips, head, star, etc.). And then there are custom screws. In IoT we will have hobbyist-types creating devices, along with old-line manufacturers. It isn't just an Apply and Samsung world. 3. To Ingo's comment about relationships, how do we track changes in those relationships without creating a massive infrastructure? What happens when company A has a device that is used by employees A1, A2, and A3, sells the device to company B for use by B7, B8, and B9?

Jeff

---------------------------------

Jeff Stollman stollman.j@gmail.com mailto:stollman.j@gmail.com 1 202.683.8699 tel:1%20202.683.8699

Truth never triumphs — its opponents just die out.

Science advances one funeral at a time.

Max Planck

On Fri, Jul 24, 2015 at 7:34 AM, Alessandro Festa mailto:afesta@alfweb.com> wrote:

Hi Nat,

related to the private key embeded by manufacturer I am wondering who would embed what in the case of a multi-manufacturer.

use case:

1) thing created by original manufacturer : embed a priv key

2) thing crafted/customized (oem) by second manufacturer : embed a priv key

when thing will need to act on behalf I expect to reflect a 1 to many relationship at this point and so I'll need as user to decide the degree of relationship between the various keys or only one single key pair will be allowed and this means we need to define a hierarchical policy to decide who will embed what.

I immagine an onion ring model based on user consent and relationship constrain: user to seller, seller to manufacturer (original or oem), manufacturer (oem) to manufacturer

Alex

-

Alessandro Festa

website:http://alfweb.com

twitter:@festaatdell

email:afesta@alfweb.com mailto:email%3Aafesta@alfweb.com

Il Venerdì 24 Luglio 2015 13:10, Paul Madsen mailto:pmadsen@pingidentity.com> ha scritto:

Hi nat, I would follow on to your steps below

On 7/24/15 4:56 AM, Nat Sakimura wrote:

Yeah, it is nice, but WSDL would be too big.

Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in IoT context, we should probably treat "minimizing the radio packet" as the priority.

As to the identification of the things are cocerned, the viable model that I imagine is as follows:

1. The device manufacutrer creates a good keypair and embeds the private key (and its key thumbprint) in the device. 2. For device authentication, use the key to sign the message.

When acting on behalf of a user

3. Authenticated user facilitates delivery of tokens to device 4. Device authenticates to AS using embedded keys in order to obtain tokens 5. Device uses tokens to authenticate to cloud endpoints, other device etc

Tokens thereby reflect 'relationship' of user & device

Nat

2015-07-22 1:33 GMT+09:00 Aninda Bhunia mailto:abhunia@inc38.com>:

It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ?

On Jul 21, 2015 11:52 AM, "Joni Brennan" mailto:joni@kantarainitiative.org> wrote:

Noting I have no vote =)

I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already)

- Joni

Best Regards,

Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org http://kantarainitiative.org/

Connecting Identity for a more trustworthy Internet - Overview http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351

On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino mailto:sal@idmachines.com> wrote:

Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings.

Salvatore D'Agostino

IDmachines LLC |1264 Beacon Street, #5

Brookline, MA. 02446 | USA

http://www.idmachines.com http://www.idmachines.com/

On Jul 21, 2015, at 10:46 AM, Paul Madsen mailto:pmadsen@pingidentity.com> wrote:

(one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications

On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote:

Hey y’all,

Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way?

Thanks

Ranjan

*Ranjan Jain* ARCHITECT.IT http://architect.it/ Information Technology ranjain@cisco.com mailto:ranjain@cisco.com Phone: *+1 408 853 4396 tel:%2B1%20408%20853%204396* Mobile: *+1 408 627 9538 tel:%2B1%20408%20627%209538*

*Cisco Systems, Inc.* 400 East Tasman Drive San Jose California 95134 United States Cisco.com http://www.cisco.com/

Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

_______________________________________________

DG-IDoT mailing list

DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

--

Nat Sakimura (=nat)

Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en

_______________________________________________

DG-IDoT mailing list

DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

-- ForgeRock http://www.forgerock.com/ *Simon Moffatt* Solutions Director | Sales Engineering | ForgeRock *tel* +44 (0) 7903 347 240 | *e* Simon.Moffatt@Forgerock.com mailto:simon.moffatt@forgerock.com *skype* simon.moffatt | *web* www.forgerock.com http://www.forgerock.com/ | *twitter* @simonmoffatt

Hi Jeff Comments inline. Regards, Simon On 28/07/15 12:22, j stollman wrote:

Simon,

I am uncomfortable with your assertion,

The interesting paradox here - which is often overlooked - is that the more that the contextual information is made public, the less likely it is to be faked. For example, I "know" everything there is to know about Justin Bieber - simply by Googling - which ironically makes it incredibly difficult for me to "fake" his identity, as there are several avenues to prove me wrong.

I would argue that I could use the public information available for Justin Bieber to begin setting up accounts using his name and identity characteristics that would be under my control. I could then use these accounts to substantiate the creation of additional accounts and masquerade as Mr. Bieber in various online venues. On the contrary. You would not be able to use that information for an identity assertion, simply as that information is public - therefore it wouldn't be used during verification, making that information "unfakeable" - opening a bank account in his name, would trigger more stringent checks.

As for the value of relationships, I agree that there is value. But it can be very difficult to use. In LinkedIn, for example, when I am looking for a person, I can use relationships to try to narrow down my search. For example, I can filter based on location (within 50 miles of London) or his current/former employer. But in searching for people with common names, I often find that this does not help me because I don't know where the person lives or his employment history.

I don't think that is a relationship search though? That is simply static assertion matching. A relationship search would be were tuples of information came in play resulting in no search being required. For example if searching LinkedIn, a reference to an unlinked person could be more tangible based on that person being previously linked to two people you have already linked in with.

Furthermore, wouldn't using relationships require that we establish database fields for the most common relationships in order to filter on them? But what fields need to be included? If we just allow device "owners" to add ten arbitrary fields that they consider most important for their device, won't we be limited the search to exact matches -- eliminating the ability to perform proximity searches. For example, if I enter the data "2015" would that be the year I deployed the sensor, the altitude of the location of the sensor, or the serial number of the sensor? If I enter instead "Serial Number = 2015", what will happen if someone seeking out my sensor searches for "Part Number = 2015" of "S/N = 2015"? Relationship matching is general done using Graphs, not static field storage. This can then move towards distributed analysis and identity building.

When the sensor changes owners (e.g., company A which owns the sensor is purchased by company B), will the owner be allowed to retain the data fields of the previous owner to keep everyone using the sensor from accessing it?

The relationship itself is a first-principal, not an attribute per-se.

I don't claim that these issues won't have solutions. But as things get more complicated, the threat surface increases. So there are consequences to this complexity -- whether through human error or evil intent.

Jeff

--------------------------------- Jeff Stollman stollman.j@gmail.com mailto:stollman.j@gmail.com 1 202.683.8699

Truth never triumphs — its opponents just die out. Science advances one funeral at a time. Max Planck

On Tue, Jul 28, 2015 at 4:06 AM, Simon Moffatt mailto:simon.moffatt@forgerock.com> wrote:

Hi Ingo

I think you make some subtly very powerful points here. Uniqueness by static identifiers is difficult to uphold as you mention. However, the powerful aspect is the relative context being applied, which results in local uniqueness.

That context information, such as where you work and your city, not only helps reduce the noise and pollution of unrelated identities, but it also reduces the scope of knowledge to those who know what living in that city or working at that company actually means.

The interesting paradox here - which is often overlooked - is that the more that the contextual information is made public, the less likely it is to be faked.

For example, I "know" everything there is to know about Justin Bieber - simply by Googling - which ironically makes it incredibly difficult for me to "fake" his identity, as there are several avenues to prove me wrong.

The relationship aspect here is what helps not only identifier the person/thing/object but also verify it's existence and thus possible integrity.

Simon

On 27/07/15 19:54, Ingo.Friese@telekom.de mailto:Ingo.Friese@telekom.de wrote:

...

As we have already many IDs outside I doubt that we can propose a certain GUID. But of course you can use GUID if you need some kind of ID for your system.

Jeff, uniqueness is most likely not realistic. We don’t have no governance over all possible IDs. But the nice thing about identifying things with relationships is that identifier don’t have to be unique.

There are several “Ingo Friese” outside, but since you know “works with T-Labs” and “Lives in Berlin” you can find me regardless of my identifier.

The identifier than is usually mapped to a address (e.g. IP address). And addresses are unique in their domain.

*From:*j stollman [mailto:stollman.j@gmail.com] *Sent:* Montag, 27. Juli 2015 20:45 *To:* Ranjan Jain (ranjain) *Cc:* Friese, Ingo; afesta@alfweb.com mailto:afesta@alfweb.com; dg-idot@kantarainitiative.org mailto:dg-idot@kantarainitiative.org *Subject:* Re: [DG-IDoT] Common identity standard

Ranjan,

What would the GUID be based on? How would you ensure its _U_niqueness across industry sectors, across the globe, and over time?

Jeff

---------------------------------

Jeff Stollman stollman.j@gmail.com mailto:stollman.j@gmail.com 1 202.683.8699 tel:1%20202.683.8699

Truth never triumphs — its opponents just die out.

Science advances one funeral at a time.

Max Planck

On Mon, Jul 27, 2015 at 2:41 PM, Ranjan Jain (ranjain) mailto:ranjain@cisco.com> wrote:

All great ideas so far.

How about using GUID as the identifier which can be tied to a “thing” and this GUID can have multiple personas based on the relationship? Ofcourse we’ll need some kind of discovery service and the things need to publish their meta data for usage but just wanted to get initial assessment.

*From: *"Ingo.Friese@telekom.de mailto:Ingo.Friese@telekom.de" mailto:Ingo.Friese@telekom.de> *Date: *Monday, July 27, 2015 at 7:50 AM *To: *"stollman.j@gmail.com mailto:stollman.j@gmail.com" mailto:stollman.j@gmail.com>, "afesta@alfweb.com mailto:afesta@alfweb.com" mailto:afesta@alfweb.com> *Cc: *"dg-idot@kantarainitiative.org mailto:dg-idot@kantarainitiative.org" mailto:dg-idot@kantarainitiative.org> *Subject: *Re: [DG-IDoT] Common identity standard

Hi Jeff,

Regarding point 3. following thoughts:

-The owner, admin, or user of a thing has to trigger an update…their might be services that do the update on behalf

-In general we need an update mechanism, if e.g. an owner changes, it should be changed in discovery/search...not a big deal. Isn’ it?

*From:*dg-idot-bounces@kantarainitiative.org mailto:dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] *On Behalf Of *j stollman

*Sent:* Freitag, 24. Juli 2015 19:21 *To:* Alessandro Festa *Cc:* dg-idot@kantarainitiative.org mailto:dg-idot@kantarainitiative.org *Subject:* Re: [DG-IDoT] Common identity standard

I am with Alessandro in the complexity of this solution in the real world.

1. An iPhone is a collection of IoT devices (camera, audio recorder, touch screen, telephone, computer, etc.). Should each of these have its own "good key pair"? If not how do we handle the sale of just the camera by the same OEM who sells the camera to Apple? Do we need a way to aggregate devices? 2. Separately, what constitutes a "good key pair"? Will all of the many unenlightened, non-high-tech manufacturers in the world participate? What is the likelihood that they will create duplicate key pairs when there are billions of devices? We tend to consider that we are servicing an environment where everyone is paying attention to international standards. Standards in markets as broad as we are discussion take decades to become pervasive. How many types of screws do we have? It isn't just metric versus "standard." Screws differ in diameter, pitch, head shape (flat, pan, etc.), and driver type (straight blade, phillips, head, star, etc.). And then there are custom screws. In IoT we will have hobbyist-types creating devices, along with old-line manufacturers. It isn't just an Apply and Samsung world. 3. To Ingo's comment about relationships, how do we track changes in those relationships without creating a massive infrastructure? What happens when company A has a device that is used by employees A1, A2, and A3, sells the device to company B for use by B7, B8, and B9?

Jeff

---------------------------------

Jeff Stollman stollman.j@gmail.com mailto:stollman.j@gmail.com 1 202.683.8699 tel:1%20202.683.8699

Truth never triumphs — its opponents just die out.

Science advances one funeral at a time.

Max Planck

On Fri, Jul 24, 2015 at 7:34 AM, Alessandro Festa mailto:afesta@alfweb.com> wrote:

Hi Nat,

related to the private key embeded by manufacturer I am wondering who would embed what in the case of a multi-manufacturer.

use case:

1) thing created by original manufacturer : embed a priv key

2) thing crafted/customized (oem) by second manufacturer : embed a priv key

when thing will need to act on behalf I expect to reflect a 1 to many relationship at this point and so I'll need as user to decide the degree of relationship between the various keys or only one single key pair will be allowed and this means we need to define a hierarchical policy to decide who will embed what.

I immagine an onion ring model based on user consent and relationship constrain: user to seller, seller to manufacturer (original or oem), manufacturer (oem) to manufacturer

Alex

-

Alessandro Festa

website:http://alfweb.com

twitter:@festaatdell

email:afesta@alfweb.com mailto:email%3Aafesta@alfweb.com

Il Venerdì 24 Luglio 2015 13:10, Paul Madsen mailto:pmadsen@pingidentity.com> ha scritto:

Hi nat, I would follow on to your steps below

On 7/24/15 4:56 AM, Nat Sakimura wrote:

Yeah, it is nice, but WSDL would be too big.

Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in IoT context, we should probably treat "minimizing the radio packet" as the priority.

As to the identification of the things are cocerned, the viable model that I imagine is as follows:

1. The device manufacutrer creates a good keypair and embeds the private key (and its key thumbprint) in the device. 2. For device authentication, use the key to sign the message.

When acting on behalf of a user

3. Authenticated user facilitates delivery of tokens to device 4. Device authenticates to AS using embedded keys in order to obtain tokens 5. Device uses tokens to authenticate to cloud endpoints, other device etc

Tokens thereby reflect 'relationship' of user & device

Nat

2015-07-22 1:33 GMT+09:00 Aninda Bhunia mailto:abhunia@inc38.com>:

It would be interesting if we could create a standard that would allow even non IP devices to publish their identity through a wsdl type structure. Even if they are non IP at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity wsdls for the entities it brokers. Thoughts ?

On Jul 21, 2015 11:52 AM, "Joni Brennan" mailto:joni@kantarainitiative.org> wrote:

Noting I have no vote =)

I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP are there other exiting approaches? (apologies if this has been discussed in detail already)

- Joni

Best Regards,

Joni Brennan Kantara Initiative | Executive Director email: joni @ kantarainitiative.org http://kantarainitiative.org/

Connecting Identity for a more trustworthy Internet - Overview http://www.slideshare.net/kantarainitiative/kantara-overview2014-37969351

On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino mailto:sal@idmachines.com> wrote:

Other than ip devices? In that case there are mechanisms support scanning ( eg NMAP) or SNMP that have been around for a while these are typically not exactly API friendly but do provide a starting point and we make good use in our offerings.

Salvatore D'Agostino

IDmachines LLC |1264 Beacon Street, #5

Brookline, MA. 02446 | USA

http://www.idmachines.com http://www.idmachines.com/

On Jul 21, 2015, at 10:46 AM, Paul Madsen mailto:pmadsen@pingidentity.com> wrote:

(one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications

On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote:

Hey y’all,

Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way?

Thanks

Ranjan

*Ranjan Jain* ARCHITECT.IT http://architect.it/ Information Technology ranjain@cisco.com mailto:ranjain@cisco.com Phone: *+1 408 853 4396 tel:%2B1%20408%20853%204396* Mobile: *+1 408 627 9538 tel:%2B1%20408%20627%209538*

*Cisco Systems, Inc.* 400 East Tasman Drive San Jose California 95134 United States Cisco.com http://www.cisco.com/

Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

_______________________________________________

DG-IDoT mailing list

DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

--

Nat Sakimura (=nat)

Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en

_______________________________________________

DG-IDoT mailing list

DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org

http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org mailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

-- ForgeRock http://www.forgerock.com/ *Simon Moffatt* Solutions Director | Sales Engineering | ForgeRock *tel* +44 (0) 7903 347 240 tel:%2B44%20%280%29%207903%20347%20240 | *e* Simon.Moffatt@Forgerock.com mailto:simon.moffatt@forgerock.com *skype* simon.moffatt | *web* www.forgerock.com http://www.forgerock.com/ | *twitter* @simonmoffatt

-- ForgeRock http://www.forgerock.com/ *Simon Moffatt* Solutions Director | Sales Engineering | ForgeRock *tel* +44 (0) 7903 347 240 | *e* Simon.Moffatt@Forgerock.com mailto:simon.moffatt@forgerock.com *skype* simon.moffatt | *web* www.forgerock.com http://www.forgerock.com/ | *twitter* @simonmoffatt

was Ranjan actually asking about discovery? :-) On 7/24/15 8:05 AM, Ingo.Friese@telekom.de wrote:

Hi Ranjan,

I’m not sure to have one standard way to finding things.

What we discussed in the group was a kind of “Google combined with p2p discovery” for things. This service might be operated by several companies/communities etc. like DNS.

Everything has relationships that describe things (e.g. is owned by Ingo, located in Berlin, run by DT, etc.) So you can find a communication endpoint for the thing itself.

The beauty of a mechanisms like this is it works for all kind of protocols and all form of identifier.

On top of finding things we can establish mechanisms, to authenticate, to build trust etc.

Best Ingo

*From:*Ranjan Jain (ranjain) [mailto:ranjain@cisco.com] *Sent:* Donnerstag, 16. Juli 2015 20:39 *To:* Friese, Ingo; stollman.j@gmail.com *Cc:* dg-idot@kantarainitiative.org *Subject:* Common identity standard

Hey y’all,

Hope everyone is doing well. Just wanted to bounce a question which I’m consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way?

Thanks

Ranjan

*Ranjan Jain* ARCHITECT.IT Information Technology ranjain@cisco.com mailto:ranjain@cisco.com Phone: *+1 408 853 4396* Mobile: *+1 408 627 9538*

*Cisco Systems, Inc.* 400 East Tasman Drive San Jose California 95134 United States Cisco.com http://www.cisco.com/

Think before you print.

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.

_______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

How ever you call it :) ....the question was:" how do we translate one identity into another?" " by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity... When you know the endpoints you have the issue of different communication protocols, and semantics. In WONDER, a EU project we tested "protocol on the fly". Here one party can on demand load a missing protocol stub. The home gateway initiative defined a Smart Device Template. Manufacturer of a device can describe the functions/options of their device. From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Paul Madsen Sent: Freitag, 24. Juli 2015 14:07 To: dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] Common identity standard was Ranjan actually asking about discovery? :-) On 7/24/15 8:05 AM, Ingo.Friese@telekom.demailto:Ingo.Friese@telekom.de wrote: Hi Ranjan, I'm not sure to have one standard way to finding things. What we discussed in the group was a kind of "Google combined with p2p discovery" for things. This service might be operated by several companies/communities etc. like DNS. Everything has relationships that describe things (e.g. is owned by Ingo, located in Berlin, run by DT, etc.) So you can find a communication endpoint for the thing itself. The beauty of a mechanisms like this is it works for all kind of protocols and all form of identifier. On top of finding things we can establish mechanisms, to authenticate, to build trust etc. Best Ingo From: Ranjan Jain (ranjain) [mailto:ranjain@cisco.com] Sent: Donnerstag, 16. Juli 2015 20:39 To: Friese, Ingo; stollman.j@gmail.commailto:stollman.j@gmail.com Cc: dg-idot@kantarainitiative.orgmailto:dg-idot@kantarainitiative.org Subject: Common identity standard Hey y'all, Hope everyone is doing well. Just wanted to bounce a question which I'm consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way? Thanks Ranjan [http://www.cisco.com/web/europe/images/email/signature/est2014/logo_08.png?c...] Ranjan Jain ARCHITECT.IT Information Technology ranjain@cisco.commailto:ranjain@cisco.com Phone: +1 408 853 4396 Mobile: +1 408 627 9538 Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States Cisco.comhttp://www.cisco.com/ [http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif] Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.orgmailto:DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot

Gateways = registration and discovery endpoints? From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Ingo.Friese@telekom.de Sent: Friday, July 24, 2015 8:26 AM To: pmadsen@pingidentity.com; dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] Common identity standard How ever you call it J ..the question was:" how do we translate one identity into another?" " by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. When you know the endpoints you have the issue of different communication protocols, and semantics. In WONDER, a EU project we tested "protocol on the fly". Here one party can on demand load a missing protocol stub. The home gateway initiative defined a Smart Device Template. Manufacturer of a device can describe the functions/options of their device. From: dg-idot-bounces@kantarainitiative.org [mailto:dg-idot-bounces@kantarainitiative.org] On Behalf Of Paul Madsen Sent: Freitag, 24. Juli 2015 14:07 To: dg-idot@kantarainitiative.org Subject: Re: [DG-IDoT] Common identity standard was Ranjan actually asking about discovery? :-) On 7/24/15 8:05 AM, Ingo.Friese@telekom.de wrote: Hi Ranjan, I'm not sure to have one standard way to finding things. What we discussed in the group was a kind of "Google combined with p2p discovery" for things. This service might be operated by several companies/communities etc. like DNS. Everything has relationships that describe things (e.g. is owned by Ingo, located in Berlin, run by DT, etc.) So you can find a communication endpoint for the thing itself. The beauty of a mechanisms like this is it works for all kind of protocols and all form of identifier. On top of finding things we can establish mechanisms, to authenticate, to build trust etc. Best Ingo From: Ranjan Jain (ranjain) [mailto:ranjain@cisco.com] Sent: Donnerstag, 16. Juli 2015 20:39 To: Friese, Ingo; stollman.j@gmail.com Cc: dg-idot@kantarainitiative.org Subject: Common identity standard Hey y'all, Hope everyone is doing well. Just wanted to bounce a question which I'm consistently getting asked around Identity, IoT perspective. Is there any industry standard in place or in works which can be used as a common standard across multiple identities. What I mean by this is that humans have SSN as an identity while a thermostat may have serial number while a network device may have a Mac ID as their identity. So, while individually they all have their own identity standard, when in the IoT world, all these entities start interacting with each other, how do we translate one identity into another or how will one identity interact with another identity in a standards way? Thanks Ranjan <http://www.cisco.com/web/europe/images/email/signature/est2014/logo_08.png? ct=1408129135253> Ranjan Jain ARCHITECT.IT Information Technology mailto:ranjain@cisco.com ranjain@cisco.com Phone: +1 408 853 4396 Mobile: +1 408 627 9538 Cisco Systems, Inc. 400 East Tasman Drive San Jose California 95134 United States http://www.cisco.com/ Cisco.com http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif Think before you print. This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. _______________________________________________ DG-IDoT mailing list DG-IDoT@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-idot