Sal,

You have captured the core issue for our group. Yes, we can choose to shoehorn UMA into an enterprise AS and call it IoT.

I hope we don't.

Adrian



On Tue, Mar 15, 2016 at 8:48 AM, Salvatore D'Agostino <sal@idmachines.com> wrote:

Adrian, UMAnitarians,

End of rant happy to have a use case discussion.

In an enterprise access control system the door controller (RS) controls strikes (in the locks) or large magnets, request-to-exit sensors and other items that effectively lock and unlock things. So yes, it is the lock mfgr. In all these cases the locks are transferred to the enterprise and the RO controls the AS. There are also networked and stand-alone lock use cases as well (this is actually pretty cool, using UMA without any network connections, happy to talk about how…). The logic in the controllers is quite extensive (typically about 150 if-then cases). Certainly in the home case the same is true but much simpler. In the enterprise physical access control use case you will find quite a lot of interesting examples of authorization. As an example, there is very often a requirement for a separation of roles, escalation of authentication requirements, alarm conditions that drive other things such as bringing a video stream up on an operator console, alarm handling and escalation, etc. We used an early version of distributed authorization passing tokens in PKI validation responses about a decade ago and it is what drew me to UMA when I joined the group. Expanding this to an OAuth profile certainly made sense and still absolutely does. So yes, you can build a very inexpensive authorization server, or access control server as we called it when we first did this. We expect to see a lot of these.

All our Linux distros can work in VMs as well; VirtualBox, as a free one, is what we often use.

Kind regards,

Sal

From: agropper@gmail.com [mailto:agropper@gmail.com] On Behalf Of Adrian Gropper
Sent: Monday, March 14, 2016 10:47 PM
To: Salvatore D'Agostino
Cc: wg-uma
Subject: Re: [WG-UMA] First IoT Project Builder

Happy Pi Day!

I use a door lock as my proto use-case for UMA all the time so it's interesting to see Sal is building it. I'm not sure Sal's description with the enterprise as the RS is real UMA unless the RS is the lock vendor.

In my example, the lock vendor transfers full ownership and control of the RS to the enterprise. The RO is not the enterprise. The RO, Alice, is a tenant or employee of the enterprise that is responsible for granting access to some visitor Bob's Client on their smartphone. I consider this to be the real UMA because the RO gets to control her Authorization Server.

My HIE of One project is trying to build an affordable UMA Authorization Server which runs on a Raspberry Pi or a very inexpensive VM. The security issues around the AS are huge. It will be interesting to see how different approaches to sandboxing, FreedomBox, and microservices play out to make my AS reasonably secure.

Once I have my dedicated AS, a cute graphical app environment like Cayenne is just another UMA-aware Client to my Things and my AS.

Adrian

On Mon, Mar 14, 2016 at 9:52 PM, Salvatore D'Agostino <sal@idmachines.com> wrote:

Minor rant on the link, IoT and Pi; you can stop here if you like.

I don’t get the uniqueness here; you can put a full Linux distro on a Pi and do quite a lot, we certainly do.

We prototyped one some time ago doing physical access control based on UMA. Works very nicely actually. The access control server is the AS (could be a Pi), the door controller is the RS (also a Linux distro but usually an ARM; could be a Pi, but most mfgrs have to go through UL and other things so typically build their own or get OEM modules such as http://www.mercury-security.com/ <- when it is up…), the enterprise is the RO, and the client is the person getting in the door with tokens on either a smart card or a smart phone. Need a few other sensors connected to the RS to make it work and typically a network connection between AS and RS, but not necessarily, as the UMA use case can support distributed authorization; that’s the cool thing.

Not trying to promote anything, but just as an example of what we actually use Pi’s for (an appropriate discussion for 0311416): in terms of an initial offering it is focused on technical automation for IoT; our plans for UMA follow on from there. In case anyone is interested, the short description is that we connect the Linux distro (in some cases a Pi) to real-world physical security systems and provide quite a lot of information about the devices in much the same way that modern IT scanning tools do; the difference is that we provide a UI that can be used by an electrician at the push of a button, and we have worked with manufacturers to make sure that their implementations actually adopt IT standards so the monitoring of the devices is efficient and fruitful. It’s one of the tricky things with IoT to get standards properly implemented, let alone securely. Managing the lifecycle of these devices and making sure they get installed properly is the value proposition. There is a new story every day, e.g. http://www.theregister.co.uk/2016/03/14/cctv_insecurity_rife/?utm_source=dlvr.it&utm_medium=linkedin <- and fwiw we could do this exploit every day and have been showing it to vendors as part of our security practice for almost 10 years…

And don’t worry, there’s nothing on our web site (it’s ancient, not really about this, though it will shortly be upgraded), certainly nothing you could click that would track you.. ;-)

Cheers,

Sal

From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of John Wunderlich
Sent: Monday, March 14, 2016 3:54 PM
To: wg-uma
Subject: [WG-UMA] First IoT Project Builder

UMA on Raspberry Pi? Cool idea, but trying to sign up for this leads to data tracking hell. Can’t ‘register’ even though it is whitelisted in Ghostery and uBlock Origin is turned off. Who knows what kinda crap is going on in the backend. But if you’re curious, consider yourself warned:

Sincerely,
John Wunderlich
@PrivacyCDN

Call: +1 (647) 669-4749
eMail: john@wunderlich.ca

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma

--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.
DONATE: http://patientprivacyrights.org/donate-2/

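The role mapping Sal and Adrian debate in this thread (an AS that could run on a Pi, the door controller as RS, a resource owner such as Alice granting a requesting party such as Bob access), together with the separation-of-roles and step-up authentication requirements Sal lists, sketched as a door controller's decision logic. This is an added illustration, not code from the list, HIE of One or id machines; the token fields, the introspection table and the door table are constructed, and a real UMA deployment uses RPTs, permission tickets and AS introspection that this local stand-in simplifies.

```python
"""Simulated door controller (the UMA resource server) deciding whether
to release a strike.  Constructed example: introspection is a local
lookup standing in for the call the RS would make to the AS."""
from dataclasses import dataclass, field

# Constructed: what the AS would answer when the RS introspects a token.
# rp = requesting party, ro = resource owner who granted the access,
# acr = authentication strength the requesting party presented (1 = card,
# 2 = card + PIN), perms = door ids mapped to granted scopes.
INTROSPECTION = {
    "tok-bob-1":   {"active": True,  "rp": "bob",   "ro": "alice",
                    "perms": {"door-17": {"open"}}, "acr": 1},
    "tok-bob-2":   {"active": True,  "rp": "bob",   "ro": "alice",
                    "perms": {"door-42": {"open"}}, "acr": 1},
    "tok-alice":   {"active": True,  "rp": "alice", "ro": "alice",
                    "perms": {"door-17": {"open"}}, "acr": 2},
    "tok-expired": {"active": False},
}

# Constructed door table: door-42 is a server room that requires step-up
# authentication and raises an alarm (e.g. bring up video) on any denial.
DOORS = {"door-17": {"min_acr": 1, "alarm_on_deny": False},
         "door-42": {"min_acr": 2, "alarm_on_deny": True}}

@dataclass
class Decision:
    unlock: bool
    reason: str
    alarms: list = field(default_factory=list)

def introspect(token):
    """Stand-in for AS token introspection."""
    return INTROSPECTION.get(token, {"active": False})

def decide(door_id, token, scope="open"):
    """Controller policy: unknown door, inactive token, missing scope,
    separation of roles and step-up level are each checked in turn."""
    door = DOORS.get(door_id)
    if door is None:
        return Decision(False, "unknown door")
    info = introspect(token)
    def deny(reason):
        alarms = [f"{door_id}: {reason}"] if door["alarm_on_deny"] else []
        return Decision(False, reason, alarms)
    if not info.get("active"):
        return deny("token inactive")
    if scope not in info["perms"].get(door_id, set()):
        return deny("no permission for this door")
    if info["rp"] == info["ro"]:   # constructed separation-of-roles rule
        return deny("separation of roles: grantor cannot use own grant")
    if info["acr"] < door["min_acr"]:
        return deny("step-up authentication required")
    return Decision(True, "granted")
```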