First IoT Project Builder

UMA on Raspberry Pi? Cool idea, but trying to sign up for this leads to data tracking hell. Can’t ‘register’ even though whitelisted in Ghostery and turn off uBlock origin. Who knows what kinda crap is going on in the backend. But if you’re curious, consider yourself warned: http://www.cayenne-mydevices.com/ Sincerely, John Wunderlich @PrivacyCDN Call: +1 (647) 669-4749 eMail: john@wunderlich.ca -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

I managed to sign up only to find out that the android app for this is not yet out :/

Over promise and under deliver? Where have I seen that before? On Mon, Mar 14, 2016 at 1:06 PM -0700, "Farazath Ahamed" <mefarazath@gmail.com> wrote:
I managed to sign up only to find out that the android app for this is not yet out :/

I guess we need to wait till they deliver :) On Mar 15, 2016 1:37 AM, "John Wunderlich" <john@wunderlich.ca> wrote:
Over promise and under deliver? Where have I seen that before?

Maybe we can reach out and see if they can include UMA in the final deliverable? On Mon, Mar 14, 2016 at 1:08 PM -0700, "Farazath Ahamed" <mefarazath@gmail.com> wrote:
I guess we need to wait till they deliver :)

It's funny to see this Cayenne thing on WG-UMA within hours of this post on Project-VRM https://medium.com/the-internet-of-me/the-internet-of-things-is-going-to-nee... Here's the money-quote (sic) from http://www.cayenne-mydevices.com/docs/: "Every time you press a button from the Cayenne app or online dashboard, it travels to the Cayenne Cloud where it’s processed and finds its way to your hardware." I know their app is lovely but why would I want to connect my things to their cloud if the app could do the same thing locally or in a VM that I own? Adrian On Mon, Mar 14, 2016 at 4:11 PM, John Wunderlich <john@wunderlich.ca> wrote:
Maybe we can reach out and see if they can include UMA in the final deliverable?
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/

Minor rant on link, IoT and Pi you can stop here if you like.
I don’t get the uniqueness here, you can put a full Linux distro on a Pi and do quite a lot, we certainly do.
We prototyped one some time ago doing physical access control based on UMA. Works very nicely actually. Access control server is the AS (could be a Pi), door controller is the RS (also a Linux distro but usually an ARM could be a Pi, but most mfgrs have to go through UL and other things so typically build their own or get and OEM modules such as http://www.mercury-security.com/ <- when it is up… ), enterprise is RO, client is person getting in the door with tokens on either smart card or smart phone. Need a few other sensors connected to the RS to make it work and typically a network connection between AS and RS but not necessarily as the UMA use case can support distributed authorization, that’s the cool thing.
Not trying to promote anything but just as an example of what we actually use Pi’s for (an appropriate discussion for 0311416) in terms of an initial offering it is focused at technical automation for IoT, our plans for UMA follow on from there. In case anyone is interested short description is we connect the Linux distro (in some cases a Pi) to real world physical security systems and provide quite a lot of information about the devices in much the same way that modern IT scanning tools do, the difference is that we provide a UI that can be used by an electrician at the push of a button and we have worked with manufacturers to make sure that their implementations actually adopt IT standards so the monitoring of the devices is efficient and fruitful. It’s one of the tricky things with IoT to get standards properly implemented let alone securely. Managing the lifecycle of these devices and making sure they get installed properly is the value proposition. There is a new story every day, e.g. http://www.theregister.co.uk/2016/03/14/cctv_insecurity_rife/?utm_source=dlvr.it&utm_medium=linkedin <- and fwiw we could do this exploit every day and have been showing it to vendors as part of our security practice for almost 10 years…
And don’t worry, there’s nothing on our web site (it’s ancient, not really about this, though it will shortly be upgraded) certainly nothing you could click that would track you.. ;-)
Cheers,
Sal
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of John Wunderlich Sent: Monday, March 14, 2016 3:54 PM To: wg-uma Subject: [WG-UMA] First IoT Project Builder
UMA on Raspberry Pi? Cool idea, but trying to sign up for this leads to data tracking hell. Can’t ‘register’ even though whitelisted in Ghostery and turn off uBlock origin. Who knows what kinda crap is going on in the backend. But if you’re curious, consider yourself warned:
http://www.cayenne-mydevices.com/

Happy Pi Day! I use a door lock as my proto use-case for UMA all the time so it's interesting to see Sal is building it. I'm not sure Sal's description with the enterprise as the RS is real UMA unless the RS is the lock vendor. In my example, the lock vendor transfers full ownership and control of the RS to the enterprise. The RO is not the enterprise. The RO, Alice, is a tenant or employee of the enterprise that is responsible for granting access to some visitor Bob's Client on their smartphone. I consider this to be the real UMA because the RO gets to control her Authorization Server. My HIE of One project is trying to build an affordable UMA Authorization Server which runs on a Raspberry Pi or a very inexpensive VM. The security issues around the AS are huge. It will be interesting to see how different approaches to sandboxing, FreedomBox, and microservices play out to make my AS reasonably secure. Once I have my dedicated AS, a cute graphical app environment like Cayenne is just another UMA-aware Client to my Things and my AS. Adrian On Mon, Mar 14, 2016 at 9:52 PM, Salvatore D'Agostino <sal@idmachines.com> wrote:
Minor rant on link, IoT and Pi you can stop here if you like.
I don’t get the uniqueness here, you can put a full Linux distro on a Pi and do quite a lot, we certainly do.
We prototyped one some time ago doing physical access control based on UMA. Works very nicely actually. Access control server is the AS (could be a Pi), door controller is the RS (also a Linux distro but usually an ARM could be a Pi, but most mfgrs have to go through UL and other things so typically build their own or get and OEM modules such as http://www.mercury-security.com/ <- when it is up… ), enterprise is RO, client is person getting in the door with tokens on either smart card or smart phone. Need a few other sensors connected to the RS to make it work and typically a network connection between AS and RS but not necessarily as the UMA use case can support distributed authorization, that’s the cool thing.
Not trying to promote anything but just as an example of what we actually use Pi’s for (an appropriate discussion for 0311416) in terms of an initial offering it is focused at technical automation for IoT, our plans for UMA follow on from there. In case anyone is interested short description is we connect the Linux distro (in some cases a Pi) to real world physical security systems and provide quite a lot of information about the devices in much the same way that modern IT scanning tools do, the difference is that we provide a UI that can be used by an electrician at the push of a button and we have worked with manufacturers to make sure that their implementations actually adopt IT standards so the monitoring of the devices is efficient and fruitful. It’s one of the tricky things with IoT to get standards properly implemented let alone securely. Managing the lifecycle of these devices and making sure they get installed properly is the value proposition. There is a new story every day, e.g. http://www.theregister.co.uk/2016/03/14/cctv_insecurity_rife/?utm_source=dlvr.it&utm_medium=linkedin <- and fwiw we could do this exploit every day and have been showing it to vendors as part of our security practice for almost 10 years…
And don’t worry, there’s nothing on our web site (it’s ancient, not really about this, though it will shortly be upgraded) certainly nothing you could click that would track you.. ;-)
Cheers,
Sal

Adrian, UMAnitarians,
End of rant happy to have a use case discussion.
In enterprise access control system the door controller (RS) controls strikes (in the locks) or large magnets, request to exit sensors and other items that effectively lock and unlock things. So yes it is the lock mfgr. In all these cases the locks are transferred to the enterprise and the RO controls the AS. There are also networked and stand alone lock (this is actually pretty cool, using UMA without any network connections, happy to talk about how…) use cases as well. The logic in the controllers is quite extensive (typically about 150 if-then cases). Certainly in the home case the same is true but much simpler. In the enterprise physical access control use case you will find quite a lot of interesting examples of authorization. As an example there is very often a requirement for a separation of roles, escalation of authentication requirements, alarm conditions that drive other things such as bringing a video stream up on an operator console, alarm handling and escalation, etc. We used an early version of distribution authorization passing tokens in PKI validation responses about a decade ago and it is what drew me to UMA when I joined the group. Expanding this to an OAuth profile certainly made sense and still absolutely does. So yes you can build a very inexpensive authorization server or access control server as we called it when we first did this. We expect to see a lot of these.
All our Linux distros can work in VMs as well, Virtual Box as a free one is what we often use.
Kind regards,
Sal
From: agropper@gmail.com [mailto:agropper@gmail.com] On Behalf Of Adrian Gropper Sent: Monday, March 14, 2016 10:47 PM To: Salvatore D'Agostino Cc: wg-uma Subject: Re: [WG-UMA] First IoT Project Builder
Happy Pi Day!
I use a door lock as my proto use-case for UMA all the time so it's interesting to see Sal is building it. I'm not sure Sal's description with the enterprise as the RS is real UMA unless the RS is the lock vendor.
In my example, the lock vendor transfers full ownership and control of the RS to the enterprise. The RO is not the enterprise. The RO, Alice, is a tenant or employee of the enterprise that is responsible for granting access to some visitor Bob's Client on their smartphone. I consider this to be the real UMA because the RO gets to control her Authorization Server.
My HIE of One project is trying to build an affordable UMA Authorization Server which runs on a Raspberry Pi or a very inexpensive VM. The security issues around the AS are huge. It will be interesting to see how different approaches to sandboxing, FreedomBox, and microservices play out to make my AS reasonably secure.
Once I have my dedicated AS, a cute graphical app environment like Cayenne is just another UMA-aware Client to my Things and my AS.
Adrian

Sal, You have captured the core issue for our group. Yes, we can choose to shoehorn UMA into an enterprise AS and call it IoT. I hope we don't. Adrian On Tue, Mar 15, 2016 at 8:48 AM, Salvatore D'Agostino <sal@idmachines.com> wrote:
Adrian, UMAnitarians,
End of rant happy to have a use case discussion.
In enterprise access control system the door controller (RS) controls strikes (in the locks) or large magnets, request to exit sensors and other items that effectively lock and unlock things. So yes it is the lock mfgr. In all these cases the locks are transferred to the enterprise and the RO controls the AS. There are also networked and stand alone lock (this is actually pretty cool, using UMA without any network connections, happy to talk about how…) use cases as well. The logic in the controllers is quite extensive (typically about 150 if-then cases). Certainly in the home case the same is true but much simpler. In the enterprise physical access control use case you will find quite a lot of interesting examples of authorization. As an example there is very often a requirement for a separation of roles, escalation of authentication requirements, alarm conditions that drive other things such as bringing a video stream up on an operator console, alarm handling and escalation, etc. We used an early version of distribution authorization passing tokens in PKI validation responses about a decade ago and it is what drew me to UMA when I joined the group. Expanding this to an OAuth profile certainly made sense and still absolutely does. So yes you can build a very inexpensive authorization server or access control server as we called it when we first did this. We expect to see a lot of these.
All our Linux distros can work in VMs as well, Virtual Box as a free one is what we often use.
Kind regards,
Sal

Sal;
I was looking for a drop dead simple and easy way for a newb to build UMA and security into an IoT implementation. Especially for resource constrained devices that will be installed somewhere and forgotten about for their lifespan.
Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

Hi John,
So we have some thoughts about this. Current working premise would be to have the AS as a reverse proxy sitting in between your wireless router and ISP box and that the device might be a Pi akin to some of the examples Adrian mentioned. Alternately someone could provide UMA as a service, again possibly as a reverse proxy much like some other web application security as a service do today. Not quite out there but again given the benefits and nature of some of the deployment progress I wouldn’t be surprised to see one pop up. It could also be part of other services.
Cheers,
Sal

Sal;
What you suggest seems likely for early adopters and particular use cases. In terms of mass user adoption following up on that I think the most likely vectors are as a feature IN the router, not a new box to be purchased, or a service provided by someone the consumer is dealing with like an ISP or email cloud service provider.
--
John Wunderlich
Fat fingered from a mobile device
Pleez 4give spelling errurz!

Hi John,
Yes that seems to make sense. Funny I was just looking at the latest ones http://www.pcmag.com/article2/0,2817,2398080,00.asp and one of the features in the table is parental controls. Beware I am sure the link hits you with multiple cookies… ;-). I do think the mfgrs have a trust and culture hill to climb.
I mentioned the reverse proxy acting as web app/IoT application as a service in an email to Adrian.
Another approach would be to do something with something like Cisco IOS http://www.cisco.com/c/en/us/products/ios-nx-os-software/index.html
My experience is that you bring a big deal to the table and they might listen otherwise tough to get bandwidth (no pun intended but it does work ;-).
The combination of these things; little device, UMAaaS, OEM UMA is why I think the future is bright and eventually the pushme-pullyou will get it there.
Sincerely,
Sal

My kind of IoT: https://motherboard.vice.com/read/this-rectal-thermometer-is-the-logical-con...
and the article it came from: http://www.faz.net/aktuell/feuilleton/debatten/the-digital-debate/shoshana-z...
Adrian
On Tue, Mar 15, 2016 at 7:26 PM, Salvatore D'Agostino <sal@idmachines.com> wrote:
Hi John,
Yes that seems to make sense. Funny I was just looking at the latest ones http://www.pcmag.com/article2/0,2817,2398080,00.asp and one of the features in the table is parental controls. Beware I am sure the link hits you with multiple cookies… ;-). I do think the mfgrs have a trust and culture hill to climb.
I mentioned the reverse proxy acting as web app/IoT application as a service in an email to Adrian.
Another approach would be to do something with something like Cisco IOS http://www.cisco.com/c/en/us/products/ios-nx-os-software/index.html
My experience is that you bring a big deal to the table and they might listen otherwise tough to get bandwidth (no pun intended but it does work ;-).
The combination of these things; little device, UMAaaS, OEM UMA is why I think the future is bright and eventually the pushme-pullyou will get it there.
Sincerely,
Sal
*From:* John Wunderlich [mailto:john@wunderlich.ca] *Sent:* Tuesday, March 15, 2016 7:02 PM *To:* Salvatore D'Agostino *Cc:* wg-uma *Subject:* Re: First IoT Project Builder
Sal;
What you suggest seems likely for early adopters and particular use cases. In terms of mass user adoption following up on that I think the most likely vectors are as a feature IN the router, not a new box to be purchased, or a service provided by someone the consumer is dealing with like an ISP or email cloud service provider.
On Tuesday, 15 March 2016, Salvatore D'Agostino <sal@idmachines.com> wrote:
Hi John,
So we have some thoughts about this. Current working premise would be to have the AS as a reverse proxy sitting in between your wireless router and ISP box and that the device might be a Pi akin to some of the examples Adrian mentioned. Alternately someone could provide UMA as a service, again possibly as a reverse proxy much like some other web application security as a service do today. Not quite out there but again given the benefits and nature of some of the deployment progress I wouldn’t be surprised to see one pop up. It could also be part of other services.
Cheers,
Sal
*From:* John Wunderlich [mailto:john@wunderlich.ca] *Sent:* Tuesday, March 15, 2016 3:19 PM *To:* Salvatore D'Agostino *Cc:* wg-uma *Subject:* Re: [WG-UMA] First IoT Project Builder
Sal;
I was looking for a drop dead simple and easy way for a newb to build UMA and security into an IoT implementation. Especially for resource constrained devices that will be installed somewhere and forgotten about for their lifespan.
Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
On 14 March 2016 at 21:52, Salvatore D'Agostino <sal@idmachines.com> wrote:
Minor rant on link, IoT and Pi you can stop here if you like.
I don’t get the uniqueness here, you can put a full Linux distro on a Pi and do quite a lot, we certainly do.
We prototyped one some time ago doing physical access control based on UMA. Works very nicely actually. Access control server is the AS (could be a Pi), door controller is the RS (also a Linux distro but usually an ARM could be a Pi, but most mfgrs have to go through UL and other things so typically build their own or get an OEM module such as http://www.mercury-security.com/ <- when it is up… ), enterprise is RO, client is person getting in the door with tokens on either smart card or smart phone. Need a few other sensors connected to the RS to make it work and typically a network connection between AS and RS but not necessarily as the UMA use case can support distributed authorization, that’s the cool thing.
Not trying to promote anything but just as an example of what we actually use Pi’s for (an appropriate discussion for 0311416) in terms of an initial offering it is focused at technical automation for IoT, our plans for UMA follow on from there. In case anyone is interested short description is we connect the Linux distro (in some cases a Pi) to real world physical security systems and provide quite a lot of information about the devices in much the same way that modern IT scanning tools do, the difference is that we provide a UI that can be used by an electrician at the push of a button and we have worked with manufacturers to make sure that their implementations actually adopt IT standards so the monitoring of the devices is efficient and fruitful. It’s one of the tricky things with IoT to get standards properly implemented let alone securely. Managing the lifecycle of these devices and making sure they get installed properly is the value proposition. There is a new story every day, e.g. http://www.theregister.co.uk/2016/03/14/cctv_insecurity_rife/?utm_source=dlvr.it&utm_medium=linkedin <- and fwiw we could do this exploit every day and have been showing it to vendors as part of our security practice for almost 10 years…
And don’t worry, there’s nothing on our web site (it’s ancient, not really about this, though it will shortly be upgraded) certainly nothing you could click that would track you.. ;-)
Cheers,
Sal
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of John Wunderlich Sent: Monday, March 14, 2016 3:54 PM To: wg-uma Subject: [WG-UMA] First IoT Project Builder
UMA on Raspberry Pi? Cool idea, but trying to sign up for this leads to data tracking hell. Can’t ‘register’ even though whitelisted in Ghostery and turn off uBlock origin. Who knows what kinda crap is going on in the backend. But if you’re curious, consider yourself warned:
http://www.cayenne-mydevices.com/
Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
-- John Wunderlich
Fat fingered from a mobile device Pleez 4give spelling errurz!
-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
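The role mapping in Sal's quoted message above (access control server as AS, door controller as RS, enterprise as RO, badge holder as client) can be sketched as follows; this is an added example, not code from the thread or from any UMA implementation. It assumes a self-contained HMAC-signed token and a key shared between AS and RS so that the door can decide without a live link to the AS; the token format, function names and key are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Assumption: the AS provisions it on the door
# controller (RS) when the enterprise (RO) registers that door. HMAC keeps
# the sketch stdlib-only; with an asymmetric signature the door would hold
# only a verification key and could not mint tokens if compromised.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def b64e(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    """Inverse of b64e; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def as_issue_token(key, subject, door_id, scopes, ttl_s, now=None):
    """AS side: mint a token that carries the RO's decision for one door."""
    now = int(time.time()) if now is None else int(now)
    claims = {"sub": subject, "rsrc": door_id, "scopes": sorted(scopes),
              "iat": now, "exp": now + ttl_s}
    body = b64e(json.dumps(claims, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64e(tag)


def rs_check_token(key, token, door_id, needed_scope, now=None):
    """RS side: decide at the door with no call to the AS.

    Returns (granted, reason). The signature is verified before any claim
    is parsed, so unauthenticated bytes never reach the JSON decoder.
    """
    now = int(time.time()) if now is None else int(now)
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(tag)):
            return False, "bad signature"
        claims = json.loads(b64d(body))
        if now >= claims["exp"]:
            return False, "expired"
        if claims["rsrc"] != door_id:
            return False, "wrong resource"
        if needed_scope not in claims["scopes"]:
            return False, "scope not granted"
        return True, "granted for " + claims["sub"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed token"


def demo():
    """Run the constructed scenario and return the door's decisions."""
    t0 = 1_700_000_000  # constructed fixed clock so the result is repeatable
    token = as_issue_token(DEMO_KEY, "badge-0042", "door-lobby",
                           ["unlock"], 300, now=t0)
    return [
        rs_check_token(DEMO_KEY, token, "door-lobby", "unlock", now=t0 + 10),
        rs_check_token(DEMO_KEY, token, "door-lobby", "unlock", now=t0 + 300),
        rs_check_token(DEMO_KEY, token, "door-server-room", "unlock", now=t0 + 10),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because the door never asks the AS, a token cannot be revoked before `exp`, so the lifetime should be short and the controller's clock trustworthy.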

Is there any promise that the data coming out of your ass belongs to you alone? Or is it sold to other parties?
I can find no terms of use or privacy policies on their website <https://kinsahealth.com>, but maybe I’m missing them.
BTW, one reason I got a Withings scale, years ago, because they said the data it generated was mine alone, and that they didn’t ever see it. Also they said (as I recall) this was in compliance with French law, and since they were a French company…
Now I get regular emailings reminding me of what I weigh and telling me what I should do about it. I’m not a happy camper about that.
Doc
On Mar 16, 2016, at 10:50 PM, Adrian Gropper <agropper@healthurl.com> wrote:
My kind of IoT:
https://motherboard.vice.com/read/this-rectal-thermometer-is-the-logical-conclusion-of-the-internet-of-things
and the article it came from:
http://www.faz.net/aktuell/feuilleton/debatten/the-digital-debate/shoshana-zuboff-secrets-of-surveillance-capitalism-14103616-p2.html
Adrian
On Tue, Mar 15, 2016 at 7:26 PM, Salvatore D'Agostino <sal@idmachines.com> wrote:
Hi John,
Yes that seems to make sense. Funny I was just looking at the latest ones http://www.pcmag.com/article2/0,2817,2398080,00.asp and one of the features in the table is parental controls. Beware I am sure the link hits you with multiple cookies… ;-). I do think the mfgrs have a trust and culture hill to climb.
I mentioned the reverse proxy acting as web app/IoT application as a service in an email to Adrian.
Another approach would be to do something with something like Cisco IOS http://www.cisco.com/c/en/us/products/ios-nx-os-software/index.html
My experience is that you bring a big deal to the table and they might listen otherwise tough to get bandwidth (no pun intended but it does work ;-).
The combination of these things; little device, UMAaaS, OEM UMA is why I think the future is bright and eventually the pushme-pullyou will get it there.
Sincerely,
Sal
From: John Wunderlich [mailto:john@wunderlich.ca] Sent: Tuesday, March 15, 2016 7:02 PM To: Salvatore D'Agostino Cc: wg-uma Subject: Re: First IoT Project Builder
Sal;
What you suggest seems likely for early adopters and particular use cases. In terms of mass user adoption following up on that I think the most likely vectors are as a feature IN the router, not a new box to be purchased, or a service provided by someone the consumer is dealing with like an ISP or email cloud service provider.
On Tuesday, 15 March 2016, Salvatore D'Agostino <sal@idmachines.com> wrote:
Hi John,
So we have some thoughts about this. Current working premise would be to have the AS as a reverse proxy sitting in between your wireless router and ISP box and that the device might be a Pi akin to some of the examples Adrian mentioned. Alternately someone could provide UMA as a service, again possibly as a reverse proxy much like some other web application security as a service do today. Not quite out there but again given the benefits and nature of some of the deployment progress I wouldn’t be surprised to see one pop up. It could also be part of other services.
Cheers,
Sal
From: John Wunderlich [mailto:john@wunderlich.ca] Sent: Tuesday, March 15, 2016 3:19 PM To: Salvatore D'Agostino Cc: wg-uma Subject: Re: [WG-UMA] First IoT Project Builder
Sal;
I was looking for a drop dead simple and easy way for a newb to build UMA and security into an IoT implementation. Especially for resource constrained devices that will be installed somewhere and forgotten about for their lifespan.
Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
On 14 March 2016 at 21:52, Salvatore D'Agostino <sal@idmachines.com> wrote:
Minor rant on link, IoT and Pi you can stop here if you like.
I don’t get the uniqueness here, you can put a full Linux distro on a Pi and do quite a lot, we certainly do.
We prototyped one some time ago doing physical access control based on UMA. Works very nicely actually. Access control server is the AS (could be a Pi), door controller is the RS (also a Linux distro but usually an ARM could be a Pi, but most mfgrs have to go through UL and other things so typically build their own or get an OEM module such as http://www.mercury-security.com/ <- when it is up… ), enterprise is RO, client is person getting in the door with tokens on either smart card or smart phone. Need a few other sensors connected to the RS to make it work and typically a network connection between AS and RS but not necessarily as the UMA use case can support distributed authorization, that’s the cool thing.
Not trying to promote anything but just as an example of what we actually use Pi’s for (an appropriate discussion for 0311416) in terms of an initial offering it is focused at technical automation for IoT, our plans for UMA follow on from there. In case anyone is interested short description is we connect the Linux distro (in some cases a Pi) to real world physical security systems and provide quite a lot of information about the devices in much the same way that modern IT scanning tools do, the difference is that we provide a UI that can be used by an electrician at the push of a button and we have worked with manufacturers to make sure that their implementations actually adopt IT standards so the monitoring of the devices is efficient and fruitful. It’s one of the tricky things with IoT to get standards properly implemented let alone securely. Managing the lifecycle of these devices and making sure they get installed properly is the value proposition. There is a new story every day, e.g. http://www.theregister.co.uk/2016/03/14/cctv_insecurity_rife/?utm_source=dlvr.it&utm_medium=linkedin <- and fwiw we could do this exploit every day and have been showing it to vendors as part of our security practice for almost 10 years…
And don’t worry, there’s nothing on our web site (it’s ancient, not really about this, though it will shortly be upgraded) certainly nothing you could click that would track you.. ;-)
Cheers,
Sal
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of John Wunderlich Sent: Monday, March 14, 2016 3:54 PM To: wg-uma Subject: [WG-UMA] First IoT Project Builder
UMA on Raspberry Pi? Cool idea, but trying to sign up for this leads to data tracking hell. Can’t ‘register’ even though whitelisted in Ghostery and turn off uBlock origin. Who knows what kinda crap is going on in the backend. But if you’re curious, consider yourself warned:
http://www.cayenne-mydevices.com/
Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca

The only way to control the thing up your ass is for it to have a Class 1 privacy policy http://thehealthcareblog.com/blog/2016/02/22/apple-and-the-3-kinds-of-privac... . Class 2 policies can add valuable convenience but clearly that's not the case for your Withings scale. Class 3 is what we get from almost all of our vendors today.
Here's an alternative vision of IoT: https://slock.it/ This matches very closely my door lock use-case for UMA.
Whether it's a Slock or an HIE of One http://hieofone.org/, the point is the same: you either own your IoT technology or you don't. The personal UMA AS can operate in situations where a Slock would fail for lack of an Internet connection but Slock may have a better business model via DAO.
Adrian
On Wednesday, March 16, 2016, Doc Searls <dsearls@cyber.law.harvard.edu> wrote:
Is there any promise that the data coming out of your ass belongs to you alone? Or is it sold to other parties?
I can find no terms of use or privacy policies on their website <https://kinsahealth.com>, but maybe I’m missing them.
BTW, one reason I got a Withings scale, years ago, because they said the data it generated was mine alone, and that they didn’t ever see it. Also they said (as I recall) this was in compliance with French law, and since they were a French company…
Now I get regular emailings reminding me of what I weigh and telling me what I should do about it. I’m not a happy camper about that.
Doc

Emailed in clear text.. ;-) ? Good points Doc. From: Doc Searls [mailto:dsearls@cyber.law.harvard.edu] Sent: Wednesday, March 16, 2016 11:16 PM To: Adrian Gropper Cc: Salvatore D'Agostino; wg-uma Subject: Re: [WG-UMA] First IoT Project Builder Is there any promise that the data coming out of your ass belongs to you alone? Or is it sold to other parties? I can find no terms of use or privacy policies on their website <https://kinsahealth.com>, but maybe I’m missing them. BTW, one reason I got a Withings scale, years ago, because they said the data it generated was mine alone, and that they didn’t ever see it. Also they said (as I recall) this was in compliance with French law, and since they were a French company… Now I get regular emailings reminding me of what I weigh and telling me what I should do about it. I’m not a happy camper about that. Doc On Mar 16, 2016, at 10:50 PM, Adrian Gropper <agropper@healthurl.com> wrote: My kind of IoT: https://motherboard.vice.com/read/this-rectal-thermometer-is-the-logical-con... and the article it came from: http://www.faz.net/aktuell/feuilleton/debatten/the-digital-debate/shoshana-z... Adrian On Tue, Mar 15, 2016 at 7:26 PM, Salvatore D'Agostino <sal@idmachines.com> wrote: Hi John, Yes that seems to make sense. Funny I was just looking at the latest ones http://www.pcmag.com/article2/0,2817,2398080,00.asp and one of the features in the table are parental controls controls. Beware I am sure the link hits you with multiple cookies… ;-). I do think the mfgrs have a trust and culture hill to climb. I mentioned the reverse proxy acting as web app/IoT application as a service in an email to Adrian. Another approach would be to do something with something like Cisco IOS http://www.cisco.com/c/en/us/products/ios-nx-os-software/index.html My experience is that you bring a big deal to the table and they might listen otherwise tough to get bandwidth (no pun intended but it does work ;-). 
The combination of these things; little device, UMAaaS, OEM UMA is why I think the future is bright and eventually the pushme-pullyou will get it there. Sincerely, Sal From: John Wunderlich [mailto:john@wunderlich.ca] Sent: Tuesday, March 15, 2016 7:02 PM To: Salvatore D'Agostino Cc: wg-uma Subject: Re: First IoT Project Builder Sal; What you suggest seems likely for early adopters and particylular use cases. In terms of mass user adoption following up on that I think the most likely vectors are as a feature IN the router, not a new box to be purchased, or a service provided by some one the consumer is dealing with like an ISP or email cloud service provider. On Tuesday, 15 March 2016, Salvatore D'Agostino <sal@idmachines.com> wrote: Hi John, So we have some thoughts about this. Current working premise would be to have the AS as a reverse proxy sitting in between you wireless router and ISP box and that the device might be a Pi akin to some of the example Adrian mentioned. Alternately someone could provide UMA as a service, again possibly as a reverse proxy much like some other web application security as a service do today. Not quite out there but again given the benefits and nature of some of the deployment progress I wouldn’t be surprised to see one pop up. It could also be part of other services. Cheers, Sal From: John Wunderlich [mailto:john@wunderlich.ca] Sent: Tuesday, March 15, 2016 3:19 PM To: Salvatore D'Agostino Cc: wg-uma Subject: Re: [WG-UMA] First IoT Project Builder Sal; I was looking for a drop dead simple and easy way for a newb to build UMA and security into an IoT implementation. Especially for resource constrained devices that will be installed somewhere and forgotten about for their lifespan. 
Sincerely, John Wunderlich @PrivacyCDN Call: +1 (647) 669-4749 <tel:%2B1%20%28647%29%20669-4749> eMail: john@wunderlich.ca On 14 March 2016 at 21:52, Salvatore D'Agostino <sal@idmachines.com> wrote: Minor rant on link, IoT and Pi you can stop here is you like. I don’t get the uniqueness here, you can put a full Linux distro on a Pi and do quite a lot, we certainly do. We prototyped one some time ago doing physical access control based on UMA. Works very nicely actually. Access control server is the AS (could be a Pi), door controller is the RS (also a Linux distro but usually an ARM could be a Pi, but most mfgrs have to go through UL and other things so typically build their own or get and OEM modules such as http://www.mercury-security.com/ <- when it is up… ), enterprise is RO, client is person getting in the door with tokens on either smart card or smart phone. Need a few other sensors connected to the RS to make it work and typically a network connection between AS and RS but not necessarily as the UMA use case can support distributed authorization, that’s the cool thing. Not trying to promote anything but just as an example of what we actually use Pi’s for (an appropriate discussion for 0311416) in terms of an initial offering it is focused at technical automation for IoT, our plans for UMA follow on from there. In case anyone is interested short description is we connect the Linux distro (in some cases a Pi) to real world physical security systems and provide quite a lot of information about the devices in much the same way that modern IT scanning tools do, the difference is that we provide a UI that can be used by an electrician at the push of a button and we have worked with manufacturers to make sure that their implementations actually adopt IT standards so the monitoring of the devices is efficient and fruitful. Its one of the tricky things with IoT to get standards properly implemented let alone securely. 
Managing the lifecycle of these devices and making sure they get installed properly is the value proposition. There is new story every day, e.g. http://www.theregister.co.uk/2016/03/14/cctv_insecurity_rife/?utm_source=dlv... <http://www.theregister.co.uk/2016/03/14/cctv_insecurity_rife/?utm_source=dlvr.it&utm_medium=linkedin> &utm_medium=linkedin <- and fwiw we could do this exploit every day and have been showing it to vendors as part of our security practice for almost 10 years… And don’t worry, there’s nothing on our web site (it’s ancient, not really about this, though it will shortly be upgraded) certainly nothing you could click that would track you.. ;-) Cheers, Sal From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of John Wunderlich Sent: Monday, March 14, 2016 3:54 PM To: wg-uma Subject: [WG-UMA] First IoT Project Builder UMA on Raspberry Pi? Cool idea, but trying to sign up for this leads to data tracking hell. Can’t ‘register’ even though whitelisted in Ghostery and turn off uBlock origin. Who knows what kinda crap is going on in the backend. But if you’re curious, consider yourself warned: http://www.cayenne-mydevices.com/ Sincerely, John Wunderlich @PrivacyCDN Call: +1 (647) 669-4749 <tel:%2B1%20%28647%29%20669-4749> eMail: john@wunderlich.ca This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. 
-- John Wunderlich Fat fingered from a mobile device Pleez 4give spelling errurz!
-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/

An AS can be deployed as: reverse proxy at home, hosted personal VM, hosted personal microservice, or tethered to something else. This is true regardless of whether "personal" is an individual or an enterprise. This is as true for IoT as it is for health records.
UMA is at a fork in the road. Either we decide to create a reference AS spec first and insist that all RS and C MUST be interoperable with the reference AS or not. This doesn't mean that the reference AS can't do other things beyond the reference but it does mean that every RS and C that claims to be UMA MUST provide some functionality against the reference AS.
Adrian
On Tuesday, March 15, 2016, Salvatore D'Agostino <sal@idmachines.com> wrote:
Hi John,
So we have some thoughts about this. Current working premise would be to have the AS as a reverse proxy sitting in between your wireless router and ISP box and that the device might be a Pi akin to some of the examples Adrian mentioned. Alternately someone could provide UMA as a service, again possibly as a reverse proxy much like some other web application security as a service do today. Not quite out there but again given the benefits and nature of some of the deployment progress I wouldn’t be surprised to see one pop up. It could also be part of other services.
Cheers,
Sal
*From:* John Wunderlich [mailto:john@wunderlich.ca] *Sent:* Tuesday, March 15, 2016 3:19 PM *To:* Salvatore D'Agostino *Cc:* wg-uma *Subject:* Re: [WG-UMA] First IoT Project Builder
Sal;
I was looking for a drop dead simple and easy way for a newb to build UMA and security into an IoT implementation. Especially for resource constrained devices that will be installed somewhere and forgotten about for their lifespan.
Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
On 14 March 2016 at 21:52, Salvatore D'Agostino <sal@idmachines.com> wrote:
Minor rant on link, IoT and Pi you can stop here if you like.
I don’t get the uniqueness here, you can put a full Linux distro on a Pi and do quite a lot, we certainly do.
We prototyped one some time ago doing physical access control based on UMA. Works very nicely actually. Access control server is the AS (could be a Pi), door controller is the RS (also a Linux distro but usually an ARM could be a Pi, but most mfgrs have to go through UL and other things so typically build their own or get an OEM module such as http://www.mercury-security.com/ <- when it is up… ), enterprise is RO, client is person getting in the door with tokens on either smart card or smart phone. Need a few other sensors connected to the RS to make it work and typically a network connection between AS and RS but not necessarily as the UMA use case can support distributed authorization, that’s the cool thing.
Not trying to promote anything but just as an example of what we actually use Pi’s for (an appropriate discussion for 0311416) in terms of an initial offering it is focused at technical automation for IoT, our plans for UMA follow on from there. In case anyone is interested short description is we connect the Linux distro (in some cases a Pi) to real world physical security systems and provide quite a lot of information about the devices in much the same way that modern IT scanning tools do, the difference is that we provide a UI that can be used by an electrician at the push of a button and we have worked with manufacturers to make sure that their implementations actually adopt IT standards so the monitoring of the devices is efficient and fruitful. It’s one of the tricky things with IoT to get standards properly implemented let alone securely. Managing the lifecycle of these devices and making sure they get installed properly is the value proposition. There is a new story every day, e.g. http://www.theregister.co.uk/2016/03/14/cctv_insecurity_rife/?utm_source=dlvr.it&utm_medium=linkedin <- and fwiw we could do this exploit every day and have been showing it to vendors as part of our security practice for almost 10 years…
And don’t worry, there’s nothing on our web site (it’s ancient, not really about this, though it will shortly be upgraded) certainly nothing you could click that would track you.. ;-)
Cheers,
Sal
*From:* wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] *On Behalf Of* John Wunderlich *Sent:* Monday, March 14, 2016 3:54 PM *To:* wg-uma *Subject:* [WG-UMA] First IoT Project Builder
UMA on Raspberry Pi? Cool idea, but trying to sign up for this leads to data tracking hell. Can’t ‘register’ even though whitelisted in Ghostery and turn off uBlock origin. Who knows what kinda crap is going on in the backend. But if you’re curious, consider yourself warned:
http://www.cayenne-mydevices.com/
Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
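The door-controller arrangement described in the quoted message above (access control server as AS, door controller as RS, with the RS able to decide without a live connection to the AS), sketched as an added example that is not part of any message in this thread. The token layout, the function names and the shared HMAC key are assumptions made for illustration and are not the UMA wire format; HMAC stands in for an asymmetric signature, which would keep the minting key off the door controller.

```python
import base64, hashlib, hmac, json

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def as_issue_token(key, holder, door, scopes, not_after):
    """AS (access control server): mint a token for one door, following
    whatever policy the enterprise (RO) has set. Hypothetical format."""
    claims = {"sub": holder, "door": door,
              "scopes": sorted(scopes), "exp": not_after}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    tag = b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag

def rs_check_token(key, token, door, scope, now):
    """RS (door controller): decide locally, with no call to the AS.
    Returns (allowed, reason). The tag is verified before any claim
    is parsed, so unauthenticated input never reaches the JSON parser."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64d(tag), expected):
            return False, "bad signature"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if claims.get("door") != door:
        return False, "wrong door"          # token minted for another RS
    if scope not in claims.get("scopes", []):
        return False, "scope not granted"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"             # bounds offline token lifetime
    return True, "ok"

# Constructed sample values: key, badge id, door names and times are made up.
DEMO_KEY = b"constructed-demo-key"
DEMO_TOKEN = as_issue_token(DEMO_KEY, "badge-0042", "lab-door", ["enter"], 2000)

if __name__ == "__main__":
    print(rs_check_token(DEMO_KEY, DEMO_TOKEN, "lab-door", "enter", 1000))
    print(rs_check_token(DEMO_KEY, DEMO_TOKEN, "server-room", "enter", 1000))
```

Because the RS never contacts the AS here, the expiry claim is the only revocation mechanism, so short lifetimes matter for devices that are installed and then left alone.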
participants (5)
- Adrian Gropper
- Doc Searls
- Farazath Ahamed
- John Wunderlich
- Salvatore D'Agostino