[DG-IDoT] Common identity standard

afesta at alfweb.com afesta at alfweb.com
Mon Jul 27 13:47:31 CDT 2015


Blogged about an idea around relationships and identifiers last year; thought it could be good to share as a recap of a possible solution (not complete anyway): http://alfweb.com/bg/byoi-bring-your-own-identity-actionable-relationships-an-approach/
Alex

Alessandro Festa
web:http://alfweb.com
twitter:@festaatdell
mail:afesta at alfweb.com




On Mon, Jul 27, 2015 at 11:44 AM -0700, "j stollman" <stollman.j at gmail.com> wrote:

Ranjan,
What would the GUID be based on? How would you ensure its uniqueness across industry sectors, across the globe, and over time?
Jeff

---------------------------------
Jeff Stollman
stollman.j at gmail.com
1 202.683.8699
Truth never triumphs — its opponents just die out. Science advances one funeral at a time.
Max Planck

On Mon, Jul 27, 2015 at 2:41 PM, Ranjan Jain (ranjain) <ranjain at cisco.com> wrote:
All great ideas so far.
How about using a GUID as the identifier which can be tied to a "thing", and this GUID can have multiple personas based on the relationship? Of course we'll need some kind of discovery service and the things need to publish their metadata for usage, but just wanted to get an initial assessment.
From:  "Ingo.Friese at telekom.de" <Ingo.Friese at telekom.de>
Date:  Monday, July 27, 2015 at 7:50 AM
To:  "stollman.j at gmail.com" <stollman.j at gmail.com>, "afesta at alfweb.com" <afesta at alfweb.com>
Cc:  "dg-idot at kantarainitiative.org" <dg-idot at kantarainitiative.org>
Subject:  Re: [DG-IDoT] Common identity standard



Hi Jeff,

Regarding point 3, the following thoughts:

- The owner, admin, or user of a thing has to trigger an update... there might be services that do the update on behalf
- In general we need an update mechanism; if e.g. an owner changes, it should be changed in discovery/search... not a big deal. Isn't it?


From: dg-idot-bounces at kantarainitiative.org [mailto:dg-idot-bounces at kantarainitiative.org]
On Behalf Of j stollman
Sent: Freitag, 24. Juli 2015 19:21
To: Alessandro Festa
Cc: dg-idot at kantarainitiative.org
Subject: Re: [DG-IDoT] Common identity standard



 

I am with Alessandro in the complexity of this solution in the real world.

An iPhone is a collection of IoT devices (camera, audio recorder, touch screen, telephone, computer, etc.). Should each of these have its own "good key pair"? If not, how do we handle the sale of just the camera by the same OEM who sells the camera to Apple? Do we need a way to aggregate devices?

Separately, what constitutes a "good key pair"? Will all of the many unenlightened, non-high-tech manufacturers in the world participate? What is the likelihood that they will create duplicate key pairs when there are billions of devices? We tend to consider that we are servicing an environment where everyone is paying attention to international standards. Standards in markets as broad as we are discussing take decades to become pervasive. How many types of screws do we have? It isn't just metric versus "standard." Screws differ in diameter, pitch, head shape (flat, pan, etc.), and driver type (straight blade, Phillips, head, star, etc.). And then there are custom screws. In IoT we will have hobbyist-types creating devices, along with old-line manufacturers. It isn't just an Apple and Samsung world.

To Ingo's comment about relationships, how do we track changes in those relationships without creating a massive infrastructure? What happens when company A has a device that is used by employees A1, A2, and A3, sells the device to company B for use by B7, B8, and B9?

Jeff

---------------------------------
Jeff Stollman
stollman.j at gmail.com
1 202.683.8699
Truth never triumphs — its opponents just die out. Science advances one funeral at a time.
Max Planck


On Fri, Jul 24, 2015 at 7:34 AM, Alessandro Festa <afesta at alfweb.com> wrote:

Hi Nat,

related to the private key embedded by the manufacturer, I am wondering who would embed what in the case of a multi-manufacturer.

use case:

1) thing created by original manufacturer: embed a priv key
2) thing crafted/customized (OEM) by second manufacturer: embed a priv key

when the thing will need to act on behalf, I expect to reflect a 1-to-many relationship at this point, and so I'll need as user to decide the degree of relationship between the various keys, or only one single key pair will be allowed, and this means we need to define a hierarchical policy to decide who will embed what.

I imagine an onion ring model based on user consent and relationship constraints: user to seller, seller to manufacturer (original or OEM), manufacturer (OEM) to manufacturer

Alex

-
Alessandro Festa
website: http://alfweb.com
twitter: @festaatdell
email: afesta at alfweb.com


On Friday 24 July 2015 13:10, Paul Madsen <pmadsen at pingidentity.com> wrote:

 

Hi Nat, I would follow on to your steps below

On 7/24/15 4:56 AM, Nat Sakimura wrote:

Yeah, it is nice, but WSDL would be too big.

Remember that sending 1 byte over the radio takes as much power as encrypting 1000 bytes. Also, memory and processing power is becoming cheap, so in the IoT context, we should probably treat "minimizing the radio packet" as the priority.

As far as the identification of things is concerned, the viable model that I imagine is as follows:

The device manufacturer creates a good keypair and embeds the private key (and its key thumbprint) in the device. For device authentication, use the key to sign the message.

When acting on behalf of a user:

3. Authenticated user facilitates delivery of tokens to device
4. Device authenticates to AS using embedded keys in order to obtain tokens
5. Device uses tokens to authenticate to cloud endpoints, other devices etc.

Tokens thereby reflect 'relationship' of user & device

Nat

 

 

2015-07-22 1:33 GMT+09:00 Aninda Bhunia <abhunia at inc38.com>:

It would be interesting if we could create a standard that would allow even non-IP devices to publish their identity through a WSDL-type structure. Even if they are non-IP, at some point in their upwards relationship hierarchy their master gateway would be IP based and could be responsible for publishing the identity WSDLs for the entities it brokers.

Thoughts ?

On Jul 21, 2015 11:52 AM, "Joni Brennan" <joni at kantarainitiative.org> wrote:

Noting I have no vote =)

I agree with Paul and others regarding discovery as the key initial mechanism. I believe Ingo has also noted this in the summaries from IDoT. Sal mentions NMAP / SNMP; are there other existing approaches? (apologies if this has been discussed in detail already)

- Joni

Best Regards,

Joni Brennan
Kantara Initiative | Executive Director
email: joni @ kantarainitiative.org
Connecting Identity for a more trustworthy Internet


On Tue, Jul 21, 2015 at 8:42 AM, Salvatore D'Agostino <sal at idmachines.com> wrote:

Other than IP devices? In that case there are mechanisms supporting scanning (e.g. NMAP) or SNMP that have been around for a while; these are typically not exactly API friendly but do provide a starting point and we make good use of them in our offerings.

Salvatore D'Agostino
IDmachines LLC | 1264 Beacon Street, #5
Brookline, MA 02446 | USA
http://www.idmachines.com


On Jul 21, 2015, at 10:46 AM, Paul Madsen <pmadsen at pingidentity.com> wrote:

(one of) what is needed is a standardized mechanism for devices to present their identity (and those humans for which they are acting) to other things, cloud endpoints & applications




On 7/16/15 2:38 PM, Ranjan Jain (ranjain) wrote:

Hey y'all,

Hope everyone is doing well. Just wanted to bounce a question which I'm consistently getting asked around Identity from the IoT perspective. Is there any industry standard in place or in the works which can be used as a common standard across multiple identities? What I mean by this is that humans have an SSN as an identity, while a thermostat may have a serial number, while a network device may have a MAC ID as their identity. So, while individually they all have their own identity standard, when in the IoT world all these entities start interacting with each other, how do we translate one identity into another, or how will one identity interact with another identity in a standards way?

Thanks

Ranjan

 

 

 



Ranjan Jain
ARCHITECT.IT
Information Technology
ranjain at cisco.com
Phone: +1 408 853 4396
Mobile: +1 408 627 9538
Cisco Systems, Inc.
400 East Tasman Drive
San Jose, California 95134
United States
Cisco.com

 


_______________________________________________
DG-IDoT mailing list
DG-IDoT at kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idot

 

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
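The flow Nat sketches and Paul numbers 3-5 above (manufacturer-embedded key pair with its thumbprint, device signs to authenticate, AS issues tokens that carry the user/device relationship, cloud endpoint checks the token), as an added Go example that is not code from any participant in this thread. The `AS` type, the HMAC-over-claims token format and the endpoint sharing the AS secret are assumptions made to keep the example self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Thumbprint names the embedded key pair: hex SHA-256 of the public key, as the
// manufacturer would publish it so an AS can recognise the device later.
func Thumbprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// AS is a minimal authorization server (constructed for this example): public keys
// registered by thumbprint, plus the secret it uses to MAC the tokens it issues.
type AS struct {
	Known  map[string]ed25519.PublicKey
	Secret []byte
}

// IssueToken covers steps 3-4: the device proves possession of its embedded private key
// by signing the nonce the AS handed it, and the token records which user it acts for.
func (a *AS) IssueToken(thumb, userID string, nonce, sig []byte) (string, bool) {
	pub, ok := a.Known[thumb]
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return "", false // unknown thumbprint or bad signature: no token
	}
	claims := "device=" + thumb + ";user=" + userID
	return claims + "|" + tokenMAC(a.Secret, claims), true
}

// VerifyToken is step 5 at a cloud endpoint sharing the AS secret (assumption): check the MAC, return the claims.
func VerifyToken(secret []byte, token string) (string, bool) {
	i := strings.LastIndex(token, "|")
	if i < 0 || !hmac.Equal([]byte(token[i+1:]), []byte(tokenMAC(secret, token[:i]))) {
		return "", false
	}
	return token[:i], true
}

func tokenMAC(secret []byte, msg string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}
```

A device whose key the manufacturer never published, or a token whose claims were altered after issuance, is rejected at the AS and the endpoint respectively.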
