<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>A couple more touches.  <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Dagg, Kenneth [mailto:Kenneth.Dagg@tbs-sct.gc.ca] <br><b>Sent:</b> Wednesday, May 29, 2013 4:04 PM<br><b>To:</b> 'Joni Brennan'; 'Salvatore D'Agostino'<br><b>Cc:</b> 'ingo.friese@telekom.de'; 'Smedinghoff, Tom'; 'Colin Soutar'; 'LC@kantarainitiative.org'; 'trustees@kantarainitiative.org'; 'Anna Slomovic/Equifax'; 'Mark Lizar'<br><b>Subject:</b> RE: [KI-LC] [BoT] Round 2 FTC Kantara Input regarding Security and Privacy<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p>&nbsp;</o:p></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Joni,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I took a fast crack at editing as I found some of the wording rough. 
I also tried to incorporate the ideas around Access Control more explicitly.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I liked the concept you introduced that the IoT is not all new &#8211; just a new application of or way of looking at the existing. I tried to build upon that idea.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hopefully they help.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ken<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><span lang=FR-CA style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Kenneth Dagg<br>Senior Project Co-ordinator | Coordonnateur de projet supérieur<br>Security and Identity Management | Sécurité et gestion des identités<br>Chief Information Officer Branch | Direction du dirigeant principal de l'information<br>Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada<br>Ottawa, Canada K1A 0R5<br><a href="mailto:Kenneth.Dagg@tbs-sct.gc.ca">Kenneth.Dagg@tbs-sct.gc.ca</a><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=FR-CA style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>Telephone | Téléphone 613-957-7041 / Facsimile | Télécopieur 613-954-6642 / 
Teletypewriter | Téléimprimeur 613-957-9090<br>Government of Canada | Gouvernement du Canada<br><br></span><span lang=EN-CA style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><img border=0 width=576 height=61 id="Picture_x0020_1" src="cid:image001.gif@01CE5C93.79B1DAD0" alt="cid:image001.gif@01CDF886.3DB7BC50"></span><span lang=FR-CA style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal><span lang=FR-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:jonibrennan@gmail.com">jonibrennan@gmail.com</a> [<a href="mailto:jonibrennan@gmail.com">mailto:jonibrennan@gmail.com</a>] <b>On Behalf Of </b>Joni Brennan<br><b>Sent:</b> May-29-13 3:04 PM<br><b>To:</b> Salvatore D'Agostino<br><b>Cc:</b> Dagg, Kenneth; <a href="mailto:ingo.friese@telekom.de">ingo.friese@telekom.de</a>; Smedinghoff, Tom; Colin Soutar; <a href="mailto:LC@kantarainitiative.org">LC@kantarainitiative.org</a>; <a href="mailto:trustees@kantarainitiative.org">trustees@kantarainitiative.org</a>; Anna Slomovic/Equifax; Mark Lizar<br><b>Subject:</b> Re: [KI-LC] [BoT] Round 2 FTC Kantara Input regarding Security and Privacy<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-CA><o:p>&nbsp;</o:p></span></p><div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-CA>Dear All,<br><br>Please find attached draft 2 of the FTC comments where I have attempted to reconcile the use cases and comments shared to date.&nbsp; <o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-CA>Heather would you please start an overall editorial pass on this document noting that there may be a few more comments of substance for inclusion.&nbsp; 
<o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-CA>Let's set a goal that we conclude revisions on the draft by not later than midday (PT) tomorrow.&nbsp; <br><br>ACTION: Please start reviewing content now if you have not done so already. If there are no objections from LC or BoT by CoB PT on Friday I will send the final draft as a letter from the Executive Director with a short foreword that indicates comments included were gathered from the Trustees and LC but not necessarily representative of the entire organization. <o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-CA>Thank you for pulling this together in such a short time! <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-CA><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal><span lang=EN-CA>On Wed, May 29, 2013 at 10:41 AM, Joni Brennan &lt;<a href="mailto:joni@ieee-isto.org" target="_blank">joni@ieee-isto.org</a>&gt; wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-CA>And Sal I know you have the real world experience in some of this Truck use case model and appreciate all the comments thus far.&nbsp; Ken, Sal, Ingo, Colin, etc... I'm taking a pass at working all of this in over the next hour.&nbsp; Then I'll push it back to this group and ask Heather to take an editor pass.&nbsp; Hopefully this brings us our final &quot;light-touch&quot; comments to FTC. <br><br>I am working on a similar statement in another identity and I hope to incorporate similar concepts across both approaches where I am holder of pen for this item.&nbsp; I hope that this admission is not an issue and, rather, I suspect it can bolster the importance of the issues we are raising as a community.&nbsp; If there are any concerns please contact me directly. 
<o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-CA>Next draft in ~ 1 hour.<o:p></o:p></span></p></div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-CA><o:p>&nbsp;</o:p></span></p><div><p class=MsoNormal><span lang=EN-CA>On Wed, May 29, 2013 at 8:15 AM, Salvatore D'Agostino &lt;<a href="mailto:sal@idmachines.com" target="_blank">sal@idmachines.com</a>&gt; wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So in previous lives &#8220;we&#8221; made vehicle and part identification systems and have in fact used the quality control and the intelligent transportation experience as a very useful paradigm for security and access control.&nbsp; Think of a toll booth, electronic ID (leave aside authentication for now), check for valid account, check attributes (vehicle type), flag violation (error report, time stamp), update account and create log among other things (and improve user experience..).&nbsp; Same thing applies to parts in production and can be extended to process control.&nbsp; So perhaps a light touch is a way to look at how these do relate.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:lc-bounces@kantarainitiative.org" target="_blank">lc-bounces@kantarainitiative.org</a> [mailto:<a href="mailto:lc-bounces@kantarainitiative.org" target="_blank">lc-bounces@kantarainitiative.org</a>] <b>On 
Behalf Of </b>Dagg, Kenneth<br><b>Sent:</b> Wednesday, May 29, 2013 10:49 AM<br><b>To:</b> '<a href="mailto:Ingo.Friese@telekom.de" target="_blank">Ingo.Friese@telekom.de</a>'; '<a href="mailto:joni@ieee-isto.org" target="_blank">joni@ieee-isto.org</a>'</span><o:p></o:p></p><div><p class=MsoNormal><br><b>Cc:</b> '<a href="mailto:Smedinghoff@wildman.com" target="_blank">Smedinghoff@wildman.com</a>'; '<a href="mailto:email@colinsoutar.com" target="_blank">email@colinsoutar.com</a>'; '<a href="mailto:LC@kantarainitiative.org" target="_blank">LC@kantarainitiative.org</a>'; '<a href="mailto:trustees@kantarainitiative.org" target="_blank">trustees@kantarainitiative.org</a>'; '<a href="mailto:anna.slomovic@equifax.com" target="_blank">anna.slomovic@equifax.com</a>'; '<a href="mailto:mark.lizar@gmail.com" target="_blank">mark.lizar@gmail.com</a>'<o:p></o:p></p></div><div><p class=MsoNormal><b>Subject:</b> Re: [KI-LC] [BoT] Round 2 FTC Kantara Input regarding Security and Privacy<o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ingo,</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I would suggest that the use-cases where it appears that access-control (as it currently is known) need to be re-examined with a view to either updating the use-case or access-control. 
&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>For the use-case of a </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>truck accessing Hamburg harbor I am not clear why the truck is not able to authenticate. It may not be able to provide a traditional LOA2 username/password but it should be able to provide some sort of equivalent LOA2 token. Or maybe the truck, the driver and the truck-driver association are all validated and access-control is strengthened.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The &#8220;fake&#8221; product scenario is also interesting.&nbsp; However, it is very similar, at least in my mind, to ensuring that the credential remains under the control of the entity (a part in this case) to which it was issued and that it is not a &#8220;fake/counterfeit&#8221; credential.&nbsp; These are challenges that high-level (2 and above) authentication is supposed to address.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It is still my belief 
(I&#8217;m not sure how yet) that a vast majority of these scenarios should be addressable / enhanceable by the approaches suggested in Attribute Based Access Control (ABAC). That is not to say that we won&#8217;t have to explore new and different directions but rather that we work hard to scope these to a few exceptions rather than the norm.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>All this being said, I would endorse the approach that Kantara&#8217;s contribution should be a light touch at this time. I would endorse Colin&#8217;s suggestion that we use our response to raise some issues/questions and identify some potentially applicable approaches that don&#8217;t leave people with the impression that the IoT is a brand new thing.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ken</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=FR-CA style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Kenneth Dagg<br>Senior Project Co-ordinator | Coordonnateur de projet supérieur<br>Security and Identity Management | Sécurité et gestion des identités<br>Chief Information Officer Branch | Direction du dirigeant principal de l'information<br>Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada<br>Ottawa, Canada K1A 0R5<br><a href="mailto:Kenneth.Dagg@tbs-sct.gc.ca" target="_blank">Kenneth.Dagg@tbs-sct.gc.ca</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=FR-CA style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Telephone | Téléphone <a href="tel:613-957-7041" target="_blank">613-957-7041</a> / Facsimile | Télécopieur <a 
href="tel:613-954-6642" target="_blank">613-954-6642</a> / Teletypewriter | Téléimprimeur <a href="tel:613-957-9090" target="_blank">613-957-9090</a><br>Government of Canada | Gouvernement du Canada<br><br></span><span lang=EN-CA style='font-size:10.0pt;font-family:"Arial","sans-serif"'><img border=0 width=576 height=61 id="_x0000_i1026" src="cid:image001.gif@01CE5C93.79B1DAD0" alt="cid:image001.gif@01CDF886.3DB7BC50"></span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=FR-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p></div><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:Ingo.Friese@telekom.de" target="_blank">Ingo.Friese@telekom.de</a> [<a href="mailto:Ingo.Friese@telekom.de" target="_blank">mailto:Ingo.Friese@telekom.de</a>] </span><o:p></o:p></p><div><p class=MsoNormal><b>Sent:</b> May-29-13 10:27 AM<br><b>To:</b> <a href="mailto:joni@ieee-isto.org" target="_blank">joni@ieee-isto.org</a>; Dagg, Kenneth<br><b>Cc:</b> <a href="mailto:Smedinghoff@wildman.com" target="_blank">Smedinghoff@wildman.com</a>; <a href="mailto:email@colinsoutar.com" target="_blank">email@colinsoutar.com</a>; <a href="mailto:LC@kantarainitiative.org" target="_blank">LC@kantarainitiative.org</a>; <a href="mailto:trustees@kantarainitiative.org" target="_blank">trustees@kantarainitiative.org</a>; <a href="mailto:anna.slomovic@equifax.com" target="_blank">anna.slomovic@equifax.com</a>; <a href="mailto:mark.lizar@gmail.com" target="_blank">mark.lizar@gmail.com</a><o:p></o:p></p></div><p class=MsoNormal><b>Subject:</b> RE: [KI-LC] [BoT] Round 2 FTC Kantara Input regarding Security and 
Privacy<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Joni,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Ken,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thank you for revising the paper. I like it. Joni I agree, this should be (like you said) an early light touch contribution. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ken, thank you for your comments. 
Let me try to answer:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>First of all it would be great if we could apply access control as known also to the IoT, because we don&#8217;t want to re-invent the wheel.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Unfortunately we have many use-cases where the old way won&#8217;t work.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>e.g.: A truck accessing Hamburg harbor is not able to use username/password for authentication. In this case we need generic identifiers and other ways for authentication</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Another example &#8211; faked products or machine parts (companies think they bought a high-tech Siemens rotor &#8211; and they get a low cost plagiarism). </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So how to check and authenticate parts online along their way from production to the customer? 
I think sometimes we can apply known access control stuff and sometimes we have to go new directions.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regarding your architecture comment: You are right, we should help to develop an IoT architecture at least from an IdM point of view.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Joni it&#8217;s a good paper (considering the few days we had for preparation). Like Colin said let&#8217;s integrate, e.g. the architecture remark etc. 
and that&#8217;s it.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Ingo </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:lc-bounces@kantarainitiative.org" target="_blank">lc-bounces@kantarainitiative.org</a> [<a href="mailto:lc-bounces@kantarainitiative.org" target="_blank">mailto:lc-bounces@kantarainitiative.org</a>] <b>On Behalf Of </b>Joni Brennan<br><b>Sent:</b> Donnerstag, 23. 
Mai 2013 21:35<br><b>To:</b> Dagg, Kenneth<br><b>Cc:</b> Smedinghoff, Tom; Colin Soutar; <a href="mailto:LC@kantarainitiative.org" target="_blank">LC@kantarainitiative.org</a>; <a href="mailto:trustees@kantarainitiative.org" target="_blank">trustees@kantarainitiative.org</a>; Anna Slomovic/Equifax; Mark Lizar<br><b>Subject:</b> Re: [KI-LC] [BoT] Round 2 FTC Kantara Input regarding Security and Privacy</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>Thank you for the comments Ken.&nbsp; I will seek to work them in to a next draft.&nbsp; The paper is very comprehensive and the original intent of LC was to make an early light touch contribution.&nbsp; Note that there is likely soon to be an Identity of Things (IDoT) DG in Kantara which would explore the issues in much more detail and then potentially develop some recommendations about how Kantara might provide value in the space etc.&nbsp; Modeling that you described could very likely be a part of the IDoT DG early approach if not as recommended for a WG to take action on. 
<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>We continue to welcome comments from others as well.&nbsp; <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Best Regards,<br>Joni<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'>&nbsp;<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Thu, May 23, 2013 at 12:29 PM, Dagg, Kenneth &lt;<a href="mailto:Kenneth.Dagg@tbs-sct.gc.ca" target="_blank">Kenneth.Dagg@tbs-sct.gc.ca</a>&gt; wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Joni,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I reviewed the document and found some shortcomings. My personal concerns could be mitigated if there are other documents that describe the context of the Internet of Things (IoT). I have used COMMENTS to voice my personal concerns. 
My apologies, but given the short turnaround time, I regret not being able to recommend how the text could be changed but I just do not have the cycles.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It appears to me, with my minimal technical knowledge about the IoT, that the basic concepts of Access Control should apply to the IoT. If this is true, then I would suggest that a lot of the privacy and security implications have been identified. The prime difference, in my personal opinion, with traditional Access Control is the components, like they are in Trust Frameworks and Federations, are decoupled.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I also believe that a conceptual architecture of the IoT needs to be developed (if it already exists then I stand corrected). Without this type of understanding, it is my personal opinion that any standards / frameworks / infrastructures that are developed will tend to be restrictive rather than accommodating. 
If my belief that Access Control applies then the architecture may essentially be done (could be based on the Attribute Based Access Control &#8211; NIST Special Publication 800-162).</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The conceptual architecture would also include an architecture for &#8220;things&#8221; that identifies the type of information they contain, its functions (e.g., authentication), etc.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ken</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Kenneth Dagg<br>Senior Project Co-ordinator | Coordonnateur de projet supéri</span><span lang=FR-CA style='font-size:10.0pt;font-family:"Arial","sans-serif"'>eur<br>Security and Identity Management | Sécurité et gestion des identités<br>Chief Information Officer Branch | Direction du dirigeant principal de l'information<br>Treasury Board of Canada Secretariat | Secrétariat du Conseil du Trésor du Canada<br>Ottawa, Canada K1A 0R5<br><a href="mailto:Kenneth.Dagg@tbs-sct.gc.ca" 
target="_blank">Kenneth.Dagg@tbs-sct.gc.ca</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=FR-CA style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Telephone | Téléphone <a href="tel:613-957-7041" target="_blank">613-957-7041</a> / Facsimile | Télécopieur <a href="tel:613-954-6642" target="_blank">613-954-6642</a> / Teletypewriter | Téléimprimeur <a href="tel:613-957-9090" target="_blank">613-957-9090</a><br>Government of Canada | Gouvernement du Canada<br><br></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=FR-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>&nbsp;</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:trustees-bounces@kantarainitiative.org" target="_blank">trustees-bounces@kantarainitiative.org</a> [mailto:<a href="mailto:trustees-bounces@kantarainitiative.org" target="_blank">trustees-bounces@kantarainitiative.org</a>] <b>On Behalf Of </b>Joni Brennan<br><b>Sent:</b> May-23-13 2:10 PM<br><b>To:</b> <a href="mailto:trustees@kantarainitiative.org" target="_blank">trustees@kantarainitiative.org</a>; <a href="mailto:LC@kantarainitiative.org" target="_blank">LC@kantarainitiative.org</a><br><b>Cc:</b> Smedinghoff, Tom; Mark Lizar; Colin Soutar; Anna Slomovic/Equifax<br><b>Subject:</b> [BoT] Round 2 FTC Kantara Input regarding Security and Privacy</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span
lang=EN-CA>&nbsp;</span><o:p></o:p></p><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=EN-CA>Hello,<br><br>Thank you Ingo for your first take at the FTC comments [1]!&nbsp; I have edited them slightly and made some contributions to the document.&nbsp; </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=EN-CA>Please see attached.&nbsp; Trustees and LC please advise of suggested inclusions or edits for the document.&nbsp; I'm hopeful that some of our Privacy based membership will have additional comments. (I've copied a few of you directly but this is an open paper so don't hesitate to add others!)</span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=EN-CA>Ideally we need to have the document finalized by May 29 (with no LC objections).&nbsp; I would then like to submit the document as the Kantara ED and on behalf of the Leadership Council.&nbsp; </span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><span lang=EN-CA>Please advise with any further comments or considerations to this activity.&nbsp; <br><br>[1] <a href="http://www.ftc.gov/opa/2013/04/internetthings.shtm" target="_blank">http://www.ftc.gov/opa/2013/04/internetthings.shtm</a></span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-CA>Best Regards,<br>Joni</span><o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p></o:p></p></div></div></div></div></div></div><p class=MsoNormal><span lang=EN-CA><o:p>&nbsp;</o:p></span></p></div></div></div></div><p class=MsoNormal><span lang=EN-CA><o:p>&nbsp;</o:p></span></p></div></div></body></html>