mmccool
commented
4 years ago Meeting:
- ACE is just part of the solution, Anima is necessary for complete implementation
- We can add the reference, but need to say something intelligent about it
- Anima is an example of how to set up security relationships
- Want to including ongoing developments in IoT/IETF; evolving situation
Plan:
- Add Anima reference
- When we introduce ACE, should also introduce Anima and explain how it relates to it and is necessary for an operational environment, since it covers (is mostly about) onboarding
- Since it is about onboarding, we can introduce Anima; ACE is more for operational phase
This is in alignment with our goals to add onboarding to the current scope. In which case we may need to add a section and revise the scope. Maybe expanding the scope should be another issue...
The IETF ACE WG is referred to in https://w3c.github.io/wot-security/#references-to-existing-security-best-practices
If I recall the deliverables/objectives of ACE correctly, ACE is mostly concerned with elaborating security in a relational context (there are components A, B, C in a site/domain, how can they interact securely)
This comes with an assumption of a prior step in an indiviual context (how to make A part of the site/domain, how to make B site/domain...)
In the IETF there is another WG (Anima, https://datatracker.ietf.org/wg/anima/documents/) elaborating techniques for this prior step that can then be used by ACE
From my perspective, referring to this WG is at least as important than referring to ACE (as long as one does not aim at granularity such as A may talk to B but not to C [at least not on weekdays] an adoption of IETF Anima suffices to enable security in a site/domain)