w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Review updated Lifecycle in Architecture #192

Open mmccool opened 3 years ago

mmccool commented 3 years ago

See PR https://github.com/w3c/wot-architecture/pull/539 when it is complete. This better aligns the lifecycle with the IETF/T2TRG document and modifies the diagram, pulling out detail into the main body text.

mmccool commented 3 years ago

There is still some ongoing discussion based on feedback at TPAC. We probably should leave this open until the lifecycle is finalized and we have a chance to do a final security review. The PR above, however, has been merged.

@OliverPfaff has agreed to review the current status and provide input on whether any additional updates are needed from a security perspective.

OliverPfaff commented 3 years ago

abc

OliverPfaff commented 3 years ago

Review comments for https://w3c.github.io/wot-architecture/#lifecycle

  1. Organization: in a *-of-things document, start with Thing Lifecycle (reflecting the given starting point), then System Lifecycle (saying there is more than a/one thing that matters), then Information Lifecycle (to contrast against IT)

  2. Terminology: using "thing" and "device" as synonymous terms (?) is unfortunate. Suggestion: use "thing", do not use "device" (the current usage of "device" creates confusion for people with an OT background)

  3. Thing lifecycle stage "Bootstrapped": the current text focusses on "establishing identity and ownership". This is just a small minority of what has to happen after "Manufactured" and before "Operational" (supply network address esp. IP address, supply naming information esp. application naming, supply configuration information [independent from security items])

  4. Ownership: is addressed in text but not covered in Figure (and the text section about state changes). This seems to be not well-balanced

  5. Multiplicity of identifier(s): in general the relationship between "thing" and "identifier" is 1:n (one thing typically has 1 MAC address, 1 IP address and 1 application name per application resulting in n+2 identifiers if it runs n applications). The term "identity" can cope with this. But it still creates misconceptions: it is not uncommon to read/comprehend "1 identity" as "1 identifier"

  6. System: consider differentiating instances of "system" according to "machine" (a "system" with a dedicated physical body such as an industrial robot) and others (a "system" without such a body, e.g. a home or office automation system)

  7. Simple System Lifecycle: I don't really understand the rationale behind this differentiation

  8. System Lifecycle with Registration: same comment as for Simple System Lifecycle

mmccool commented 3 years ago

Notes from security meeting Nov 30:

  1. Contrasting IT and OT is interesting. In general, HW and SW are more closely coupled in OT. This is probably also true of information managed by the SW, which is our primary concern for privacy. For a discussion of OT, see: https://en.wikipedia.org/wiki/Operational_technology . Another interesting reference: https://www.felser.ch/papers/2019-IEEE-OT-IT.pdf . Related issue: https://github.com/w3c/wot-architecture/issues/553 and also https://github.com/w3c/wot-architecture/issues/561 (we should clearly define why we need an information lifecycle)
  2. Actually, "Thing" and "Device" should not be synonymous. My understanding is that "Thing" (note caps) is the software abstraction or representation of a physical Device. But these terms are often not used as carefully as they should be... probably the doc needs a close reading to sort out places where they are not used correctly. I definitely saw many places where "Thing" is used for a physical device. Maybe we should use "physical Thing" in place of "device"...
  3. I personally think that breaking the (complex) bootstrapping process into substeps in the main state machine is useful. However, we do need to capture all the substeps that are included in that state, perhaps in its description. What really matters is the state of the device when it leaves that state (IP address assigned, security keys provisioned, etc). While identity is important, the current text is incomplete and should be more inclusive.
  4. Needs some modification to text around ownership to balance it. Creating an issue to follow up: https://github.com/w3c/wot-architecture/issues/570
  5. Good point. Need to clearly define "Identity" and "Identifier" as defined terminology. Creating an issue to follow up: https://github.com/w3c/wot-architecture/issues/571
  6. I think the way the term is used here is "an entity with multiple interacting components". The components must also be somehow visible, e.g. Things, Directories, etc. Maybe this just needs a formal definition (e.g. the sentence above). But we still have places in the text where system is used less formally (eg a machine which is actually a device without visible internal components). There might also be "systems" also treated as "things" (e.g. there is a single management interface for a thing composed internally of microservices). The main usage here is however "System Lifecycle" as distinguished from other lifecycles, and we have to make clear here that we are talking about separate interacting entities (directories, devices, etc). Suggest at least making an issue to define "System" formally: https://github.com/w3c/wot-architecture/issues/572
  7, 8: These need more text to explain them. These sections are new and related to some other issues currently under discussion: https://github.com/w3c/wot-architecture/issues/554
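The two review points about the "Bootstrapped" stage (identity is only one of several things that must be provisioned before a Thing may become operational) and about identity versus identifiers (one Thing, many identifiers) can be made concrete as a small state machine that refuses the Bootstrapped -> Operational transition until a provisioning checklist is complete. This is an added example written for this page, not WoT specification text or code from the wot-architecture or wot-security repositories. Only the state names Manufactured, Bootstrapped and Operational are taken from the review comments above; the checklist items, the `Identifier` record, the `Thing` class and the transition table are this example's own assumptions.

```python
"""Lifecycle gate: a Thing may leave Bootstrapped only once fully provisioned.

Added illustration (not WoT spec text or project code). State names follow the
review comments above; the checklist, Identifier/Thing types and the transition
table are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    MANUFACTURED = "Manufactured"
    BOOTSTRAPPED = "Bootstrapped"
    OPERATIONAL = "Operational"


# Allowed forward transitions (assumed subset; the real diagram has more states).
TRANSITIONS = {
    State.MANUFACTURED: {State.BOOTSTRAPPED},
    State.BOOTSTRAPPED: {State.OPERATIONAL},
    State.OPERATIONAL: set(),
}

# Everything that must be provisioned before Bootstrapped may be left.
# Identity/ownership is one item among several (review point 3), not the whole stage.
BOOTSTRAP_CHECKLIST = (
    "network_address",   # e.g. an IP address
    "application_name",  # naming information per application
    "configuration",     # non-security configuration items
    "identity",          # identity and ownership established
    "security_keys",     # credentials/keys provisioned
)


@dataclass(frozen=True)
class Identifier:
    """One identifier of a Thing; a Thing carries many (MAC, IP, app names)."""
    scheme: str  # "mac", "ip", "app"
    value: str


@dataclass
class Thing:
    owner: Optional[str] = None
    state: State = State.MANUFACTURED
    identifiers: set = field(default_factory=set)   # 1:n identity -> identifiers
    provisioned: set = field(default_factory=set)

    def provision(self, item: str, identifier: Optional[Identifier] = None) -> None:
        """Record one completed bootstrap substep, optionally with the identifier it yields."""
        if item not in BOOTSTRAP_CHECKLIST:
            raise ValueError(f"unknown provisioning item: {item}")
        self.provisioned.add(item)
        if identifier is not None:
            self.identifiers.add(identifier)

    def missing_for_operational(self) -> list:
        """Checklist items (plus owner) still outstanding before Operational is allowed."""
        missing = [item for item in BOOTSTRAP_CHECKLIST if item not in self.provisioned]
        if self.owner is None:
            missing.append("owner")
        return missing

    def transition(self, target: State) -> State:
        """Apply a lifecycle transition, gating Bootstrapped -> Operational on the checklist."""
        if target not in TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state.value} -> {target.value}")
        if self.state is State.BOOTSTRAPPED and target is State.OPERATIONAL:
            missing = self.missing_for_operational()
            if missing:
                raise ValueError(f"bootstrap incomplete, missing: {missing}")
        self.state = target
        return self.state


def demo() -> tuple:
    """Walk one Thing through the lifecycle.

    Returns (premature transition rejected?, identifier count, final state).
    The MAC, IP and application names are constructed sample values.
    """
    t = Thing(identifiers={Identifier("mac", "02:00:00:00:00:01")})  # assigned at manufacture
    t.transition(State.BOOTSTRAPPED)
    t.provision("identity")
    t.owner = "ops-team"
    rejected = False
    try:
        t.transition(State.OPERATIONAL)  # identity + owner alone is not enough
    except ValueError:
        rejected = True
    t.provision("network_address", Identifier("ip", "192.0.2.10"))
    t.provision("application_name", Identifier("app", "sensor-a"))
    t.provision("application_name", Identifier("app", "sensor-b"))  # n apps -> n names
    t.provision("configuration")
    t.provision("security_keys")
    return rejected, len(t.identifiers), t.transition(State.OPERATIONAL)
```

The gate lives in `transition`, so a caller cannot reach Operational by skipping Bootstrapped or by completing only the identity substep; `missing_for_operational` doubles as the "description of what the state must have done" that the comment above asks for.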
mmccool commented 1 year ago

We still have a lifecycle in the S&P Guidelines but perhaps it should be removed and just reference the lifecycle in Arch 1.1.