Date   

Re: Intel EPID For Device Onboarding

Drasko DRASKOVIC
 

On Tue, Oct 31, 2017 at 2:16 PM, Gardner, Doug <Doug.Gardner@...> wrote:
Hello Drasko,

We have looked into EPID also. It is interesting if the customer is concerned about privacy (consumer). The issues with the system is you must get all your keys from Intel as they are the only EPID key provider today.
I actually understood that they pushed this as a open ISO standard, so
that everybody would be capable to implement both server side (key
production and storage) and device side SW.

They say in the paper:
"To help take Intel EPID adoption to the next level, Intel has
contributed Intel EPID technology to leading industry organizations
for certification. As a result, Intel EPID is now:
- An International Standards Organization standard for identity and
privacy (ISO/IEC 20008, 20009)
- A Trusted Computing Group (TCG) standard for attestation.
Intel has also made Intel EPID technology available to processor,
microcontroller, and device manufacturers as open source under the
Apache 2 license."

These are the standards they are mentioning:
https://www.iso.org/standard/57018.html and
https://www.iso.org/standard/50341.html.

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic


Re: Intel EPID For Device Onboarding

Zolfonoon, Riaz
 

At RSA, we have also looked into Intel SDO both jointly with Dell and separately before our merging. We came to the same conclusion as Jason mentioned. The solution solves a real need, but due to impact on the entire chain, from manufacturing to deployment, it will take time to gain traction in the market.

FYI, another option that RSA has looked into is FIDO and its attestation technique. Recently, FIDO formed a study group to explore the applicability and use cases for FIDO in IoT space. The objective was to explore if there are opportunities for FIDO to consider making the necessary changes to its specs to make them applicable to authentication of devices (in addition to today's focus which is user authentication). RSA was involved in this exercise. Among areas that the study group identified, one was FIDO attestation for IoT device onboarding. In this case, similar to EPID, silicon manufacturers need to engage as well, but the rest of the process is simpler than SDO. This work is still in progress and FIDO board is considering the recommendations from the study group.

I've also heard of some other proprietary methods discussed by vendors, but I'm not aware of any other standards. Does anyone know if OMA's LWM2M or other standards offer any secure onboarding solution that may already be implemented/deployed?

Riaz

Riaz Zolfonoon | Distinguished Engineer | RSA | www.rsa.com | o: +1 781-515-7168 | c: +1 617-283-4822

-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Jason.A.Shepherd@...
Sent: Tuesday, October 31, 2017 8:47 AM
To: drasko@...; edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Boran.Car@...
Subject: Re: [Edgex-tsc-security] Intel EPID For Device Onboarding

Dell - Internal Use - Confidential

Hi Drasko -

We actually aren't leveraging EPID on our gateway hardware today (just TPM) but are looking at it as part of the overall solution stack. FYI, the solution that Jennifer talks about in that video from about a year ago is Intel's Secure Device Onboard (SDO) which they just announced at Solutions World Congress: https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html

Simplifying how devices are securely on-boarded is definitely key for deployment scale, however the way these types of solutions typically address the issue is to push the problem up the supply chain. So, in order for them to work the manufacturer/OEM has to program a unique identifier into every device that leaves their factory which is a major undertaking. Considerations also have to be made in the channel as devices inevitably pass through multiple levels of ownership before hitting the end user. While all possible, this will only be attractive to lots of device makers if the solution is pervasive and therefore really valuable to their customers.

I believe the interoperability between sensors and applications facilitated by the EdgeX ecosystem is key to the success of this type of solution because it will make it worthwhile for OEMs to do the extra work. EdgeX could potentially also be used to federate various ecosystems for this type of onboarding.

In any event, simple and secure onboarding is a key market need and we'll want to make sure we address it one way or another. We're in the process of re-engaging with a number of the major silicon providers (including Intel) on the heels of the Barcelona release and this will be a point of discussion.

Would be good to make this a topic in an upcoming security working group meeting.

-Jason



-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Drasko DRASKOVIC
Sent: Tuesday, October 31, 2017 3:33 AM
To: edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Car, Boran <Boran.Car@...>
Subject: [Edgex-tsc-security] Intel EPID For Device Onboarding

HI all,
during the last f2f meeting in Barcelona, we mentioned problem of device onboarding, and problem of dedicating a distinctive asymmetric key to each device during manufacturing phase.

I was looking yesterday a video on edge security:
https://www.youtube.com/watch?v=A6KoS7CQaqs, and saw that there are already implementation of Intel's EPID
(https://en.wikipedia.org/wiki/Enhanced_privacy_ID) used on Dell's gateways.

On a very fast glance
(https://img.en25.com/Web/McAfeeE10BuildProduction/%7Ba6dd7393-63f8-4c08-b3aa-89923182a7e5%7D_EPID_Overview_Public_2016-02-08.pdf?elqTrackId=48387d7899274c7985c6ac808d6ecbac&elqaid=7811&elqat=2),
I like the idea of having one-to-many mapping of public-private keys, at least for two reasons:
1) It is easier to keep just one public on a server and not to have quaries each time a device onboards to find it's public key (although probably query for the group must be done) 2)You can keep anonymity on a group level


I was wondering - did anybody had experience with EPID before? I see that it is open standard, I saw even some Apache-2.0 device-side implementations (https://github.com/Intel-EPID-SDK/epid-sdk), but I was wondering how open it is and can it be useful for EdgeX case?

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic

_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security
_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security


Re: Intel EPID For Device Onboarding

Gardner, Doug
 

Hello Drasko,

We have looked into EPID also. It is interesting if the customer is concerned about privacy (consumer). The issues with the system is you must get all your keys from Intel as they are the only EPID key provider today. For the ICS use case, privacy is not a big driving factor and the complexity of the supply chain signing equipment at transfer points is not currently used. In general, we are monitoring EPID but have no plans to add it to our products and have no customers requesting EPID. Most of our customers want support for normal PKI certificates and PKI CA for identity management.

​​​​​
Thanks
Doug Gardner
doug.gardner@...
Office: 813.559.6617

-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Jason.A.Shepherd@...
Sent: Tuesday, October 31, 2017 8:47 AM
To: drasko@...; edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Boran.Car@...
Subject: Re: [Edgex-tsc-security] Intel EPID For Device Onboarding

Dell - Internal Use - Confidential

Hi Drasko -

We actually aren't leveraging EPID on our gateway hardware today (just TPM) but are looking at it as part of the overall solution stack. FYI, the solution that Jennifer talks about in that video from about a year ago is Intel's Secure Device Onboard (SDO) which they just announced at Solutions World Congress: https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html

Simplifying how devices are securely on-boarded is definitely key for deployment scale, however the way these types of solutions typically address the issue is to push the problem up the supply chain. So, in order for them to work the manufacturer/OEM has to program a unique identifier into every device that leaves their factory which is a major undertaking. Considerations also have to be made in the channel as devices inevitably pass through multiple levels of ownership before hitting the end user. While all possible, this will only be attractive to lots of device makers if the solution is pervasive and therefore really valuable to their customers.

I believe the interoperability between sensors and applications facilitated by the EdgeX ecosystem is key to the success of this type of solution because it will make it worthwhile for OEMs to do the extra work. EdgeX could potentially also be used to federate various ecosystems for this type of onboarding.

In any event, simple and secure onboarding is a key market need and we'll want to make sure we address it one way or another. We're in the process of re-engaging with a number of the major silicon providers (including Intel) on the heels of the Barcelona release and this will be a point of discussion.

Would be good to make this a topic in an upcoming security working group meeting.

-Jason



-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Drasko DRASKOVIC
Sent: Tuesday, October 31, 2017 3:33 AM
To: edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Car, Boran <Boran.Car@...>
Subject: [Edgex-tsc-security] Intel EPID For Device Onboarding

HI all,
during the last f2f meeting in Barcelona, we mentioned problem of device onboarding, and problem of dedicating a distinctive asymmetric key to each device during manufacturing phase.

I was looking yesterday a video on edge security:
https://www.youtube.com/watch?v=A6KoS7CQaqs, and saw that there are already implementation of Intel's EPID
(https://en.wikipedia.org/wiki/Enhanced_privacy_ID) used on Dell's gateways.

On a very fast glance
(https://img.en25.com/Web/McAfeeE10BuildProduction/%7Ba6dd7393-63f8-4c08-b3aa-89923182a7e5%7D_EPID_Overview_Public_2016-02-08.pdf?elqTrackId=48387d7899274c7985c6ac808d6ecbac&elqaid=7811&elqat=2),
I like the idea of having one-to-many mapping of public-private keys, at least for two reasons:
1) It is easier to keep just one public on a server and not to have quaries each time a device onboards to find it's public key (although probably query for the group must be done) 2)You can keep anonymity on a group level


I was wondering - did anybody had experience with EPID before? I see that it is open standard, I saw even some Apache-2.0 device-side implementations (https://github.com/Intel-EPID-SDK/epid-sdk), but I was wondering how open it is and can it be useful for EdgeX case?

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic

_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security
_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security


Re: Intel EPID For Device Onboarding

Shepherd, Jason A
 

Dell - Internal Use - Confidential

Hi Drasko -

We actually aren't leveraging EPID on our gateway hardware today (just TPM) but are looking at it as part of the overall solution stack. FYI, the solution that Jennifer talks about in that video from about a year ago is Intel's Secure Device Onboard (SDO) which they just announced at Solutions World Congress: https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html

Simplifying how devices are securely on-boarded is definitely key for deployment scale, however the way these types of solutions typically address the issue is to push the problem up the supply chain. So, in order for them to work the manufacturer/OEM has to program a unique identifier into every device that leaves their factory which is a major undertaking. Considerations also have to be made in the channel as devices inevitably pass through multiple levels of ownership before hitting the end user. While all possible, this will only be attractive to lots of device makers if the solution is pervasive and therefore really valuable to their customers.

I believe the interoperability between sensors and applications facilitated by the EdgeX ecosystem is key to the success of this type of solution because it will make it worthwhile for OEMs to do the extra work. EdgeX could potentially also be used to federate various ecosystems for this type of onboarding.

In any event, simple and secure onboarding is a key market need and we'll want to make sure we address it one way or another. We're in the process of re-engaging with a number of the major silicon providers (including Intel) on the heels of the Barcelona release and this will be a point of discussion.

Would be good to make this a topic in an upcoming security working group meeting.

-Jason

-----Original Message-----
From: edgex-tsc-security-bounces@... [mailto:edgex-tsc-security-bounces@...] On Behalf Of Drasko DRASKOVIC
Sent: Tuesday, October 31, 2017 3:33 AM
To: edgex-tsc-security@...; edgex-tsc-systems-mgmt@...; edgex-devel@...; Car, Boran <Boran.Car@...>
Subject: [Edgex-tsc-security] Intel EPID For Device Onboarding

HI all,
during the last f2f meeting in Barcelona, we mentioned problem of
device onboarding, and problem of dedicating a distinctive asymmetric
key to each device during manufacturing phase.

I was looking yesterday a video on edge security:
https://www.youtube.com/watch?v=A6KoS7CQaqs, and saw that there are
already implementation of Intel's EPID
(https://en.wikipedia.org/wiki/Enhanced_privacy_ID) used on Dell's
gateways.

On a very fast glance
(https://img.en25.com/Web/McAfeeE10BuildProduction/%7Ba6dd7393-63f8-4c08-b3aa-89923182a7e5%7D_EPID_Overview_Public_2016-02-08.pdf?elqTrackId=48387d7899274c7985c6ac808d6ecbac&elqaid=7811&elqat=2),
I like the idea of having one-to-many mapping of public-private keys,
at least for two reasons:
1) It is easier to keep just one public on a server and not to have
quaries each time a device onboards to find it's public key (although
probably query for the group must be done)
2)You can keep anonymity on a group level


I was wondering - did anybody had experience with EPID before? I see
that it is open standard, I saw even some Apache-2.0 device-side
implementations (https://github.com/Intel-EPID-SDK/epid-sdk), but I
was wondering how open it is and can it be useful for EdgeX case?

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic

_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security


Intel EPID For Device Onboarding

Drasko DRASKOVIC
 

HI all,
during the last f2f meeting in Barcelona, we mentioned problem of
device onboarding, and problem of dedicating a distinctive asymmetric
key to each device during manufacturing phase.

I was looking yesterday a video on edge security:
https://www.youtube.com/watch?v=A6KoS7CQaqs, and saw that there are
already implementation of Intel's EPID
(https://en.wikipedia.org/wiki/Enhanced_privacy_ID) used on Dell's
gateways.

On a very fast glance
(https://img.en25.com/Web/McAfeeE10BuildProduction/%7Ba6dd7393-63f8-4c08-b3aa-89923182a7e5%7D_EPID_Overview_Public_2016-02-08.pdf?elqTrackId=48387d7899274c7985c6ac808d6ecbac&elqaid=7811&elqat=2),
I like the idea of having one-to-many mapping of public-private keys,
at least for two reasons:
1) It is easier to keep just one public on a server and not to have
quaries each time a device onboards to find it's public key (although
probably query for the group must be done)
2)You can keep anonymity on a group level


I was wondering - did anybody had experience with EPID before? I see
that it is open standard, I saw even some Apache-2.0 device-side
implementations (https://github.com/Intel-EPID-SDK/epid-sdk), but I
was wondering how open it is and can it be useful for EdgeX case?

Best regards,
Drasko DRASKOVIC
Mainflux Author and Technical Advisor

www.mainflux.com | Industrial IoT Cloud
-------------------------------------------------------------------
Engineering Division | Paris, France

LinkedIn: https://www.linkedin.com/in/draskodraskovic
Twitter: @draskodraskovic


Updated invitation: EdgeX: Security Working Group - Weekly Call @ Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

This event has been changed.

Changed: EdgeX: Security Working Group - Weekly Call

When
Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 Pacific Time
Where
https://zoom.us/j/576218946 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Hi there,

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
+1 855 880 1246 (US Toll Free)
+1 877 369 0926 (US Toll Free)
Meeting ID: 576 218 946
International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx

Going?   All events in this series:   Yes - Maybe - No    more options »

Invitation from Google Calendar

You are receiving this courtesy email at the account edgex-tsc-security@... because you are an attendee of this event.

To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.

Forwarding this invitation could allow any recipient to modify your RSVP response. Learn More.


Canceled event: EdgeX: Security + Systems Mgmt Working Group - Weekly Call @ Wed Oct 4, 2017 8am - 9am (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

This event has been canceled and removed from your calendar.

EdgeX: Security + Systems Mgmt Working Group - Weekly Call

When
Wed Oct 4, 2017 8am – 9am Pacific Time
Where
https://zoom.us/j/576218946 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Hi there,

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
+1 855 880 1246 (US Toll Free)
+1 877 369 0926 (US Toll Free)
Meeting ID: 576 218 946
International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx

Invitation from Google Calendar

You are receiving this courtesy email at the account edgex-tsc-security@... because you are an attendee of this event.

To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.

Forwarding this invitation could allow any recipient to modify your RSVP response. Learn More.


Re: EdgeX: Security + Systems Mgmt F2F Meeting in Palo Alto [RSVP requested]

Gabriella Poczo
 

Hi Brett,

I will be there in person.

Looking forward to meeting everyone.

Best,
-gabriella

________________________
Gabriella Poczo
Chief Product Officer
Sixgill, LLC
312 Arizona Ave
Santa Monica, CA 90401
gpoczo@...
Mobile: 424.291.2264
www.sixgill.com




On Aug 24, 2017, at 7:34 AM, Brett Preston <bpreston@...> wrote:

A reminder to please let us know if you plan on participating in the Security/Systems Mgmt WG F2F meeting next week.

Would also be good to capture those who plan on dialing in, so we can gage projected participation both in-person as well as on-line.

Thank you,


Brett


On Mon, Aug 21, 2017 at 9:07 AM, Brett Preston <bpreston@...> wrote:
Members of the EdgeX Security + Systems Management mail lists,

As discussed over email and during last call(s), the group will be meeting face-to-face in Palo Alto on August 29 + August 30 at the VMware campus.

Those planning to attend in person are required to RSVP in advance of the meeting.

So that we may accurately gage participation both in-person, as well as dial-in, please reply directly to me indicating if you will be attending (and planned in-person or dial-in).

Responses requested by EOD Wednesday, August 23.


Thank you,


Brett

--
Brett Preston
The Linux Foundation

Skype: bprestoncf



--
Brett Preston
The Linux Foundation

Skype: bprestoncf
_______________________________________________
EdgeX-TSC-Security mailing list
EdgeX-TSC-Security@...
https://lists.edgexfoundry.org/mailman/listinfo/edgex-tsc-security


Re: EdgeX: Security + Systems Mgmt F2F Meeting in Palo Alto [RSVP requested]

Brett Preston
 

A reminder to please let us know if you plan on participating in the Security/Systems Mgmt WG F2F meeting next week.

Would also be good to capture those who plan on dialing in, so we can gage projected participation both in-person as well as on-line.

Thank you,


Brett


On Mon, Aug 21, 2017 at 9:07 AM, Brett Preston <bpreston@...> wrote:
Members of the EdgeX Security + Systems Management mail lists,

As discussed over email and during last call(s), the group will be meeting face-to-face in Palo Alto on August 29 + August 30 at the VMware campus.

Those planning to attend in person are required to RSVP in advance of the meeting.

So that we may accurately gage participation both in-person, as well as dial-in, please reply directly to me indicating if you will be attending (and planned in-person or dial-in).

Responses requested by EOD Wednesday, August 23.


Thank you,


Brett

--
Brett Preston
The Linux Foundation

Skype: bprestoncf



--
Brett Preston
The Linux Foundation

Skype: bprestoncf


Canceled Event: EdgeX: Security + Systems Mgmt Working Group - Weekly Call @ Wed Aug 30, 2017 8am - 9am (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

This event has been canceled and removed from your calendar.

EdgeX: Security + Systems Mgmt Working Group - Weekly Call

When
Wed Aug 30, 2017 8am – 9am Pacific Time
Where
https://zoom.us/j/576218946 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Hi there,

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
+1 855 880 1246 (US Toll Free)
+1 877 369 0926 (US Toll Free)
Meeting ID: 576 218 946
International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx

Invitation from Google Calendar

You are receiving this courtesy email at the account edgex-tsc-security@... because you are an attendee of this event.

To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.

Forwarding this invitation could allow any recipient to modify your RSVP response. Learn More.


EdgeX: Security + Systems Mgmt F2F Meeting in Palo Alto [RSVP requested]

Brett Preston
 

Members of the EdgeX Security + Systems Management mail lists,

As discussed over email and during last call(s), the group will be meeting face-to-face in Palo Alto on August 29 + August 30 at the VMware campus.

Those planning to attend in person are required to RSVP in advance of the meeting.

So that we may accurately gage participation both in-person, as well as dial-in, please reply directly to me indicating if you will be attending (and planned in-person or dial-in).

Responses requested by EOD Wednesday, August 23.


Thank you,


Brett

--
Brett Preston
The Linux Foundation
+1 (971) 303-9030
bpreston@...

Google Talk: bpreston@...
Skype: bprestoncf


OS and platform security

Stuart Yoder
 

All,

To follow up in writing with my comments on the call today...

In addition to the northbound and southbound interfaces there should be a statement about what assumptions and/or requirements there are with respect to the OS and hardware platform security.

The hardware platform is the system hardware, firmware, bootloaders.  The hardware platform security would include things like hardware root-of-trust, secure boot, secure storage for secrets, and hardware-based attestation mechanisms.  The OS would provide security interfaces based on those mechanisms.

What assumptions, if any, will EdgeX have about the underlying OS and system it is running on?

Potential places where EdgeX may intersect with hardware platform security:
  • How will the EdgeX stack know if it is running on a system with a compromised OS or firmware?
  • Will there be attestation requests from the northbound direction that the EdgeX system must reply to?  How will that be done and what OS and hardware platform security support is needed?
  • Is there data that EdgeX must sign?  If so, where are the keys kept?  Is secure storage needed?
Last week Tony pointed out that there will be systems running EdgeX without a hardware root of trust.  It may be that some kind of differentiation is needed between systems that are fully secure (with a hardware root of trust) and ones that are not.  Perhaps there should be 'secure' and 'non-secure' profiles.

In the end the security of the software stack is only going to be as good as the security of the platform it is running on.

Thanks,
Stuart Yoder
System Architect, ARM


Invitation: EdgeX: Security + Systems Management WGs Face-to-Face Mee... @ Wed Aug 30, 2017 8:30am - 5pm (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

EdgeX: Security + Systems Management WGs Face-to-Face Meeting - Day 2

When
Wed Aug 30, 2017 8:30am – 5pm Pacific Time
Where
https://zoom.us/j/952399945 + VMware Campus, 3401 Hillview Ave, Palo Alto, CA 94304 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Meeting Location:
VMware Campus, 3401 Hillview Ave, Palo Alto, CA 94304

*** Those attending in person are requested to RSVP to info@... by Tuesday, August 22

---

Dial-in information:

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/952399945

Or iPhone one-tap (US Toll): +16699006833,,952399945# or +14086380968,,952399945#

Or Telephone:
Dial: +1 669 900 6833 (US Toll) or +1 408 638 0968 (US Toll)
+1 877 369 0926 (US Toll Free)
+1 877 853 5247 (US Toll Free)
Meeting ID: 952 399 945
International numbers available: https://zoom.us/zoomconference?m=yxE3KCUn8FfqFQS4r375TS2mrjjwalqx

-----

Agenda (will be kept up to date on https://wiki.edgexfoundry.org/display/FA/29+and+30+August+2017%3A+Palo+Alto%2C+CA)

Tuesday Aug 29
•Noon (PDT): Arrival and Check-in. Lunch is available in the VMWare cafeteria in the building
•1:00 PM (PDT): Meeting Start
•3:00 PM (PDT: Coffee/Dessert break
•5:00 PM (PDT): Meeting End
•6:30 PM (PDT): Security Team Dinner (location TBD)

Wednesday Aug 30
•8:00 AM (PDT): Arrival with Breakfast and Coffee
•8:30 AM (PDT): Meeting Start
•Noon (PDT): Lunch at the VMWare cafeteria
•3:00 PM (PDT): Coffee/Dessert break
•5:00 PM (PDT): Meeting End
•6:30 PM (PDT): Optional Security Team Dinner (location TBD)

Going?   Yes - Maybe - No    more options »

Invitation from Google Calendar

You are receiving this courtesy email at the account edgex-tsc-security@... because you are an attendee of this event.

To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.

Forwarding this invitation could allow any recipient to modify your RSVP response. Learn More.


Invitation: EdgeX: Security + Systems Management WGs Face-to-Face Mee... @ Tue Aug 29, 2017 1pm - 5pm (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

EdgeX: Security + Systems Management WGs Face-to-Face Meeting - Day 1

When
Tue Aug 29, 2017 1pm – 5pm Pacific Time
Where
https://zoom.us/j/149670643 + VMware Campus, 3401 Hillview Ave, Palo Alto, CA 94304 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Meeting Location:
VMware Campus, 3401 Hillview Ave, Palo Alto, CA 94304

*** Those attending in person are requested to RSVP to info@... by Tuesday, August 22

---

Dial-in information:

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/149670643

Or iPhone one-tap (US Toll): +16465588656,,149670643# or +16468769923,,149670643#

Or Telephone:
Dial: +1 646 558 8656 (US Toll) or +1 646 876 9923 (US Toll)
+1 877 369 0926 (US Toll Free)
+1 877 853 5247 (US Toll Free)
Meeting ID: 149 670 643
International numbers available: https://zoom.us/zoomconference?m=jO01DqEGq35hMoUYoos-UgD2jb9se5Bi

-----

Agenda (will be kept up to date on https://wiki.edgexfoundry.org/display/FA/29+and+30+August+2017%3A+Palo+Alto%2C+CA)

Tuesday Aug 29
•Noon (PDT): Arrival and Check-in. Lunch is available in the VMWare cafeteria in the building
•1:00 PM (PDT): Meeting Start
•3:00 PM (PDT: Coffee/Dessert break
•5:00 PM (PDT): Meeting End
•6:30 PM (PDT): Security Team Dinner (location TBD)

Wednesday Aug 30
•8:00 AM (PDT): Arrival with Breakfast and Coffee
•8:30 AM (PDT): Meeting Start
•Noon (PDT): Lunch at the VMWare cafeteria
•3:00 PM (PDT): Coffee/Dessert break
•5:00 PM (PDT): Meeting End
•6:30 PM (PDT): Optional Security Team Dinner (location TBD)

Going?   Yes - Maybe - No    more options »

Invitation from Google Calendar

You are receiving this courtesy email at the account edgex-tsc-security@... because you are an attendee of this event.

To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.

Forwarding this invitation could allow any recipient to modify your RSVP response. Learn More.


Re: EdgeX: Security WG - Weekly call

Brett Preston
 

+ extending scope of call to the Systems Mgmt Working Group as well

*** A reminder, if anyone is not showing the call on their calendars (starting at 8am PDT today), just send me a direct email and I can add your email address directly to the meeting invitation series.

Thank you,


Brett

On Thu, Aug 10, 2017 at 3:57 PM, Brett Preston <bpreston@...> wrote:
Members of the EdgeX Security WG mail list,

Weekly call has been scheduled and meeting invite sent to the mail list.

If you are unable to easily add to your calendar client, please send me a direct email and I can add you individually to the recurring meeting series.

Thank you,


Brett

--
Brett Preston
The Linux Foundation

Skype: bprestoncf



--
Brett Preston
The Linux Foundation
+1 (971) 303-9030
bpreston@...

Google Talk: bpreston@...
Skype: bprestoncf


Updated Invitation: EdgeX: Security + Systems Mgmt Working Group - Weekly Call @ Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

This event has been changed.

Changed: EdgeX: Security + Systems Mgmt Working Group - Weekly Call

When
Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 Pacific Time
Where
https://zoom.us/j/576218946 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Hi there,

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
+1 855 880 1246 (US Toll Free)
+1 877 369 0926 (US Toll Free)
Meeting ID: 576 218 946
International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx

Going?   All events in this series:   Yes - Maybe - No    more options »

Invitation from Google Calendar

You are receiving this courtesy email at the account edgex-tsc-security@... because you are an attendee of this event.

To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.

Forwarding this invitation could allow any recipient to modify your RSVP response. Learn More.


EdgeX: Security WG - Weekly call

Brett Preston
 

Members of the EdgeX Security WG mail list,

Weekly call has been scheduled and meeting invite sent to the mail list.

If you are unable to easily add to your calendar client, please send me a direct email and I can add you individually to the recurring meeting series.

Thank you,


Brett

--
Brett Preston
The Linux Foundation
+1 (971) 303-9030
bpreston@...

Google Talk: bpreston@...
Skype: bprestoncf


Invitation: EdgeX: Security Working Group - Weekly Call @ Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 (PDT) (edgex-tsc-security@lists.edgexfoundry.org)

Brett Preston
 

EdgeX: Security Working Group - Weekly Call

When
Weekly from 8am to 9am on Wednesday from Wed Aug 16 to Wed Dec 27 Pacific Time
Where
https://zoom.us/j/576218946 (map)
Calendar
edgex-tsc-security@...
Who
(Guest list has been hidden at organizer's request)
Hi there,

EdgeX Working Group 2 is inviting you to a scheduled Zoom meeting.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/576218946

Or iPhone one-tap (US Toll): +14086380968,,576218946# or +16465588656,,576218946#

Or Telephone:
Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
+1 855 880 1246 (US Toll Free)
+1 877 369 0926 (US Toll Free)
Meeting ID: 576 218 946
International numbers available: https://zoom.us/zoomconference?m=t6UX5OTIE0SFrIk-9MMnBPbFjE3dZ_xx

Going?   All events in this series:   Yes - Maybe - No    more options »

Invitation from Google Calendar

You are receiving this courtesy email at the account edgex-tsc-security@... because you are an attendee of this event.

To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.

Forwarding this invitation could allow any recipient to modify your RSVP response. Learn More.


EdgeX Security WG Team: suggestions for next steps (California)

Alain Pulluelo
 

Hi All,

In the same effort to jumpstart progress on the several deliverables that the Security WG team will soon agree/define, you’ll find a PDF file attached to this email. This is a recap of suggestions and discussion starting points in order to formalize ideas, directions, areas of interest and mandatory topics for the next steps. This non exhaustive document should help us to define requirements, and execute subsequent approved tasks to deliver security features for the California release milestone. 

I understand some of you might not have time to review it before our scheduled call tomorrow, but this is food for thoughts for our next meetings (calls and F2F) and we’ll be happy David and me to eventually answer questions and comments to refine this document.

Thanks,
//Alain

-- 

Alain Pulluelo

VP Security & Mobile Innovation

ForgeRock Office of the CTO

email: alain.pulluelo@... || PGP Key ID: 0xA222597C



EdgeX Working Group 2's Zoom Meeting

Gardner, Doug
 

Hi there,
 
EdgeX Working Group 2 (Security Working Group)  is inviting you to a scheduled Zoom meeting.
 
Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/377792838
 
Or iPhone one-tap (US Toll):  +14086380968,,377792838# or +16465588656,,377792838#
 
Or Telephone:
    Dial: +1 408 638 0968 (US Toll) or +1 646 558 8656 (US Toll)
    +1 855 880 1246 (US Toll Free)
    +1 877 369 0926 (US Toll Free)
    Meeting ID: 377 792 838