I share Martin's concerns here...

There's fairly extensive evidence of security vulnerabilities in
vehicular systems that can lead to serious safety issues (see:
http://www.autosec.org/publications.html), so more than usual
attention needs to be paid to security in this context.

In fairness, a lot of these are implementation security issues:
i.e., how to properly firewall off any network access from the
CAN bus. You really need to ensure that there's no way
to influence the CAN bus, which probably means some kind of
very strong one-way communications guarantee. At some level
these are out of scope for this group, but it's predictable
that if this technology is built, people will also implement
it in insecure ways, so in that respect it's very much in-scope.

The commuications security story also seems to be not well
fleshed out. The examples shown all seem to have fixed hostnames
(wwwivi/localhost) which don't really seem like the basis for
strong identity. It's not just enough to say, as in S 6, that
the server has to have a certificate; what are the properties of
that certificate? What identity does it have?

This is particularly concerning:

    At this point, internet based clients and servers do not know the
    dynamic IP address that was assigned to a specific vehicle. So
    normally, a vehicle has to connect to a well known endpoint,
    generally using a URL to connect to a V2X Server. The vehicle and
    the internet server typically mutually authenticate and the
    vehicle 'registers' with the server over an encrypted channel
    passing it a unique identifier e.g. its Vehicle Identification
    Number (VIN). From that point on, the server has the IP address
    that is currently assigned to a vehicle with a particular VIN, and
    can share this information with other internet based clients and
    servers, which are then able to send messages to the vehicle.

How does the V2X server know that this is actually my VIN? Just because
I claim it over an encrypted channel.

In IETF we often ask at the WG-forming stage whether we feel that the
community has the expertise to take on this work. The current proposal
seems to call that into question and absent some evidence that that
expertise does in fact exist, I believe we shoud oppose formation.


On Mon, Oct 17, 2016 at 5:11 PM, Martin Thomson <m...@mozilla.com> wrote:

> This seems to be a more specific instance of WoT.  As such, the goals
> are much clearer here.  While some of the concerns with the WoT
> charter apply (security in particular!), here are a few additional
> observations:
> Exposing the level of information that they claim to want to expose
> needs more privacy treatment than just a casual mention of the PIG.
> Websockets?  Protocol?  Both of these are red flags.  Protocol
> development is an entirely different game to APIs and the choice of
> websockets makes me question the judgment of the people involved.  Of
> particular concern is how the group intends to manage interactions
> with SOP.  Do they intend to allow the web at large to connect to
> parts of the car?  The security architecture is worrying in its lack
> of detail.
> If this proceeds, the naming choice (wwwivi) will have to change.  It
> is not OK to register a new GTLD (see
> https://tools.ietf.org/html/rfc6761).  A similar mistake was made
> recently in the IETF, and it was ugly. For people interested in the
> gory details, I can provide more details offline.
> On Tue, Oct 18, 2016 at 6:32 AM, L. David Baron <dba...@dbaron.org> wrote:
> > The W3C is proposing a new charter for:
> >
> >   Automotive Working Group
> >   https://lists.w3.org/Archives/Public/public-new-work/2016Oct/0003.html
> >   https://www.w3.org/2014/automotive/charter-2016.html
> >
> > Mozilla has the opportunity to send comments or objections through
> > Monday, November 7.  However, I hope to be able to complete the
> > comments by Tuesday, October 25.
> >
> > Please reply to this thread if you think there's something we should
> > say as part of this charter review, or if you think we should
> > support or oppose it.
> >
> > Note that this is a new working group.  I don't know of anyone from
> > Mozilla being involved in the discussions that led to this charter.
> >
> > -David
> >
> > --
> > π„ž   L. David Baron                         http://dbaron.org/   𝄂
> > 𝄒   Mozilla                          https://www.mozilla.org/   𝄂
> >              Before I built a wall I'd ask to know
> >              What I was walling in or walling out,
> >              And to whom I was like to give offense.
> >                - Robert Frost, Mending Wall (1914)
> >
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
> >
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
dev-platform mailing list

Reply via email to