I guess the problem is that this document is NOT targeted to CPEs:
In principle these requirements apply to all hosts that connect to
the Internet, but this list of requirements is specifically
targeted at devices that are constrained in their capabilities,
more than general-purpose programmable hosts (PCs, servers,
laptops, tablets, etc.), routers, middleboxes, etc. While this is
a fuzzy boundary, it reflects the current understanding of IoT. A
more detailed treatment of some of the constraints of IoT devices
can be found in [RFC7228].
Not sure if we want a separate document, as it seems to me that the
requirements are very close, or we may need to reword the text above a bit to
make it clearer, etc.
Also is BCP the way if we want authorities to mandate it?
Regards,
Jordi
-----Original Message-----
From: homenet <[email protected]> on behalf of Tim Chown
<[email protected]>
Reply-To: <[email protected]>
Date: Friday, 4 November 2016, 12:43
To: "[email protected]" <[email protected]>
CC: "[email protected]" <[email protected]>, Keith Moore
<[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [homenet] write up of time without clocks
Hi,
On 4 Nov 2016, at 08:34, JORDI PALET MARTINEZ <[email protected]>
wrote:
Exactly. Same as we have regulations like UL, FCC, EC, etc., the same
certifications must care about a minimum set of security, upgradeability, etc.,
features.
So the extra cost for the vendors is almost zero if we are talking about
the same certification entities, just new tests added to the actual sets.
If you don’t comply with the certification, your products will not be accepted
in customs from a very high number of countries, so you will be somehow forced
to follow them.
The question here, is homenet the right venue for creating those minimum
requirements?
Perhaps contribute to draft-moore-iot-security-bcp-00?
See https://tools.ietf.org/html/draft-moore-iot-security-bcp-00
This was submitted at the Seoul deadline. Authors copied.
Tim
Regards,
Jordi
-----Original Message-----
From: homenet <[email protected]> on behalf of "STARK, BARBARA H"
<[email protected]>
Reply-To: <[email protected]>
Date: Thursday, 3 November 2016, 21:19
To: Markus Stenberg <[email protected]>, Brian E Carpenter
<[email protected]>
CC: Philip Homburg <[email protected]>, "[email protected]"
<[email protected]>, Juliusz Chroboczek
<[email protected]>
Subject: Re: [homenet] write up of time without clocks
Yes, I agree it's possible to do better, but what's the incentive for
a bottom-feeding vendor of cheap devices to bother?
I hate to say this, but how about legal solutions?
My reading of the tea leaves: either the industry creates its own
certification plan, or the regulators will do it for us.
Here is a data point:
https://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/
In the US, both the FCC and FTC are showing keen interest.
I'd rather the industry get there first.
And, BTW, it's also been suggested that devices list their "end of life"
date when they're sold. After which no updates may be provided. And a
remotely-triggered "kill switch" may be used if a bad vulnerability is
discovered after that date.
Another recommendation is default passwords be unique per device, and
not easily determined from MAC address, firmware revision, etc., and be
changeable.
That is, it's not just about upgradability. It is also passwords,
encryption, and messaging/promises/guarantees that are made.
Just like cars now have seatbelts, front and side airbags, crumple
zones, and lemon laws.
There are a number of industry whitepapers coming out on this topic, and
conferences/meetings being held. It's all the rage right now.
Barbara
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company
This electronic message contains information which may be privileged or
confidential. The information is intended to be for the use of the
individual(s) named above. If you are not the intended recipient be aware that
any disclosure, copying, distribution or
use of the contents of this information, including attached files, is
prohibited.