Re: [m2m-iwg] M3DA presentation - Security

Totally agree, Julien.  A bigger issue to me is the difficulty of implementing granular access controls with OAuth.  That makes it generally useless for any but the most trivial applications in the M2M space.

 

From: m2m-iwg-bounces@xxxxxxxxxxx [mailto:m2m-iwg-bounces@xxxxxxxxxxx] On Behalf Of Julien Vermillard
Sent: Tuesday, March 12, 2013 1:50 PM
To: m2m Industry Working Group
Subject: Re: [m2m-iwg] M3DA presentation - Security

 

OAuth is just an authorization/authentication scheme, it requires a secured communication channel (means SSL/TLS here) so it's doing much for securing your communication (confidentiality, integrity). And it's very HTTP dependent, I think it's not really something usable in the scope of a binary, low bandwidth, low complexity protocol.

 

On Tue, Mar 12, 2013 at 6:44 PM, Matteo Collina <matteo.collina@xxxxxxxxx> wrote:

Rick,

 

OAuth is also a means for authorizing identified clients to communicate with a server.

Upon that identification, the client might want to access some User resources.

The key is that's optional and application-dependent, e.g. on Twitter there is no need to authenticate users for making a search (https://dev.twitter.com/docs/api/1/get/search).

 

I think that if there is the User involved, then OAuth is clearly the way to go for securing the communications.

 

Cheers,


Matteo

 

2013/3/11 Rick Bullotta <rick.bullotta@xxxxxxxxxxxxx>

OAuth is primarily used as a permission proxy for an application accessing another application on behalf of a user. I think it is generally overly complex for many M2M device level scenarios.


On Mar 11, 2013, at 6:02 AM, "UOMo" <uomo@xxxxxxxxxxx> wrote:

Cuero/all,

 

Thanks for the information. I looked mainly at the security document for now, having reviewed and commented on other aspects earlier.

One question is, why the de facto standard OAuth 2 can't also be used for authentication here? It is a mechanism for API calls, not every call e.g. some of those infamous Twitter "bots" and similar services make are by a human actor either. And yet they use the same auth protocols and mechanisms there.

 

In fact, the AirLink team and product families are mentioned together with OAuth and M2M a lot, too, so it's not like Sierra or AirLink would not use it.

Aside from that, in the documentation of the current approach, username/password is presented as the only option. At the current (transport, smart container) client we have numerous cases, where SSH keys are preferred over exchanging username/password, even if those should be hashed or encrypted, there's always a risk of sniffing or tampering. At least the additional option of such keys should be offered.

 

Where devices allow, e.g. if they use a SIM card, Java Card or similar secure element, this Secure Element could also further improve security and Trust of M2M communications. When do you plan to add any of that?

 

Regards,

Werner

 

On Wed, Mar 6, 2013 at 6:00 PM, <m2m-iwg-request@xxxxxxxxxxx> wrote:


Today's Topics:

   1. Re: M3DA presentation (Ian Skerrett)
   2. Re: M3DA presentation (Cuero Bugot)


----------------------------------------------------------------------

Message: 1
Date: Wed, 6 Mar 2013 09:56:44 -0500
From: "Ian Skerrett" <ian.skerrett@xxxxxxxxxxx>
To: "'m2m Industry Working Group'" <m2m-iwg@xxxxxxxxxxx>
Subject: Re: [m2m-iwg] M3DA presentation
Message-ID: <01a801ce1a7a$d1dc2180$75946480$@eclipse.org>
Content-Type: text/plain; charset="iso-8859-1"

I think this would be a great idea.  I am definitely interested. Do you
have a link to M3DA information?



From: m2m-iwg-bounces@xxxxxxxxxxx [mailto:m2m-iwg-bounces@xxxxxxxxxxx] On
Behalf Of Cuero Bugot
Sent: March-06-13 9:42 AM
To: m2m Industry Working Group (m2m-iwg@xxxxxxxxxxx)
Subject: [m2m-iwg] M3DA presentation



Hi All,



It has been discussed on this list a couple of weeks ago. We'd like to do a
quick presentation on the M3DA protocol that we are proposing in the Mihini
project context.

If you are interested we could add it to the next weekly call agenda.



This would be the occasion to cover M3DA basics, and have an open discussion
and comparison with other existing protocols, specifically the ones
available in this working group.



Regards,

Cuero



Cuero Bugot  ::   Embedded R&D Manager



SIERRA WIRELESS  ::  AirLink Business Unit

Main  +33 (0)5 61 00 52 90  ::  Direct  +33 (0)5 61 00 06 53 ::  Mobile  +33
(0)7 61 79 01 45 ::  Fax  +33 (0)5 61 00 51 46

Lake Park - Zac de l'Hers - Allée du Lac - BP 87216  ::  31672 Labège Cedex,
France



cbugot@xxxxxxxxxxxxxxxxxx :: www.sierrawireless.com

__________________________________________________________________________



This message and any attachments (the "Message") are confidential and
intended solely

for the addressees. Any unauthorized modification, edition, use or
dissemination is prohibited.

Neither Sierra Wireless nor any of its subsidiaries shall be liable for the
Message if altered,

changed, falsified or edited, diffused without authorization.




------------------------------

Message: 2
Date: Wed, 6 Mar 2013 07:14:32 -0800
From: Cuero Bugot <cbugot@xxxxxxxxxxxxxxxxxx>
To: m2m Industry Working Group <m2m-iwg@xxxxxxxxxxx>
Subject: Re: [m2m-iwg] M3DA presentation
Message-ID:
        <9287D1909D3EEA4E92505D48604887E95E23C2D251@carmd-exchmb01.sierrawireless.local>

Content-Type: text/plain; charset="iso-8859-1"

Sorry I did not mention that a presentation was attached. And more importantly here is the link to the actual specification: http://wiki.eclipse.org/Mihini/M3DA_Specification

Thanks for catching this.

Cuero

From: m2m-iwg-bounces@xxxxxxxxxxx [mailto:m2m-iwg-bounces@xxxxxxxxxxx] On Behalf Of Ian Skerrett
Sent: Wednesday, March 6, 2013 15:57
To: 'm2m Industry Working Group'
Subject: Re: [m2m-iwg] M3DA presentation

I think this would be a great idea.  I am definitely interested. Do you have a link to M3DA information?

From: m2m-iwg-bounces@xxxxxxxxxxx [mailto:m2m-iwg-bounces@xxxxxxxxxxx] On Behalf Of Cuero Bugot
Sent: March-06-13 9:42 AM
To: m2m Industry Working Group (m2m-iwg@xxxxxxxxxxx)
Subject: [m2m-iwg] M3DA presentation

Hi All,

It has been discussed on this list a couple of weeks ago. We'd like to do a quick presentation on the M3DA protocol that we are proposing in the Mihini project context.
If you are interested we could add it to the next weekly call agenda.

This would be the occasion to cover M3DA basics, and have an open discussion and comparison with other existing protocols, specifically the ones available in this working group.

Regards,
Cuero

Cuero Bugot  ::   Embedded R&D Manager

SIERRA WIRELESS  ::  AirLink Business Unit
Main  +33 (0)5 61 00 52 90  ::  Direct  +33 (0)5 61 00 06 53 ::  Mobile  +33 (0)7 61 79 01 45 ::  Fax  +33 (0)5 61 00 51 46
Lake Park - Zac de l'Hers - Allée du Lac - BP 87216  ::  31672 Labège Cedex, France

cbugot@xxxxxxxxxxxxxxxxxx :: www.sierrawireless.com

------------------------------

_______________________________________________
m2m-iwg mailing list
m2m-iwg@xxxxxxxxxxx
http://dev.eclipse.org/mailman/listinfo/m2m-iwg


End of m2m-iwg Digest, Vol 17, Issue 5
**************************************
