Blog post -

The IETF #93 meeting is wrapping up and it was a great week

A very intensive Internet Engineering Task Force (IETF) week in Prague is just winding down. It has been a great week in warm and welcoming Prague. The IETF works on the specifications that together form the Internet, and IETF attendees meet three times a year to try to make the Internet, slowly but consistently, a better place. The gathering consists of quick presentations and long discussions in specialised working groups, and the end result is Internet standards that get adopted and implemented in our everyday Internet. We at neXus started the week a bit early to attend the very well organised IETF hackathon that was hosted the weekend before the IETF meeting. We have been working in the ACE (Authentication and Authorization for Constrained Environments) working group, which is building standards for secure authentication and authorization for IoT devices. The specifications we have been working on under ACE take existing identity and access management standards such as OAuth2, UMA, JOSE and OpenID Connect and bring them down to very small, constrained devices with intermittent network connectivity. We are committed to reusing the work the IETF and other standards bodies have produced over the years for authentication and authorization on the web and on unconstrained, connected devices, and to applying those same standards in the constrained world. The important thing about IoT is that it is actually a continuum between the large and the small world, and all of it needs to work together using the same type of technologies, so that we can connect the billions of devices that will come online in the upcoming years.
We did the hackathon together with a couple of people from ARM. We used the authentication and OAuth2 authorization engine in neXus Hybrid Access Gateway to issue signed tokens (JSON Web Tokens, JWT) to a phone app; the app then sent the JWT over Bluetooth Low Energy (BLE) down to a very constrained ARM mbed development board from Nordic Semiconductor, the nRF51822, which is built around an ARM Cortex-M0 processor. We produced the Android application and a new Bluetooth profile for sending OAuth2 bearer tokens over BLE, while our friends from ARM did all the low-level hacking and BLE connectivity on the constrained mbed device. It was a very enjoyable two days, and it became even more so when our hackathon work won the IETF hackathon's "Best of show" award.
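The token flow described above, reduced to code as an added example (it is not the hackathon code, nor neXus, ARM or IETF code): an authorization server mints a short-lived OAuth2 bearer token as a compact JWT, the phone splits it into BLE-sized writes, and the constrained device reassembles and validates it before acting on it. The page does not say which signature algorithm the hackathon used; HS256 with a pre-shared key is chosen here because it runs with the Python standard library (an asymmetric algorithm such as ES256 would need a JOSE library). The one-byte-header framing over 20-byte writes (the payload left by the default 23-byte ATT MTU), the key, the issuer URL and the device identifier are all assumptions for the example, not the profile built at the hackathon.

```python
"""Added example: OAuth2 bearer token as a JWT, framed over BLE, validated on the device."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not from the original post).
SHARED_KEY = b"constructed-demo-key-do-not-use-in-production"
ISSUER = "https://as.example"               # assumed authorization-server identity
DEVICE_ID = "urn:example:thermostat-42"     # assumed audience: the constrained device
BLE_WRITE_MAX = 20                          # payload per write at the default 23-byte ATT MTU


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, subject: str, scope: str, now: int, ttl: int = 300) -> str:
    """Authorization-server side: issue an HS256-signed JWT addressed to one device."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": DEVICE_ID,
              "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key: bytes, token: str, now: int, required_scope: str) -> dict:
    """Device side: accept only a correctly signed, unexpired token meant for us."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    # Pin the algorithm on the verifier; never let the token choose it ("alg": "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    # Constant-time compare so a byte-by-byte timing oracle cannot forge the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER or claims.get("aud") != DEVICE_ID:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims


def frame_for_ble(token: str) -> list:
    """Phone side: split the token into writes of at most BLE_WRITE_MAX bytes.
    Byte 0 carries the chunk index (low 7 bits) and a last-chunk flag (bit 7)."""
    data = token.encode("ascii")
    payload_max = BLE_WRITE_MAX - 1
    chunks = [data[i:i + payload_max] for i in range(0, len(data), payload_max)]
    return [bytes([(0x80 if i == len(chunks) - 1 else 0) | (i & 0x7F)]) + c
            for i, c in enumerate(chunks)]


def reassemble_ble(frames) -> str:
    """Device side: rebuild the token, rejecting lost or reordered writes."""
    out = bytearray()
    for expected_idx, frame in enumerate(frames):
        hdr = frame[0]
        if (hdr & 0x7F) != expected_idx:
            raise ValueError("out-of-order or missing BLE write")
        out += frame[1:]
        if hdr & 0x80:
            break
    else:
        raise ValueError("final chunk never arrived")
    return out.decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_token(SHARED_KEY, "alice", "unlock read", now)
    received = reassemble_ble(frame_for_ble(tok))
    print(verify_token(SHARED_KEY, received, now + 10, "unlock"))
```

The device checks signature, issuer, audience, expiry and scope in that order, and refuses tokens whose header names any other algorithm; the short `exp` is what makes a bearer token tolerable on a link where it can be sniffed, since a replayed token dies with it.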


The winning team in the middle consisting of Hannes Tschofenig from ARM and Erik Wahlström from neXus surrounded by the jury. Photo: © Stonehouse Photographic / Internet Society

On Monday the IETF week started for real. The newly proposed IRTF research group Thing-to-Thing (T2TRG) is a very exciting initiative, and a cookbook for constrained devices was proposed there. We think it will be a very good addition to the developer's toolbox when building constrained devices. The range of constraints and the mix of connectivity in the IoT world requires clear guidance, especially when it comes to authentication and authorization. It is not something you want to get wrong, and you want to build it into your IoT devices from the start.

The SCIM working group, which works on standards for life-cycle management of identities on the Internet, had an informal meeting to work out the next steps for the working group. neXus has been one of the core contributors to the specification since the first versions. We have now produced the very important APIs and schemas for resource types like Users and Groups that we set out to do almost four years ago, and the drafts are very close to becoming RFCs. They are waiting patiently in the RFC Editor's queue and will get their final write-up very shortly. We developed SCIM 1.0 and 1.1 outside the IETF; these new specifications, SCIM 2.0, are the first versions to come out of the IETF.

In the ACE working group meeting, we at neXus presented the OAuth2 and UMA for IoT draft documents that we have authored together with ARM and ForgeRock. They propose exactly the concepts we showed in the hackathon: using our existing technologies on IoT devices. A video recording of the presentation is available. We will continue to work on the problems defined by the ACE working group, with the end goal of securing the IoT world.

The OAuth2 working group had a very intense meeting, but the most important outcome is probably the new drafts on OAuth2 for native apps, which try to bring a good user experience and single sign-on to mobile apps. The new drafts move all authentication into the new in-app browser views on iOS and Android (Chrome Custom Tabs), which makes usability much better for end users and is considerably more secure, since the user's credentials are entered in a system browser component that the app cannot read or script, rather than in an embedded web view the app controls.

A new BOF (birds of a feather) was also held on the dreaded captive portals that show up every time you connect to a public Wi-Fi network and force you to log in or accept terms and conditions. This is something we have been waiting for for a long time. If it becomes a new IETF working group, it could produce a very welcome new way to bring any authentication method to the portals, and it could be used together with our RADIUS server.

Certificate provisioning is always a topic at the IETF. neXus Certificate Manager's broad support for different provisioning protocols still matches the standards support in Protocol Gateway, but new work has now started under the ACME working group on automated certificate enrolment for web servers. The current proposal is a REST-based API that lets a new web server authenticate and prove control of its domain in a much quicker and more automated way than is possible today. We also managed to catch up with the people at SICS, who are deeply involved in building the open source IoT operating system Contiki OS. We had long and interesting discussions about bringing key material, such as certificates and other types of keys, down to constrained devices. It is a topic that is usually out of scope for most documents because of its complexity, but I think we can have a good stab at getting the very important initial keying of devices working with neXus Certificate Manager.

The week also had some great presentations by Mozilla about the use of SSL and TLS on the Internet. It is becoming very clear that it is time to disable SSLv3 entirely and expose only TLS 1.2 from Internet-facing servers. The use of RSA for the TLS key exchange is also dropping rapidly in favour of elliptic-curve (ECDHE) key exchange, which also gives forward secrecy. That is the default setting on neXus Hybrid Access Gateway when protecting internal resources, and the TLS handshake in the gateway takes care of it for you if you use the reverse-proxying functionality. Elliptic curves are also heavily used by neXus Certificate Manager.

On the last evening of the IETF meeting, we were invited to attend the "Bits-N-Bites" exhibition at the IETF, where we got to showcase our hackathon work to the 1,400 IETF attendees. It was a very nice finish to the IETF week.

neXus presents results of hackathon

The next IETF meeting is in Yokohama, Japan, in November. Until then, it is time to return to the normal, non-face-to-face discussions on the mailing lists.

Topics

  • Data security

Categories

  • identity and access management
  • certificate manager

Regions

  • Stockholm

Contacts

Lars Pettersson

CEO +46 8 685 45 60

Related content