Q&A Identity & Internet of Things

Version: 0.0406


Archives of this paper: http://kantarainitiative.org/confluence/display/IDoT/Concepts+of+Identity+within+the+Internet+of+Things

...

Abstract

The purpose of this page is to describe identity concepts in the Internet of Things. Identity mechanisms in the Internet of Things differ from those in the classic web.
Furthermore, this page proposes a terminology for identity management in the Internet of Things. This should facilitate discussions and work in this area without the need to define basic terms again.

Introduction

The “Internet of Things” (IoT) is beginning to evolve and early solutions are now being implemented. We can find implementations in areas like logistics, farming, industry, home automation and many others. But its restrictions become obvious as we try to connect solutions of different vendors, communities or standards groups. From a business point of view the IoT enables a plethora of new opportunities, use cases and scenarios. From a technical point of view the IoT consists of countless devices, sensors, actuators or simply objects connected to services in the Internet. Today, devices and sensors speak a lot of different protocols, but most of them are not HTTP. That is why application development in the IoT is hard: there is a lack of decent application integration layers. The next logical step is to use common Web technologies for the IoT. Identity management is one of the most important of these common technologies. Apart from adapting communication protocols, an overarching identity framework is crucial for a growing IoT. Today we have many separate solutions and niche standards. As a consequence, there is no overall framework for how to recognize and manage identities across different solutions. That is why we decided to found a discussion group called “IDentities of Things” within Kantara Initiative.

After five years' work in the Identity of Things discussion group and the analysis of various standards, projects and activities, we would like to summarize our thoughts here. Below is a collection of questions that came up during our work, meetings, conferences and discussions.

Do we need a special identifier, or is there already an “Identifier for the Internet of Things”?

There are many standards, protocols and solutions in the area of IoT. There is, and most likely will be, no single kind of identifier. Identifier mapping and discovery therefore become important services of larger IoT deployments. Let's give an example: a street lamp might have a field bus address consisting of 2 bytes. It is connected to a gateway. Within the gateway the lamp is mapped to "lamp 123". A lamp management system can switch "lamp 123" on and off. Via a REST interface the lamp management system exposes the lamp, for example, as a oneM2M "application entity", so other management systems can switch the lamp by sending messages to a specific oneM2M URL. In this example a thing (the lamp) is identified by different identifiers that are mapped to each other.

Policy controlled mapping

The mapping process consists of several steps, and every step can be controlled by access policies. This way it is possible to control whether an identifier is visible or not, i.e. who can "see" a certain thing and who cannot. In our example the policy check could be implemented in the lamp management system or in the REST API.

Mapping and discovery mechanisms and DNS

In most cases DNS (Domain Name Service) can't be used directly. DNS was designed to map between IP addresses and human-readable domain names. DNS is not able to handle identifiers from the various IoT protocols, and it is also not possible to propagate changes in a very short time. But DNS has an outstanding governance process that ensures unique identifiers, so DNS is at least part of most mapping processes. In our example DNS might be used to find the company domain of the lamp management system or the address of the REST API.



What is special about identities in the Internet of Things? (a loose collection of special topics in IdM in IoT....)

Addresses are not Identifiers

There is a fundamental difference between the addresses and the identifiers of devices. Addresses determine the communication endpoint within a certain system. For example, in the Internet Protocol an IP address is needed to establish a socket, a connection between devices. While an address is unique at a given point in time, addresses need not be permanent. A device can have its address changed. A new device can take on the address of a previous device. And a device can have more than one IP address.

...

There are several advantages in separating addresses and identifiers. Incorporating identifiers as a layer of indirection between the address and those seeking to access the address has several benefits. First, it may be easier to remember the identifier www.telekom.com than a lengthy address. Second, this layer of indirection allows the address of the device to be changed without losing the ability to access it. The DNS mapping merely needs to be updated to reflect this change. In this way, a user seeking to access www.telekom.com just needs to remember the identifier and the DNS mapping will automatically reroute the user to the proper address. This becomes particularly important if the location is accessed from within a program, because it obviates the need to update the software every time the address changes. Additionally, this layer of indirection enables many-to-one configurations where several different identifiers point to a single address. The address is only resolved when a certain condition is fulfilled. The preceding statement needs further clarification.
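The street-lamp mapping chain from the Q&A above (2-byte field bus address, gateway-local name, oneM2M-style application entity), the policy-controlled mapping, and the address/identifier indirection discussed here, as an added Python example that is not part of the original paper. All identifiers, addresses and principal names in it are constructed; the "ae/..." identifiers are a stand-in for oneM2M application entity names, not real oneM2M resource identifiers.

```python
from dataclasses import dataclass


@dataclass
class MappingLayer:
    """One step of the identifier mapping chain, guarded by an access policy.

    `table` maps an identifier at this layer to the identifier (or address)
    used by the next layer; `allowed` lists the principals that may resolve
    through this layer and therefore "see" the next identifier.
    """
    name: str
    table: dict
    allowed: frozenset

    def resolve(self, identifier, principal):
        # Policy check first: a denied principal learns nothing about the next layer.
        if principal not in self.allowed:
            raise PermissionError(f"{principal!r} may not resolve through {self.name}")
        if identifier not in self.table:
            raise LookupError(f"{identifier!r} unknown at layer {self.name}")
        return self.table[identifier]


class Resolver:
    """Chains mapping layers from the outermost identifier down to the address."""

    def __init__(self, layers):
        self.layers = list(layers)

    def resolve(self, identifier, principal):
        """Return the final address, or raise if a policy check fails on the way."""
        current = identifier
        for layer in self.layers:
            current = layer.resolve(current, principal)
        return current

    def visible_chain(self, identifier, principal):
        """Return every identifier the principal may see, outermost first,
        stopping at the first layer whose policy denies the principal."""
        chain = [identifier]
        for layer in self.layers:
            try:
                chain.append(layer.resolve(chain[-1], principal))
            except PermissionError:
                break
        return chain

    def rebind(self, layer_name, identifier, target):
        """Point an identifier at a new target (e.g. a replaced lamp with a new
        field bus address) without touching the identifiers above it."""
        for layer in self.layers:
            if layer.name == layer_name:
                layer.table[identifier] = target
                return
        raise LookupError(f"no layer named {layer_name!r}")


def build_example_resolver():
    """Constructed data for the street-lamp scenario (all values are made up)."""
    management = MappingLayer(
        name="lamp-management",
        # application entity identifiers -> gateway-local names; two entities
        # deliberately point at the same lamp (many-to-one indirection)
        table={"ae/lamp123": "lamp 123", "ae/north-entrance-lamp": "lamp 123"},
        allowed=frozenset({"city_ops", "maintenance"}),
    )
    gateway = MappingLayer(
        name="gateway",
        # gateway-local name -> 2-byte field bus address
        table={"lamp 123": b"\x01\x7b"},
        # only maintenance staff may see raw bus addresses
        allowed=frozenset({"maintenance"}),
    )
    return Resolver([management, gateway])


if __name__ == "__main__":
    resolver = build_example_resolver()
    print(resolver.visible_chain("ae/lamp123", "city_ops"))      # stops at gateway
    print(resolver.resolve("ae/lamp123", "maintenance"))         # b'\x01{'
    resolver.rebind("gateway", "lamp 123", b"\x02\x01")          # lamp replaced
    print(resolver.resolve("ae/lamp123", "maintenance"))         # client id unchanged
```

Clients only ever hold the outermost identifier; when the lamp hardware is replaced, `rebind` changes the gateway table and no client has to be updated, which is the indirection argument above. The per-layer policy shows the visibility point: an operator can see that "ae/lamp123" exists, but the raw bus address stays hidden from everyone except maintenance.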

A thing is composed of other things

A simple webcam designed to feed video over the Internet is clearly an IoT device. Essentially it is a sensor without intelligence that does not respond to commands.

...

For purposes of addressability, it likely has only a single IP address. But from the perspective of its functionality, each separate capability can be accessed and used separately. E.g., I could leave a smartphone at home and access it remotely as a webcam to watch a baby in a crib, as a microphone to listen to the sounds in my house, as a speaker to give directions to the babysitter, etc.

 

Relationships and Identities

Ingo/Sal

 

Processes & identity

Frank/Ingo

Blockchain and Trust

tbd Matteo / Ingo

I suspect that IoT will merely obtain the same benefits that blockchain offers to Identity, in general.  It is unclear to me that there are unique benefits to "Identity within the Internet of Things" to be covered here.

Proof of knowledge

tbd Matteo/Ingo

Lifecycle

In user identity management (classic IdM) we have rather long-lived identity lifecycles. In day-to-day services like e-mail, online shopping, etc., a user account exists for months, years or even a lifetime. In the Internet of Things objects have very different lifetimes. These might range from years or decades down to days or minutes.

...

In the IoT the last two proofs are not applicable to objects anymore.

How to find/address Things in the IoT? (DNS is not enough)

Various protocols

In the Internet of Things objects will be connected with different technologies and protocols. Many of the protocols are not HTTP (Web) based and some are not even IP based. As a consequence not all objects in the Internet of Things have an IP address. Different protocols use different kinds of identifiers.

...

The weather forecast service in our example has a dedicated domain identifier according to IETF RFC 1738, called a universal resource identifier (URI). Many devices in the IoT don’t have such an identifier; others do not have an IP address. That’s why the classic domain name service (DNS) is not sufficient for the Internet of Things.

Object Identifiers in the IoT

Object Identifiers are names assigned to things. The things that are named can include logical or physical objects, and names can be given either to types of things or to the things themselves. We can call the first a class identifier, since it refers to a class (or type, or category) of things, and the latter an instance identifier. These terms come from computer programming; there may be other terms from ontology or elsewhere that are more suitable. In the case of an automobile, the VIN is the instance identifier, while the make and model would be class identifiers.

...

In addition to physical things, the area of identification of logical objects deserves consideration.  Logical objects include software, services, data and databases, documents and other digital objects, and more.  Identification of software is an area of considerable interest to a number of organizations, and approaches include Software ID Tags and the Common Platform Enumeration.  ITU-T OIDs can be used to refer to a number of logical objects, including (TBD pull from OID flyer).  Web services can be identified by the URL used to access them.  The Digital Object Identifier (DOI) standard is standardized as ISO 26324:2012, and provides a way of directly referencing digital objects as opposed to using a URL to identify how to access the document, which may not remain valid over time.

Governance of object data

Objects in the "Internet of Things" produce data. These data might lead to personally identifiable information (PII). A car, for example, is able to track GPS positions and to provide a complete movement profile of a certain person.

Transparency

Although these data are mainly used for maintenance or additional services in automotive, user information and consent should be mandatory.

Data minimization / data collection (in advance)

Complex machines, e.g. combine harvesters, have hundreds of sensors that are able to produce tons of data. Data should not be collected if they are not used for a specific use case.

TBD….


Issues

...