[iot-discussion] European Commission Report: Workshop on Security & Privacy in IoT
On 13 January the European Commission organised and hosted a workshop in Brussels, the main purpose of which was ‘to discuss minimum baseline security and privacy requirements along the entire networked architecture and value chain similar in various sectors.’

It took them a while to publish a report, but it’s an interesting read for this group nonetheless, I imagine.

‘Participants were asked to come with, reflect and comment on concrete minimum IoT privacy and security principles to create a trusted IoT environment’

The results of the workshop can be found at https://ec.europa.eu/digital-single-market/en/news/internet-things-privacy-s...

(Was anyone on the list there btw?)

As the EU is part of the RIPE NCC service region, I think it is important to follow closely what the EC is up to and it probably makes sense to engage with them on this topic if we’re not already doing so.
On 13/04/17 12:10, Bastiaan Goslings wrote:

> On 13 January the European Commission organised and hosted a workshop in Brussels, the main purpose of which was ‘to discuss minimum baseline security and privacy requirements along the entire networked architecture and value chain similar in various sectors.’
>
> It took them a while to publish a report, but it’s an interesting read for this group nonetheless, I imagine.
>
> ‘Participants were asked to come with, reflect and comment on concrete minimum IoT privacy and security principles to create a trusted IoT environment’
>
> The results of the workshop can be found at https://ec.europa.eu/digital-single-market/en/news/internet-things-privacy-s...
>
> (Was anyone on the list there btw?)

Yes, I was there. The report you linked is a very good summary. Impression in the room was that the main goal (and challenge) is to create trust in the IoT market, which is lacking at the moment. However, trust takes time, while it takes only one incident to bring the IoT market back to square one.

There was also a lot of talk about data ownership, not just control. Concerns were voiced that consumers might lose ownership of data they are generating. And also concerns that manufacturers don't provide consumers with enough choice, for example taking out the location tracking device in some car models is a hassle and for someone buying second hand - even more difficult.

> As the EU is part of the RIPE NCC service region, I think it is important to follow closely what the EC is up to and it probably makes sense to engage with them on this topic if we’re not already doing so.

Gergana Petrova
External Relations
RIPE NCC
Stationsplein 11, 1012 AB Amsterdam, The Netherlands
T: +31 20 535 4444
www.ripe.net
Gergana and all,

[ Feeling a bit ranty. Must be the coming Easter holidays? ]

At 2017-04-13 12:57:02 +0200 Gergana Petrova <gpetrova@ripe.net> wrote:

> On 13/04/17 12:10, Bastiaan Goslings wrote:
> > On 13 January the European Commission organised and hosted a workshop in Brussels, the main purpose of which was ‘to discuss minimum baseline security and privacy requirements along the entire networked architecture and value chain similar in various sectors.’
> >
> > It took them a while to publish a report, but it’s an interesting read for this group nonetheless, I imagine.
> >
> > ‘Participants were asked to come with, reflect and comment on concrete minimum IoT privacy and security principles to create a trusted IoT environment’
> >
> > The results of the workshop can be found at https://ec.europa.eu/digital-single-market/en/news/internet-things-privacy-s...
> >
> > (Was anyone on the list there btw?)
>
> Yes, I was there. The report you linked is a very good summary. Impression in the room was that the main goal (and challenge) is to create trust in the IoT market, which is lacking at the moment. However, trust takes time, while it takes only one incident to bring the IoT market back to square one.

Thanks for your in-person observations! I had a quick look at the PDF (all the way through page 10 of 9). ;)

While understandable, the goal of creating trust does point to slightly misplaced motivations. Surely we want products that are worthy of trust, rather than products that are trusted. (Consider how many people believe that homeopathic remedies have any value; these products are not worthy of trust, but marketing has made people trust them.)

For an example in the IoT space, one could establish a non-transparent system where industry deals with security incidents. This could result in more trust, because people might never find out about vulnerabilities. However, it would possibly also be less secure than a system relying on full disclosure.

To put it yet another way... for industry the problem is how to get people to buy their gear, and making it high-quality is only one possible way of achieving that end. :)

> There was also a lot of talk about data ownership, not just control. Concerns were voiced that consumers might lose ownership of data they are generating. And also concerns that manufacturers don't provide consumers with enough choice, for example taking out the location tracking device in some car models is a hassle and for someone buying second hand - even more difficult.

This is great to hear! The model of throwing all data into the cloud and hoping for the best will probably have to be challenged because of this. :)

It does seem like a pity that nothing was mentioned as far as open source or standards-based platforms (if we had something like EFI to boot up WiFi routers then we might have a lot more 3rd party operating systems and applications, which might have helped avoid a number of vulnerabilities).

Oh well, thanks again for your personal observations. :)

Cheers,

--
Shane

As I think Marco informed everyone NCC signed up for AIOTI.

You can get more information on AIOTI here; https://www.aioti.eu

I presume AIOTI got, or at least will be well-placed to get, funding from the Commission. But given the membership I would guess that going forward external funding from the Commission and other governments should not be that important. More important is perceived political backing and whether they become the “voice of the IoT”.

I think though what AIOTI is doing is interesting and indeed important and so I am personally pleased that NCC is involved.

But I also think it would be good if there was time in Budapest for NCC to explain what is now expected in this context and for the community in turn to make it clear what messages they wish to be taken into AIOTI.

NCC have tended to be good at telling the community about things like this - outreach, liaisons, MoUs. Maybe though it is becoming even more important that the RIPE community steps up and plays their part in the necessary on-going dialogue. Where should this conversation take place though? The Cooperation WG? A new WG? Does this mean the bof should consider an IOT WG?

Gordon

Dear Gordon,

That is indeed correct, RIPE NCC is a member of the AIOTI. While originally set up by the European Commission it was decided to continue the AIOTI as an independent organisation; in 2016 it was established as a Belgian association. This transition is now in its final stages, with, as you may have noticed, a new website and full separation of the administrative tasks that until recently were supported by Commission staff.

Meanwhile work continued in a number of areas, mostly in the field of high level architecture and gap analysis for industrial applications. There is also a small task force which focusses on “identifiers”, who are currently busy processing the results of their survey, to which the members of the RIPE community were also invited to provide input.

As for future activities and priorities for AIOTI and its working groups, there will be a bigger strategy meeting later this week. Given our own workload, a week prior to the RIPE meeting, and the high level nature of these discussions, we decided not to participate directly in this meeting. We will of course continue to follow the work of the AIOTI and the outcomes of this strategy meeting for areas of interest to the RIPE NCC or RIPE community.

As for your request to report back to the community, I will try and incorporate some of this in my already scheduled presentation in the Cooperation Working Group, which will mostly focus on the activities of ITU-T Study Group 20 and their recent meeting in Dubai.

Regards,

Marco Hogewoning
--
External Relations - RIPE NCC

On 30 Apr 2017, at 21:19, Gordon Lennox <gordon.lennox.13@gmail.com> wrote:

> As I think Marco informed everyone NCC signed up for AIOTI.
>
> You can get more information on AIOTI here; https://www.aioti.eu
>
> I presume AIOTI got, or at least will be well-placed to get, funding from the Commission. But given the membership I would guess that going forward external funding from the Commission and other governments should not be that important. More important is perceived political backing and whether they become the “voice of the IoT”.
>
> I think though what AIOTI is doing is interesting and indeed important and so I am personally pleased that NCC is involved.
>
> But I also think it would be good if there was time in Budapest for NCC to explain what is now expected in this context and for the community in turn to make it clear what messages they wish to be taken into AIOTI.
>
> NCC have tended to be good at telling the community about things like this - outreach, liaisons, MoUs. Maybe though it is becoming even more important that the RIPE community steps up and plays their part in the necessary on-going dialogue. Where should this conversation take place though? The Cooperation WG? A new WG? Does this mean the bof should consider an IOT WG?
>
> Gordon

participants (5): Bastiaan Goslings, Gergana Petrova, Gordon Lennox, Marco Hogewoning, Shane Kerr