ICTSB – an outline of recent RFID discussions
Kirit Lathia, Chairman of the ICT Standards Board
kiritkumar.lathia@nsn.com
www.ictsb.org

What is the ICT Standards Board?
• Created in 1995 - Reaction to convergence of IT, telecoms, broadcasting and entertainment industries
• Co-ordination in ICT domain
• Involving ESOs and consortia
• Provide European focal point for discussion of current issues

ICTSB Members
ANEC, CEN, CENELEC, DVB, EBU, Ecma International, EFTA Secretariat, EICTA, ETSI, European Commission, ISOC (IETF), Liberty Alliance, NORMAPME, OASIS, OMA, RosettaNet, The Open Group, TMF, W3C

What does ICTSB do?
• analyses requirements received from any competent source based on concrete market needs
• translates these requirements into coherent standards work programmes
• allocates work items to members and reviews progress against objectives
ICTSB (and its WGs) do not produce standards

ICTSB and RFID
• Open meeting held Brussels, 24 October
• 30+ participants
• Objective - more common understanding on “who is doing what” on RFID standardization issues
• Initial addresses by Commission (Heads of Unit responsible in DG INFSO and DG ENTR)
• Presentations by main standards bodies, ANEC (consumer perspective)

High-level conclusions
• Standardization bodies should understand the business process before writing standards;
• Consumers should be included in the business process if needed;
• Distinction between tags, air interfaces and back offices should be made;
• The need for standards was confirmed but the type of standards needed should be further discussed;
• Inter-organization communication should be enhanced;
• “Who does what” needs to be agreed at an early stage;
• Bearing privacy in mind, the collected amount of data should be kept to the minimum.
NB Article 3.3 of the R&TTE Directive (99/05) should also be used to address fraud and privacy issues

Future developments
• (International) Standards needed in future for open RFID systems
• Standards gaps and “internet of things”
• Future standards/research collaboration should be improved (project cluster)
• GRIFS – Global RFID Interoperability Forum (GS1, ETSI, CEN – watch this space…)

Business model issues
• RFID should be taken in an overall context with other data capture technologies; the issues are similar (RFID is one of many such…)
• The business model concerning registration etc. may evolve and become more competitive. This will reduce suspicion and encourage uptake
• Business model/process needs to include user/consumer requirements
• There needs to be a specific assessment of the security and privacy risks prior to deployment of RFID. The classic standards approach to security looks at the business model first. In the RFID privacy scare, though, we are forgetting the business model! Go back to first principles: what are we trying to protect, for whom, etc.?
• Security/privacy are important, but we also need to ensure prevention of fraud

RFID and privacy
• Privacy standards issues are mostly horizontal, rather than specific to RFID
• RFID is a data carrier, not the data itself
• Legislation on privacy issues is needed first before standardization
• There is some talk about a possible standards mandate
• Collection of personal data for security purposes is one thing, commercial misuse another
• Data can be mined in some cases (eg US) when EU forbids – this is a societal issue
• Companies already have major consumer data, RFID only adds some extra information
• IT incontrovertibly allows more manipulation of data, whatever is the societal approach to data privacy
• User consent is a key principle (opt-in)

RFID and security (1)
• Who is responsible for RFID security standardization?
• NB German national RFID security publication activity
• NIST RFID Guidelines contain general security requirements already (INFSO) – NB US-EU dialogue
• Security and privacy are usually bracketed together (but perhaps wrongly) but also are more general than RFID
• A one-size-fits-all strategy does not work across the range of possible applications

RFID and security (2)
• Basic security requirements:
  • Prevent unauthorised access
  • Differentiated access
  • Unique communication per transaction
  • RFIDs must not be cloneable

RFID and security (3)
Three aspects (or “subsets”) to consider:
• (1) RFID subsystem consisting of transponder (tag) and interrogator (reader);
• (2) Enterprise subsystem comprising the local environment of the readers, the middleware that pre-processes the read tag data and the backend systems that process the information in order to conduct the business process;
• (3) Inter-enterprise subsystem consisting of the networked infrastructure that provides additional services for cross-organisational communication.

RFID and registration
• ISO/IEC JTC1/SC31 dealing with “item management”
• Registration authorities – eg NEN – should be used
• NB also for mobile telecommunications a unique identifier system exists

Definitional issues
• Definitions – eg active/passive/“semi-”, battery powered, etc. needed
• Vocabulary in JTC1 but also (for sensors) in IEEE
• TC225/WG has developed some additional definitions to be submitted to Commission Expert Group and published on CEN web site (link to ICTSB) and input to SC31

Other issues
• Question of how much of the relevant data is in fact on databases in back offices, ie to which the RFID chip is an access
• Inter-organizational requirements are not being addressed fully (cf. general eBusiness transaction problems)
• Encryption – should the data be encrypted or should the tag be? Depends on the use to which the data is to be put, how it is to be stored/used etc.

Extra resources
• New CEN list of definitions (comments welcome)
• ICTSB overview of RFID standards activities (living document)
• ICTSB will continue to monitor this issue, may hold further meetings (to avoid too many, maybe with GRIFS events…)

Thanks
John Ketchell, on behalf of Kirit Lathia