From YouTube: ROS 2 Security Working Group (09 Mar 2021)
Description
Regular meeting of the ROS 2 Security Working Group. Meeting minutes can be found at https://github.com/ros-security/community.
A: Okay, so this meeting is being recorded. Everybody should have a link to the agenda. If you've got any questions, let me know. So, first of all, any comments on the meeting minutes from our last meeting, that was the 23rd of February? They're in a pull request on the community page on GitHub.

No comments? We'll go ahead and approve those and move those in. One thing just to think about, we'll come back to this, I think, before the end of the meeting, is whether or not we should move to monthly. It seems like there's just not a lot going on right now and, yeah, I'm just wondering if we're ready to shift back to monthly meetings as opposed to bi-weekly, or if we should stay here. But that's it.

I'm going to shift it over to Ruffin right now. There was an issue that you posted about the TurtleBot3 demo, if you want to go into that a little bit more.
C: Sure. So before I filed the error on the security regression and the default RMW, I was revisiting updating the security working group demo for the TurtleBot, just to have the entire stack running with the navigation, SLAM Toolbox, Gazebo, all that jazz, and having something a little more substantial running with the SROS security. And the navigation binaries and TurtleBot binaries all got released finally into Foxy, so I decided to kind of revisit the update.

My PR that I had, and I noticed that, oops, I can't run security on anything, because the release binaries are not built with the security option. So after filing that and then getting that resolved, I went back and repeated the demo, but I relaxed the security permissions just to, like, get a base level where I can at least have DDS with the cryptography plugin working, and that was not working. So, like, before we've had some issues with the size of the permission policies exceeding the payload for the handshake.

But that was sidelined, because I had commented out the entirety of the enclave except for the permissive rule for the asterisk, or star, permission, just like glob everything. That wasn't working on Cyclone or Fast RTPS, and I knew that rmw_connext_cpp had some scalability issues, like it wasn't... that RMW wasn't working even without security. But RTI released their, you know, version six, and then they've been trying to get their rmw_connextdds implementation out. And so I went and modified the environment to build and use that RMW instead, and it is working with and without security for the RMW, so with access control disabled, which was a reasonable baseline. And then, when I was able to add access control, I was able to get a list of the insufficient permissions, which allows us to triage the minimal spanning policy.

So, in the sense that it's kind of a regression that the default RMW is no longer working with access control, even if... it is, the default RMW is not even working without access control, sorry. So that's a bit weird.

I could use more helping eyes with it, if you spot anything or try out the demo.

With it, encryption is working with rmw_connextdds, the latest. You know, we've had that sros2 PR for removing rmw_connext_cpp, or deprecating that. That didn't work with the demo, you know, with or without encryption, but at least the new RMW from Connext does, and that's what I've been using to triage the access control to get the minimum spanning policy.

But it's weird that, like, the default RMW is not working with encryption and access control disabled. Like, that was something we had before.

I can show you guys if you wanted to, but the demo and the README are self-explanatory if you need to launch it yourself.
A: Yeah, okay. And that's all? So do we have... have you reached out to any middleware vendors about that, or?

C: I haven't. I was gonna make a similar ticket, like I did with Connext, to the Fast DDS RMW repo. I don't know which repo you suppose is the best one, maybe just rmw_fastrtps, rmw_fastrtps_cpp, maybe that's the best repo to do that. I was gonna make sort of the same template of, like, this minimal reproducible example, and...

The toy example demos all work okay with security and access control. It's the getting up to scale. So there's something about, you know, if you run a real-world ROS stack, you know, like a robot with hundreds of nodes and, you know, a thousand topics or something, that's where something bogs down and it's no longer working.

So maybe we could investigate how we could get this to use something like the navigation's CI stack, where they run the entire TurtleBot kind of simulation world, Gazebo with mapping and navigation, and augment that where, like, it's using DDS Security and not using, or using, access control. That might be kind of cool.
A: I haven't seen it. I haven't seen Mikael lately. No, I know he changed jobs not too long ago, and unfortunately Kyle's last day with Canonical is actually this Friday as well, yeah. So he is gonna... we were talking about the sros2 repo. He's actually gonna stay on as a maintainer of that. He probably won't be in the working group meetings, and you won't see him a lot, but you'll be able to ping him, you know, on GitHub or on the ROS Discourse. You know, he'll still be around, so.

So, but yeah, as far as the Foxy regression, I appreciate you finding that, and, you know, that actually got fixed up without taking too long.

B: But at the same time, I think that worrying about that particular instance coming up and being paralyzed to not implement better tests is also not the way forward. There are just some things you'll never be able to plan for, and having a contingency in place for those is probably the best thing to do. But yes, testing to make sure that we minimize this sort of thing in the future is probably good. Yeah.

A: Okay. What I gotta do is find someone with cycles to actually start working on some of this, but let's get it on the roadmap.
A: I wanna share with you, moving on to the last topic, some work I was doing with the MoveIt use case. If you remember, we had them demo, they showed us the arm and so on. So I've been working with that a bit. It's actually really easy to use MoveIt.

They have an LXD container, so you can just pull down the LXD container and launch it, and you're good to go. So I was able to real quickly set that up to create two different containers. One container, that's the one that I call the robot, which you can imagine that one actually controlling a robot. So you launch that and everything kind of runs there, and that's the one that's intended to be self-contained. And then launch a second container where you just have RViz up and running, and you can see the robot movement. You know, it subscribes to the joint states and all that, and so they're all in their own ecosystem.

So it creates a nice thing for us, where we wanted to set it up so that you have the robot running inside its container, and then the monitor is able to watch the robot through RViz but not actually control the robot. So, pretty straightforward, I think, permissions use case. So I was able to get that up and running using their container, which is actually running Foxy, and I did not have any problems with the default security. I actually didn't do too much special other than set the environment variable flags.

And I say I got it up and running; I know everything's working, they're talking back and forth, they're all on the same flat network, you know, same actual host machine, just connected through the, you know, the LXD networking instance. So, but as far as I can tell, I definitely see, you know, encrypted traffic going back and forth. I haven't dug deeply to make sure it is, but as far as I could tell, like, yeah, security's enabled in there.

Yeah, yeah. So I didn't actually implement any of the access controls yet. I just used the generic allow everything and encrypt everything, except for the broad... I think the broadcast traffic's not encrypted.
C: Yeah, I'm just curious, maybe, how many, how much ephemeral topics are instantiated during the spin-up.

A: Yes, do they have some transform topics that are dynamically created? I got four of them. They all have the same prefix, you know, so I think I can just wildcard them. I didn't see a lot. Actually, it looks all pretty predictable.

Then I actually have a callback to Henning to say, hey, you know, what are the things that you want to lock down and prevent for the real MoveIt? How do you want to shape that? So I don't have an answer back. But what I did on this is, actually, even though it created some template policy files, I used an off-board certificate authority to create this, with the idea of documenting how to have the key materials, particularly the CA, the root CA key materials, separate from the robot itself, and how to create, you know, have a CA and then, you know, be able to distribute artifacts to different hosts or different places throughout the whole ecosystem. And that actually went pretty well, so I have a document about how to create a ROS CA and distribute the certificates back out.

It's kind of like one step ahead, the next step beyond the toy use case, the hello world use case.

So I want to run a few questions by you while we have... I actually have some notes here. Let me dig them up. These are very scratch notes, so understand that they will disappear at some point in time.

Again, these are just my scratch notes that eventually I want to turn into a tutorial.

Then this goes so far as to actually create and sign a permissions file. So some questions I have for you. I don't know how many of these will get through, but first of all, the idea of having an off-board certificate authority, particularly one that's done using OpenSSL, do you feel that's a good use case for a ROS tutorial?
C: What I would like to do eventually, though, is, here you mentioned on the agenda dealing with external CAs or multiple CAs, and, you know, particularly with X.509 certificates you can have, like, cross signatures. You know, the certificate can be signed by multiple CAs, or a chain of CAs, and then how you would use that with ROS particularly, and making sure that whatever certificate authority PEM file that you're pointing SROS to includes the entire...

A: Yeah, so I was actually, you know, thinking about that. I want to get the simple use case now, which is just simply creating your own, creating a certificate structure that's not on the robot, right, offline or external or something, and then you move the security artifacts onto the robot. And then I think, after I get this down, then we can go to both certificate revocation lists, I know Marco is very interested in that, as well as certificate hierarchies and so on. So.

One thing too, in this document, even though this is just the beginning, I tweaked a lot of settings. I usually don't like to tweak settings in your hello world example, but in here, particularly with the certificate authority, I did, because I really tried hard to shrink the certificates as much as possible. By default, if you don't change the options, you'll get RSA certificates, which are two to three times as large as the elliptic curve certificates.

You get comments in them, and all that stuff ends up on the wire, which I don't think we want any of that. It's nice for a real certificate authority, but I don't think we want it on the robot ecosystem.

So do you agree that, like, our whole goal here should be to keep this really tight?
C: Yeah, I think the default sros2 is to use...

A: Yeah, I actually mirrored the default on there, just doing this by hand outside of, you know, the existing toolset. And there was a part of the problem, just beside that, the interesting part of the problem is, because the API change never landed, I would have to go deep into the Python code in order to, like, rip out the, you know, Python script for signing a permissions authority and so on. And we'll get there. I don't want to do that yet. So, but yeah, I actually mirror what is generated through the existing Python sros2 API.

Also, do you agree that, like, our initial use case doesn't do anything with CRLs? I think we can backfill the CRL use case later on. I think there's probably some things in this certificate authority configuration we might have to tweak to do that. Then you're gonna have to set up a CRL site and all that, a way to distribute them. But if you're okay with that, I just want to table that for now.

Okay, so let's take it, if you haven't had the document open, just a quick run-through, or a quick comment on some of the root CA policies.
A: The way that I set this up is, I actually took the default that certificates for your, this would be your enclave certificates, default to a one-year life. Is that long enough?

Yeah, so that way you would have to re-key your robot every year, which is kind of interesting. That may be a licensing thing, you know. All right, so I'll just note that with the documentation for now, that, yeah, that can be changed. And also the root certificate by default expires after 10 years.

Yeah, in keeping with trying to keep the size down, I ripped out all of the attributes except for the common name. So there's no comments, no PKI extensions, none of that stuff. The only thing that's required is the common name, which should be the enclave name, right?

C: Yeah, but sometimes those extensions are useful, like if you want to limit how recursive the CA can go. So if you have a chain of CAs, you can have the parent CA say that I'm only gonna sign the sub-CA for level two, and then the next one can only do it for level one.

A: Yeah, I think there was one that I left in there that said this certificate is useful for, like, the certificate purpose, so that the root CA has the root CA purpose, and then any other things that are signed by the root CA, by default, get the identity and encryption permissions on them.

So I'll stick with that, and then, you know, when the documents come through, yeah, if there's a tweak on that, we can do that.

Do you think it's necessary... so in this case, you know, I recommend using a standalone CA. That's a container. I was debating on whether or not to remove all the other certificate authorities from that container. I honestly don't even know what the best practice is. It just seems like there's no reason that container should trust anyone else.

And yeah, so we create a container, and the container has, you know, all the, the CA bundle, I forget exactly what the package is, but it trusts, you know, all the VeriSign, Entrust and, you know, DigiCert, whatever else. All those root CAs are in the trusted CA store, and so when you create your CA, then that CA goes in there as well. And I was actually just debating about removing all of those, so that the container actually trusts no external certificate authorities.
C: On the deal of certificate extensions, I'm gonna paste a link. This is way back with SROS 1 for config, and I had comments on all the fields I'd set and then why I'd set them, so I'll paste that in the chat here. Okay, cool.

Whether the certificate field was critical, and this was the case where the certificate policies were being, where the extensions were being used to house the access control as well. So this is in SROS 1: the credentials and the identification, or the permissions and the identification credentials, were sort of one and the same document, yeah, encoded in the PEM certificate. But in SROS 2 they're only linked by the common name.

A: Question for you: it's easy to use the same root certificate authority for both the identity and permissions CA. If we don't do that, then we have to actually, you... do this twice, create two separate CAs, or build out actually a hierarchy where you have a root CA and then, to support this, one for identity, one for permissions. Do you think, for our initial use case, that it's sufficient to use, and document and explain, that we're going to use the same certificate authority for both identity and permissioning?

C: Yeah, I think that the use case where you have two different certificates for identity and permission is pretty rare, even in the DDS field, but they thought it was warranted enough to include in the spec. The only thing that I think sros2 is doing is it's just making a symlink for the permissions and identity certificate to point to the same root CA file on disk. So, yeah, okay, great.

A: Okay, yeah. And I think, with Kyle's departure, I honestly don't know how much time I'll be able to get back into it, but as I can, I'll try to turn this into, you know, at least a work-in-progress pull request, probably against the, if you guys all agree, against the actual ROS tutorials, and then we can continue growing it out from there. Okay, particularly get your feedback on anything that should be updated and changed.
D: I'm a little curious how well this sort of maps to the Decentralized Identity Foundation work. The, what, framework, Decentralized Identity Foundation. So they're doing basically distributed IDs with verifiable credentials, and it's, like, an alternative model, a successor model, to the CA.

C: Evolutionary, cool. So one of the things, if we ever want to get deeper into it, is, you can... the security plugins in DDS are all plugins, and so the vendors have the respective API for changing how you want to interpret the documents that are shared, or what method you go about authenticating participants on the network. So having something that's even an alternative to traditional X.509 certificates, that might be kind of interesting. Maybe it would be an alternative to your conventional, you know, monolithic certificate revocation list, or having a monolithic, centralized certificate authority. It'd be

D: Kind of cool. I also think it starts to put you towards the idea of eventually having the components within ROS be able to authenticate each other and say, yes, I trust this subsystem to give me information. You know, I trust the information from the subsystem, or I trust the orders from that subsystem. And as the robots become increasingly complex in their architecture, distrusting the other components in the system starts to make some sense, considering they might be made by different parties or have different roles and responsibilities, and you want to limit, you know, who does what within your robot.
A: It's actually Marco's big use case. That's one thing I know that he's really interested in, because he's doing a lot with fleets, and one of their use cases is, what do we do when we lose control of one of our robots in the fleet? So, yeah, that is interesting.

D: I was talking to somebody about commercial medical robots, and one of their concerns is that somebody can walk into a room and physically alter one of the components in a surgical robot, and unless you've got some ways to verify that the systems are trustworthy, you know, that they're running the right software and all that kind of stuff, you don't want to let them be used in the next medical procedure. And so there's sort of a need for something along those lines. And it's, like, exciting to see, I like the write-up and the direction of it. So I thought this might be, if you're interested in continuing down this path, that's, like, there's a way to do it. There's a community around it.

C: I think a few months ago, with the SROS working group, on designing tamper-evident hardware and firmware for robotic systems, particularly some researchers from India presenting their work on how to secure drones and how to verify the restrictions in airspace control for these platforms.
A: So going back to what I opened up with: any comments or thoughts about whether or not we should move to monthly, or do you want me to throw that out in chat and decide at our next meeting?

All right, so you guys are all in favor of moving to a once-a-month, 45-minute meeting? Any complaints about that? So I'll go ahead and propose that, update the meeting invite and try that out on Discourse. So the only thing I'm wondering is about time zones and alternating them, but I'll figure that out; probably still alternate them early and late.

So, okay, all right. Yeah, great discussions. Just a reminder: we still have the sros2 quality items.