Hello everybody. Welcome back to the Think Tech Hawaii studio for another crazy episode of Security Matters. Today we're going to be in the weeds a little bit with a couple of guys that you're very familiar with. I have Rodney Thayer and Sal D'Agostino with me today, and they're going to try to educate me and you on what it took to get to this new protocol, OSDP, that we have in our industry. Guys, thanks for joining me again. I know you guys are both really busy, so I appreciate you taking the time out to jump on the show real quick.

Oh, hi Andrew. Thanks. Good to be with you again.

Hey, thanks man.

Hey, so you guys have done your background before on this show. So let's take us through sort of the... a lot of stuff people may not know about your work in policy and protocols and this sort of development. Give us sort of your histories and those aspects of your professional careers. Rodney, let's start with you, man.

Okay, so I've been interacting with protocol standards since 1976. The X.25 standard, I have a copy of that. I've been doing communications protocol development a lot since then. I learned a long time ago that following the standard is a way, way easier way to sort of interact and interoperate with other people. And I've worked with CCITT standards and IETF standards and IEEE standards and ISO and also IEC things. So there's many standards organizations, and you end up having folks who participate in the standards process who go to the committee meetings and, you know, occasionally do outrageous things like I do, like actually try to code it and make sure the standard works. And so anyway, in the case of OSDP, I made the eternal mistake of: I was in a committee meeting and I said, "Where's the open source version?" and everybody looked at me and said, "Tag, you're it."

Wow. That's how you get a little extra sad job. Never volunteer.

Yes.

Anyway, hey, Sal. I know Rodney called you a policy diva.
I don't know if you do a lot of policy work as well, but take us through your history of this type of development work.

Yeah, Andrew. Yeah, the standards stuff is something that I've been involved with; a lot of it, like Rodney, comes out of the CCTV world. Early on, at a company called Computer Recognition Systems, we were developing, you know, various kinds of machine vision systems, and there were a bunch of different standards that we were using there. You know, a lot of them varied in different parts of the world, so you had a television standard which is called NTSC for the US, but if you're using a European camera you had PAL. There were hardware standards that we were using. And the way that you were able to have hardware and software interoperability was usually related to some kind of standards. There were bus standards that we used when we were building hardware boards: VME bus, ISA bus. So, yeah, I've been involved with it for a long time, and then sort of coming forward, as I got involved around some of the identity stuff, I began to become more involved from, you know, leaving a little bit of the hardware hands-on to be more of the policy diva, as Rodney coined the term. He hasn't coined the term, but he's christened me with it. A lot of that was around identity. A lot of that was around digital certificates and X.509; that's where Rodney and I actually crossed paths and somehow haven't been able to get off the same road for what seems like, you know, probably almost 15, probably pushing 20 years now. And then been involved with actually working a lot with NIST around the FIPS 201 standard, been involved internationally with ICAO. More recently, in some of the work at my other company, Open Consent, been involved in developing standards around privacy notices and consent receipts.
Obviously with SIA, helping around the OSDP protocol. So you've been involved with a whole bunch of different kinds of standards committees, helped actually write standards, worked in standards development organizations, so very active today.

Wow, so I think most of the world doesn't know how difficult this is and how much time it takes. So, talk about the genesis. What started the OSDP initiative, and then how did you guys both get involved with it? Sal, we'll just start with you.

Oh, actually Rodney sort of was grandfathered in slightly before me. I mean, I know the genesis story, but I'll defer. Rodney, why don't you... you want the OSDP origin story?

Okay, exactly. Three vendors, Lenel, Mercury and HID, got together and came up with a way of having readers and panels interoperate with each other many years ago. And they actually went off and implemented some of that, the three vendors together, and then they realized that they wanted to have it be more widely adopted, so they took the specification they had at that point and they on purpose gave it to SIA, so SIA kind of adopted it as a standard, and then on purpose started to invoke the process to put it on track to become an international standard. SIA participation started around 2010, 10 years ago or something, 2008, 2009, somewhere in there. It started the process going, and then it was moving on. I mean, committees are hard, you know; a camel is a horse built by committee. It's hard to get a bunch of people together and actually work on these things, and so it's been going on for a while, and we finally got to get the thing set up as on track to be an International Electrotechnical Commission (IEC) standard, so that process activated about five years ago, and then we've got to where we are today.

Wow.
And so before we... you know, actually everybody's fighting with Wiegand, and we're looking at how Wiegand is insecure. But was the initial push with this protocol, was it a recognition that that problem existed for the industry, or was it just that the whole world was moving to more encrypted, more secure types of communications?

So I mean I think it was a combination of stuff, right? So there's the security piece, but you know, the thing about Wiegand is it's one way, right? So if you want to have functionality all the way out to the edge of a system and be in centralized control, managing remote control points, you need a bidirectional protocol, and if you're going to have a bidirectional protocol it should be secure. So I mean I think it really, Rodney, right, was a combination of those two things, security and bidirectional communications, and then having a common set so that, you know, if you're a controller manufacturer you can have a common set of commands that'll work with all the different readers. So interoperability, security and bidirectional communications I think are the three things that drive the standard, and they also drive the benefits of it.

Yeah, so Wiegand isn't really a protocol; it's more of a message format. You know, you get to send a number of bits, probably up to 50. And it goes from the reader to the panel. That's it. No, as you said, it's not bidirectional.
There's also no way to really express subtleties, so the difference between a card read, a keypad read, a biometrics device telling you the address finger, the reader going into tamper, all these things they had to figure out how to put into strange-looking Wiegand messages, and it was because we didn't actually have the concept of a message with a header and a control field and things like that. So that's why that was kind of the driver, doing it in a more sophisticated, more advanced way and then getting the security and control benefits out of it.

Awesome. And I know it's evolved, and we have like OSDP now and then we have also OSDP Secure. Can you talk a little bit about the differences there?

So, OSDP... these terms like OSDP Secure, what's going on is that we're trying to take the standard and make sure that we've got a description of these various capabilities that are talked about in a way that we can use in the industry, and we want to make sure specifiers can specify what they want. If they wanted secure communications, we want to be able to do that, so that's OSDP Secure. Also, of course, we want to make sure everybody in the picture is on the same page on what we're doing, you know, what the customers are trying to ask for and what the vendors are going to go off and deliver. There's OSDP, there's OSDP Secure. There's also three or four other kinds of variations, biometrics and some other things.

And so one point along those lines: people have been talking a little bit about OSDP 1 and OSDP 2. So really at this point there is just the international standard, which is actually 1.7, and as soon as it's sort of cleaned up... 2.7, sorry, and becomes 2.2.
In 2.2 there are different profiles, and the profiles in 2.2 are primarily a basic profile and a secure profile, and then, as Rodney said, there's a biometric and a smart card extension, other profiles. And that's true for the reader, which is known as the PD, and the controller, which is the ACU, and PDs don't have to be just readers, they can be other things too. So: peripheral device and access control unit, basic profile, secure profile, all of those things. Now, no one should be talking about anything except whether or not you conform to 2.2, and I mean that's really the way to go. So I mean the earlier versions that people talked about, a lot of them didn't have a secure capability, so a lot of people think that the difference between 1 and 2 is security, but it's a little bit more nuanced than that, and that's one of the things we're trying to educate people about.

That's awesome. Are all these various features of the protocol that you discussed, is that where the IEC weighs in, or are these just things that we saw a need to develop as the protocol got built? Or do you have to have various things for it to be like an international protocol, or, you know, international standard?

The IEC basically, for the most part, just took the things that the working group put into the document. So SIA formed a working group, which is multiple parties, vendors and end users and other kinds of practitioners and folks, so you have an open group doing it to make sure we have good group consensus. The IEC process was mostly around formatting the document and pulling it into their framework. So these numbers actually have a meaning: 60839 is a specific group, and then the dash 11... it's 60839-11-5, that's the standard we have. Of course it's really good for salespeople to give you a swoopy-looking number. The 60839 is apparently a committee label.
The -11 means that's the access control area within the IEC. So there's a -11-1, which is a general description of access control systems, and other things are in the same area, so some of the other standards in this area are IEC 60839-11-31, -32 and -33. So, using their numbering scheme, we're in the access control tent on planet IEC, and the front of the tent says 60839-11 and we happen to be group five.

Wow. Yeah, we're group five. Right.

And so did it go, because I know there's ANSI, I heard them mentioned before, so does it go to ANSI and then to an international... because ANSI is the American National Standards Institute?

It goes to a standards development organization, which sponsors it being done, which in this case was SIA, the Security Industry Association, and then they go through the international standards organization hierarchy. So in the United States, SIA is a standards development organization that's accredited by the national body for the United States, which is the American National Standards Institute.

Okay.

And then the national body for the United States is accredited with the international body. So like in the UK they have the British Standards Institute, and in Germany they have an organization whose name I won't try to pronounce; it has an acronym, too, that kind of thing. And so each country will have their own; most countries have their own standards. And some of them create their own standards which are not... so we had, as an example, a lot of the National Institute of Standards' standards are standards which then reference other international standards, so like going back to the FIPS 201 standard and some of the special publications. They then reference some of the pre-existing standards around smart cards, or 7816, Rodney, right, as a set of stuff which you then... so you build stuff on top of other stuff. Sometimes an international group will create a standard. NIST is built for the US government.
That's their charter. So their stuff doesn't immediately wash over as international stuff, so it may seem strange to think you've got a National Institute of Standards and you've got an American National Standards Institute, but there's a little bit of a rationale behind why you've got those two. NIST doesn't accredit standards development organizations; they sort of stand on their own. ANSI is the body that accredits SDOs, and the Security Industry Association, as Rodney just said, is an accredited SDO. There's plenty of arcana around the standards organizations. It came out of when we needed physical standards, so this used to be the National Bureau of Standards, and, you know, their job was to keep the official copy of the yardstick. There was a stick that was a yard long and they kept it in a vault somewhere. And the thing he's showing you is what we in the industry, I learned to call this an IEC connector, the thing Sal's waving around that looks a sort of funny shape. It is permissible, of course, if I go visit you, Andrew, for a business meeting in Hawaii and I forget the cable for my laptop, it may well have that IEC connector on the end, and because of standards I'd be able to go to a shop and buy one, right, an IEC connector at Ala Moana.

Yeah, so a lot of work goes into these standards, gang. We are just past our break, so we're going to take one minute, we're going to pay some bills, I'm going to come back and get into some of the feature sets of this OSDP that people should be paying attention to. We'll be right back.

Aloha, I'm Keli'i Akina, the host of Hawaii Together on the Think Tech Hawaii broadcast network. Hawaii Together deals with the problems we face in paradise and looks for solutions, whether it's with the economy, the government or society. We're streamed live on Think Tech biweekly at 2pm on Mondays. I want to thank you so much for watching. We look forward to seeing you again. I'm Keli'i Akina, aloha.
And we're back with Rodney Thayer and Sal D'Agostino. We're talking about OSDP today, and OSDP has achieved its IEC... it's been approved by the IEC, I guess, as a standard. Some date will be set when it's officially announced, so the world can now start to use OSDP and use it according to this standard, right?

So it's happened. It was in the end of May that it actually passed, so it's officially an IEC standard at this point.

Okay, and the world should be looking at the 2.2 version of that standard.

So right now, any minute now, we're here in July, you'll be able to go to the IEC bookstore online and buy a copy of the IEC version, which is the 60839-11-5. The SIA version of that is going to be 2.2, which they're going to publish immediately after that. And the reason we have two different versions of it is because the IEC process, it's an international standard, takes a long time to get things moving through it. So there's some things that SIA will probably want to add as enhancements. And so they'll do it in their version first, they'll probably do a 2.2.1, and then it'll get rolled over through the standards process and do an IEC update. There's also some economic advantage: the IEC and ISO, they're pretty good at collecting Swiss francs, and SIA is a little kinder towards the patrons of the standard.

That's good to know.

There is an expectation that people who are, you know, like if you deal with a vendor who's using OSDP, somebody somewhere in the organization should have bought a copy of the standard.

Yes, they actually would have to go and get money to buy it, and I don't think it's exactly a dollar a page, but it's, you know, an 80, 90 page document, it's probably going to be around $100.

Wow.
From the IEC; I think you'll find it's a quarter or so from SIA, at least that's my understanding. SIA maintains the right to publish it as part of this process, which was a pretty cool thing that they actually accomplished.

So let's talk about the built world, right? I'm an integrator, my customer says, hey, I found out about this OSDP, I want to get rid of my Wiegand stuff, I want to get the secure protocol going. Are the manufacturers by and large built out, in your guys' estimation? Do we need to be careful with, you know, can their hardware handle version 2.2, for example? Or are these questions that integrators and architects and, you know, the rest of us out here on the front end of those requests, do we need to be asking those questions or proofing those in our labs or whatever before we roll them out to customers?

Yes, there is a certain amount of... using a standard, I mean, it's nice to have a document that defines it, and it's nice when the vendors implement it, the implementers implement it. So, for example, you can buy readers from HID that do OSDP, and other vendors; you can buy access control systems, Johnson Controls software, I mean, now a bunch of other people support it. Just because it's in the system, you've still got to go and use it. So the integrators have to be updated on how to go deploy this stuff. The simple example is, we have seen this: a really solid integrator, really solid team member, nobody told them it wasn't Wiegand, they get out to the job site, they wire it. Whoops. And I am not talking about the awesome team member with the screwdriver in hand; I'm talking about the paperwork we forgot to give them. So we have things like that. We'll also get things now that it's a protocol.
We have some of the same problems you have in the IoT world where, you know, everything's a device, you have to do firmware updates to your Nike shoes, your Tesla cars and your light bulbs, Cisco controls, right? Yeah, you have to worry about things like firmware updates. You know, nobody ever had to do a firmware update on a two-by-four. So it's a change in process for the vendor supply chain, and for the customers to understand that we need to do that too.

Yeah, there's a cost there. Okay. Right.

And then there's customer processes that they're going to want to do that OSDP would help with. So if you're in an environment where you're following security policies, these good policies, that's why I use the term policy diva, it's a good thing. If you have policies that say you have to have very strict inventory descriptions of all your equipment, then the end user operating the system has to know enough to push the button to pull a report telling what version of firmware they have in all their readers. And they need to push the button, the electronic access control system needs to facilitate them doing that, and all the equipment down the line has to support it, so we all have to, together as a team, actually support the end user using some of these things.

Yes, which then at the end of the day uses a command in OSDP, which asks for the ID of the device, and lo and behold, you get all that back, right? So the capabilities are built in, but you need to be able to use them. I think the more that you understand that those capabilities exist, and then you could effectively get the current state of your as-built equipment that's out in the field, you know, that's a real useful thing. And the fact that now you have access control systems that can communicate all the way to the edge.
You can get information all the way from the edge, so understanding that you can do that and building that into your operational policy, because operational policies should be leveraging the technological capabilities and mapping to whatever your corporate requirements are, you can now do those sorts of things. And the other thing, you know, just a plug here for some of the other work that we're involved with, is that OSDP Verified is now a thing. So the Security Industry Association has put together a conformance program, where there's actually testing of these devices to see if they conform to these different profiles. So, again, the tricky thing would be, oh, you know, we implement OSDP, but maybe you don't implement secure channel, right? Or maybe you don't implement the firmware update, which is kind of a critical capability, which is part of the file transfer capability of the protocol. So your ability to remotely update firmware is a result of using the standard, as a result of having the file transfer capability functional. Now you can do OSDP, you can have secure channel, and not have an ability to update firmware. So you're taking some advantage of the protocol but not necessarily full advantage of it. So, as an integrator, as an end user, you know, those are things to keep an eye on. And that's why certification programs are useful, and, you know, full disclosure, I'm testing some of the first OSDP devices to receive an OSDP Verified certification. The first devices went through certification last week, and, you know, the next ones are sitting right over there.
And SIA will have an announcement about those devices, I think probably end of next week or something, when I finish the second device, because we'll announce the first two that go through the program, and that'll be one device that's certified for secure PD and secure ACU and the other device which will be certified as a secure PD. And one of the things, to go on, we've been very careful in constructing that program so that it's flexible and doesn't put too heavy a load on manufacturers, both in terms of time or in terms of cost. So, as an example, if you've got a firmware set that works across a number of readers, you don't have to test every reader. So if your firmware works across a number of different devices, you can be certified as a PD for all those devices that use that firmware. So, you know, we've done a number of things to make it easy to get certified and to motivate people to get certified, and we're looking forward to then being able to go to a SIA web page, look up a device, see that it's certified. And so then for you, Andrew, as an integrator, someone who's a customer, or the A&E community, when they're recommending that OSDP be included as part of the specification, they could also include as part of that requirement that it's an OSDP Verified device. You know, it'll take a little while for it to get to the point where that's practical, but that's a relatively short-term goal that we're pretty hopeful about.

You know, even now we've come so far. I remember the first time, Rodney, during, I think, Interop, right, when he finally got to demonstrate some bidirectional comms. I mean, this is just from its sort of maturity stage. It's finally, I guess, maybe to your vision this all happened at the same time, but someone like me, who's been able to check in with you guys periodically, you know, as an industry that can now look at this and say, wow, we've got OSDP Verified services coming out where we can check and see. People that are planning to implement this stuff can start to really do it with a little more confidence. You know, it's kind of been, to your point earlier, Rodney, you guys still wired stuff up Wiegand when it's supposed to be deployed OSDP, right, but there's been a bit of a disconnect there, and it just seems to me like it's really in its sort of final phases of maturity as an industry protocol.

Yeah. There's no reason not to, as well. I mean, there's almost no difference in the cost of the devices. You know, it's four wires as opposed to six, typically, for Wiegand. There's no difference in the cost of the controllers. The lifecycle operational costs are significantly... once you're implementing the full protocol. You're getting better security. So there's really very little rationale, other than the fact that, you know, people tend to do what they've done in the past. But we're actually beginning to see people realize now that SIA's done a good job. You know, there seem to be quite a few different companies; companies are actually running their own webcasts and talking about OSDP, which is an amazing thing, right? So, and Rodney, you've got a list that you put together.

Right. Yeah. You know, I run, randomly on the side, not an official thing, I run a site called OSDP dot equipment, which is just a list of OSDP vendors that we've identified that, you know, are visible in public. There are 75 entries on it now; at least half of them are readers, lots of panel vendors, biometrics vendors, other kinds of things. So it's definitely not just one or two vendors doing it. There's definitely an OSDP marketplace now with multiple vendors, and because it's interoperable you have choices.

All right, gang.
We are out of time today, but gentlemen, I really appreciate you sharing your wisdom and your experience with this protocol. And thanks for keeping that website.

I want to give a shout-out to Joe Gittens.

Who's Joe Gittens?

Yeah, thanks. He's the chair of this working group and has also been there from the beginning, has done a tremendous amount of work, and his work's not done.

Thank you. Thank you Joe. Thank you Joe, and thank you Don Erickson as well. It's been great working with him; really look forward to continuing to do so.

All right, thanks guys. We'll see you again next week. I love everybody, take care.