[network service discovery] resolving DAP ISSUE-131, search by device

Rich and all

I think we've made progress on the DAP list related to ISSUE-131, and maybe we are close to resolving it?

(ISSUE-131: Support UPnP device discovery by Device Type? ; on [Network Service Discovery] http://www.w3.org/2009/dap/track/issues/131 )

Some thread items that might help:

http://lists.w3.org/Archives/Public/public-device-apis/2013Oct/0159.html (and following thread)

[[

I don't understand why we should complicate things when at least with UPnP
you already have a concept of device, so you could (as I proposed in some
other email, that I think didn't get a reply) do something much simpler: a
search by device could simply return the list of services associated to
that type of device.

Can you expand on why my proposal would be complex/would not work while
adding this kind of query mechanism is easier to support?

]]

and http://lists.w3.org/Archives/Public/public-device-apis/2013Oct/0101.html

[[

> (2) Access control should be per UPnP device.

+1
Presenting devices is more meaningful from a user point of view than presenting individual services.
Maybe that guideline could be stated in the spec.

Also, disclosing one UPnP service to a web app means also disclosing all UPnP services of the UPnP device.
The web app can learn the control URLs of all services on the same device from the config field.
We could filter properly this field, but a smart attacker would probably be able to guess the URLs anyway.
]]

I think we are creating some difficulty by trying to abstract underlying mechanisms, since UPnP has a concept of devices but other discovery mechanisms might not, but we could resolve this by making virtual devices in the other approaches where needed?

I think we are close to resolving this issue.

Rich, do you agree or have a comment on how to resolve this issue?

It might make sense to update the specification and publish an updated WD that incorporates this change and the other minor updates, 
so we have a fresh publication to share with WebAppSec for an issue discussion as well as to give PING early access before a January call.

This would simplify review by not making confusion about this issue part of the review discussion.

What do you think? If we are not close to resolving, what do we need to do to get there?

Thanks

regards, Frederick

Frederick Hirsch, Nokia
Chair, W3C DAP Working Group

Received on Thursday, 14 November 2013 15:10:03 UTC
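
The two quoted points above (a search by device type returning that device's services, and the config field exposing the control URLs of every service on the device), as an added example that is not part of the original message or of the Network Service Discovery specification. The device description is constructed sample data, and the function names `services_by_device_type` and `filter_config` are hypothetical.

```python
import xml.etree.ElementTree as ET

UPNP_NS = "urn:schemas-upnp-org:device-1-0"
NS = {"d": UPNP_NS}
ET.register_namespace("", UPNP_NS)  # keep the default namespace on output

MEDIA_RENDERER = "urn:schemas-upnp-org:device:MediaRenderer:1"
AV_TRANSPORT = "urn:schemas-upnp-org:service:AVTransport:1"

# Constructed device description standing in for a service's config field.
SAMPLE_CONFIG = """<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device>
  <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
  <serviceList>
   <service>
    <serviceType>urn:schemas-upnp-org:service:AVTransport:1</serviceType>
    <controlURL>/ctl/AVTransport</controlURL>
   </service>
   <service>
    <serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
    <controlURL>/ctl/RenderingControl</controlURL>
   </service>
   <service>
    <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
    <controlURL>/ctl/ConnectionManager</controlURL>
   </service>
  </serviceList>
 </device>
</root>"""


def services_by_device_type(config_xml, device_type):
    """Search by device: serviceType -> controlURL for each matching device."""
    found = {}
    for dev in ET.fromstring(config_xml).iter("{%s}device" % UPNP_NS):
        if dev.findtext("d:deviceType", namespaces=NS) != device_type:
            continue
        for svc in dev.findall("d:serviceList/d:service", NS):
            found[svc.findtext("d:serviceType", namespaces=NS)] = svc.findtext(
                "d:controlURL", namespaces=NS)
    return found


def filter_config(config_xml, granted_service_type):
    """Drop every <service> entry except the one the web app was granted."""
    root = ET.fromstring(config_xml)
    for slist in root.iter("{%s}serviceList" % UPNP_NS):
        for svc in list(slist):
            if svc.findtext("d:serviceType", namespaces=NS) != granted_service_type:
                slist.remove(svc)
    return ET.tostring(root, encoding="unicode")
```

As the quoted message says, filtering the field does not stop a web app from guessing the other control URLs, which is the argument for granting access per device.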