W3C home > Mailing lists > Public > public-device-apis@w3.org > October 2013

[discovery] improving the acceptability of the NSD API

From: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>
Date: Mon, 07 Oct 2013 19:10:55 +0200
Message-ID: <5252EB1F.7030500@telecom-paristech.fr>
To: Device APIs Working Group <public-device-apis@w3.org>
Dear all,

Re-reading the security issues brought to this list by Youenn,
I wonder if we should drastically tighten up the security of the NSD API.
Can we not just _remove_ the fields url and config from the 
NetworkService interface ?
This way, the discovering web app would have no direct route to the 
services: it would have only a handle that is useless for fingerprinting 
or hacking.
One additional field would be a blob for the service description, if any.

Then, to allow communication between the discovering web app and the 
service, the NSD implementation would offer an _indirect_ communication 
One possibility for the indirect communication channel could be 
Ajax-like, another
could be WebSocket-like, another could be using UPnP messaging 
What I mean is the API offered by NSD would replace, in the original 
API, any URL or IP
with the handle, and if necessary remove any address from returned 
I have already implemented the last (UPnP-style messaging), have created 
examples and never needed to provide to the web apps any direct link to 
the services.

It would be quite a powerful argument against NSD detractors that the url
or IP of the service is never shared with the web app, and that all 
passes through/can be checked by the NSD implementation.
Best regards
TÚlÚcom ParisTech <http://www.telecom-paristech.fr> 	*Jean-Claude 
DUFOURD <http://jcdufourd.wp.mines-telecom.fr>*
Directeur d'Útudes
TÚl. : +33 1 45 81 77 33 	37-39 rue Dareau
75014 Paris, France

Site web <http://www.telecom-paristech.fr>Twitter 
Received on Monday, 7 October 2013 17:11:31 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC