
RE: WebIDL for Thing API

From: Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com>
Date: Fri, 18 Dec 2015 10:16:16 +0100
To: "'Bassbouss, Louay'" <louay.bassbouss@fokus.fraunhofer.de>
CC: "public-wot-ig@w3.org" <public-wot-ig@w3.org>
Message-ID: <6DFA1B20D858A14488A66D6EEDF26AA303F1EB5F0B86@seldmbx03.corpusers.net>
Thanks Louay,

Yes, a Security/Privacy analysis needs to be done. As far as I understand the W3C Presentation API is based on user consent for a web app from any domain to access a presentation display. However, for the general Thing API the security model may need to be stricter as the potential damage of attacks could be worse. For example consider controlling actuators or getting access to medical data.

BR
  Claes

From: Bassbouss, Louay [mailto:louay.bassbouss@fokus.fraunhofer.de]
Sent: den 16 december 2015 17:05
To: Nilsson, Claes1
Cc: public-wot-ig@w3.org
Subject: Re: WebIDL for Thing API

Thx Claes for the feedback. Please find my comments inline.

Thx
Louay
On 16 Dec 2015, at 14:57, Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com> wrote:

Hi Louay,

Thanks for this API. My comments follow below:

// Filter passed to Thing discovery; every member is optional.
// (WebIDL dictionary members are declared without the `attribute` keyword.)
dictionary ThingFilter {
    DOMString? type;
    ThingProximity? proximity;
    DOMString? id;
    DOMString? server;
};

So this is the address, URL, of a server containing a directory of "things", e.g. an IETF CoRE Resource Directory?
Yes server is the address of the directory where to search for things. We may need additional information to the end-point url like you mentioned below regarding security/privacy. If you have any recommendation please let me know.




Looking at security/privacy and access authorization aspects of this API, is the assumption that the web application or server application (e.g. node.js) has already been authorized to access the “thing”? If not, is it assumed that, after a thing has been discovered, an authorization session with e.g. OAuth will be executed before the web app is allowed to access the thing?
Security/Privacy is not considered yet in the current API. We need input/feedback from the Security/Privacy Task force.




Best regards

  Claes


From: Bassbouss, Louay [mailto:louay.bassbouss@fokus.fraunhofer.de]
Sent: den 14 december 2015 13:27
To: public-wot-ig@w3.org
Subject: WebIDL for Thing API

Dear group members,

I just submitted the initial WebIDL draft of the Thing API [1] I demonstrated @TPAC in Sapporo. It also considers feedback I received from some of you. It is just a draft to start with. Can we put an agenda item to discuss it in the next phone call?

Regards,
Louay

[1]: https://github.com/w3c/wot/blob/master/TF-AP/thing-api/thing-api-webidl.md
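The thread above raises two points without settling them: discovery through a `ThingFilter` whose `server` member names a directory, and whether access to a discovered thing should rest on per-origin user consent (as in the Presentation API) or on a stricter authorization step such as an OAuth session, especially for actuators and medical data. The following is an added illustration of that stricter model, written for this archive page; it is not code from the Thing API draft, from Louay or from Claes. The in-memory directory standing in for a directory server, the `https://rd.example/things` URL, the per-thing `sensitivity` field and the token shape are all assumptions made for the example.

```javascript
// Added illustration only; not the Thing API draft's code. The directory,
// thing descriptions, `sensitivity` field and token shape are constructed.

// Stands in for the directory server that a ThingFilter's `server` member
// points at (e.g. a CoRE Resource Directory), keyed by its URL.
const SAMPLE_DIRECTORY = {
  'https://rd.example/things': [
    { id: 'urn:dev:temp-1', type: 'temperature-sensor', proximity: 'near', sensitivity: 'low' },
    { id: 'urn:dev:lock-1', type: 'door-lock',          proximity: 'near', sensitivity: 'actuator' },
    { id: 'urn:dev:ecg-1',  type: 'ecg-monitor',        proximity: 'far',  sensitivity: 'medical' },
  ],
};

// Discovery with the four optional ThingFilter members. `== null` treats both
// null and undefined as "member not set", matching WebIDL nullable members.
function discover(filter = {}) {
  const server = filter.server == null ? 'https://rd.example/things' : filter.server;
  const things = SAMPLE_DIRECTORY[server] || [];
  return things.filter(t =>
    (filter.type == null || t.type === filter.type) &&
    (filter.proximity == null || t.proximity === filter.proximity) &&
    (filter.id == null || t.id === filter.id));
}

// Authorization required per sensitivity class (assumed classification).
// 'consent' is the per-origin user-consent model of the Presentation API;
// 'scoped-token' requires a token (e.g. obtained through an OAuth flow after
// discovery) that names this thing and the requested operation. Actuators and
// medical data get the stricter requirement.
const REQUIRED_AUTH = { low: 'consent', actuator: 'scoped-token', medical: 'scoped-token' };

// ctx: { origin, consentedOrigins: [...],
//        tokens: [{ thing, scope: [...], expires }], now }
function authorize(thing, operation, ctx) {
  // Unknown sensitivity class: fall back to the strict path.
  const needed = REQUIRED_AUTH[thing.sensitivity] || 'scoped-token';
  const consented = ctx.consentedOrigins.includes(ctx.origin);
  if (needed === 'consent') {
    return consented ? { ok: true, via: 'consent' } : { ok: false, reason: 'no user consent' };
  }
  // Strict path: consent alone is not enough; an unexpired token scoped to
  // exactly this thing and operation must be present.
  const token = ctx.tokens.find(tk =>
    tk.thing === thing.id && tk.scope.includes(operation) && tk.expires > ctx.now);
  if (!token) return { ok: false, reason: 'scoped token required' };
  return { ok: true, via: 'scoped-token' };
}

// Discover, then decide per matching thing whether `operation` may proceed.
function accessThings(filter, operation, ctx) {
  return discover(filter).map(t => ({ id: t.id, ...authorize(t, operation, ctx) }));
}
```

The point of separating `discover` from `authorize` is that discovery results carry no rights: a web app that has been granted per-origin consent can read the low-sensitivity sensor but still cannot actuate the lock or read the ECG monitor until it presents a token scoped to that specific thing and operation, and an expired token or one issued for a different thing is rejected.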


Received on Friday, 18 December 2015 09:17:20 UTC
