Re: Notes on W3C WoT Security Use Cases from Benjamin Francis on 2017-07-19 (public-wot-ig@w3.org from July 2017)

From: Benjamin Francis <bfrancis@mozilla.com>
Date: Wed, 19 Jul 2017 12:33:36 +0100
To: "Mccool, Michael" <michael.mccool@intel.com>
Cc: Dave Raggett <dsr@w3.org>, Soumya Kanti Datta <Soumya-Kanti.Datta@eurecom.fr>, "Reshetova, Elena" <elena.reshetova@intel.com>, "public-wot-wg@w3.org" <public-wot-wg@w3.org>, "public-wot-ig@w3.org" <public-wot-ig@w3.org>
Message-ID: <CAKQmVV8eO2Oz_QSFT6+PQS_awY47vnCbvk_ETY0JTxMv9b7+9Q@mail.gmail.com>

On 15 July 2017 at 08:02, Mccool, Michael <michael.mccool@intel.com> wrote:

> I was meaning to bring this up as well.  Michael Koster and I were talking
> about some related issues yesterday (mDNS, resource directories, etc) and
> the issue has been brought up by customers who were struggling with keeping
> devices available when "offline".
>
> I think in the short term mDNS combined with a local resource directory
> will work, the trouble is, who runs the directory?  OCF will include such a
> service but it is meant for OCF devices.   We do have a Thing Description
> registry in our architecture but can't guarantee one will be running in a
> specific local environment.  Ideally every router would have a local
> registry/resource directory.   In the shorter term IoT "hubs" may have to
> provide it (and we may have to deal with multiple registries showing
> up...).   This could also be part of Edge/Fog computing stacks.
>

Again, the problem with mDNS is that it can only be used with plain HTTP or
a self-signed SSL certificate. This is fine if you trust all the devices on
your local network, but in many applications that may not be acceptable. In
which case you need some way to resolve public domain names inside the
local network in order to use HTTPS, or use plain HTTP and use some other
encryption mechanism at the message level (e.g. using a shared secret which
is initially shared over an HTTPS connection when it's available).

I agree that IoT hubs/gateways will have a role in this and that the ideal
solution is for routers to handle the local DNS resolution somehow.

>
> I'm at IETF this week and there is a workshop on Monday on Distributed
> Internet, and I'm sure distributed DNS is going to be discussed.   In the
> long term I think these discussions will result in a standard.  What to do
> in the meantime is the question...
>

This does seem like something which needs solving at the network protocol
level, it's a bit of a shortcoming of DNS and TLS which may have been a
small issue in the past with intranets, but will become much more of a
problem with billions of IoT devices on local networks. If everyone comes
up with their own encryption mechanism on top of existing protocols then
interoperability is going to be really hard!

Received on Wednesday, 19 July 2017 11:34:04 UTC