W3C home > Mailing lists > Public > public-wot-ig@w3.org > July 2017

Re: Notes on W3C WoT Security Use Cases

From: Benjamin Francis <bfrancis@mozilla.com>
Date: Fri, 21 Jul 2017 14:33:59 +0100
Message-ID: <CAKQmVV_59KBSVGQRpUko9WxhcH6rUquWxxNUcbFOi-iYbiefyA@mail.gmail.com>
To: "Mccool, Michael" <michael.mccool@intel.com>
Cc: Dave Raggett <dsr@w3.org>, "daisuke.ajitomi@toshiba.co.jp" <daisuke.ajitomi@toshiba.co.jp>, Soumya Kanti Datta <Soumya-Kanti.Datta@eurecom.fr>, "Reshetova, Elena" <elena.reshetova@intel.com>, public-wot-ig <public-wot-ig@w3.org>, "public-wot-wg@w3.org" <public-wot-wg@w3.org>
On 20 July 2017 at 10:47, Mccool, Michael <michael.mccool@intel.com> wrote:

> Browsers may complain about unknown certs though, which may scare some
> users, so the question is: is direct access to the devices by a standard
> browser by an ordinary user (as opposed to a developer, which could just
> install the private certs) a nice-to-have, or essential?   It may be
> necessary to install a custom app (which can provision certs using a custom
> onboarding mechanism) rather than use an ordinary browser to talk to
> devices.
>

This is what we're trying to avoid. It's possible that in the short term a
compromise might be that our gateway is accessible over HTTPS remotely, but
secure local access requires a native app which can do some non-standard
encryption when the Internet connection drops. We'd then count on a long
term solution being baked into new versions of HTTP, DNS etc.

But experience tells me that temporary hacks like this have a habit of
sticking around so we'd rather find a solution that works in the browser
too if we can.

A colleague (James Hobin) has been experimenting
<https://github.com/mozilla-iot/gateway/issues/171#issuecomment-316798791>
with Service Workers to try to fall back to a local connection when the
Internet goes down, but so far this still causes browser exceptions due to
mixed content warnings. James also came across Forge
<https://github.com/digitalbazaar/forge>, which implements TLS in
JavaScript and could possibly be used for some kind of HTTPS over HTTP, but
that sounds like a pretty ugly hack.

Ben
Received on Friday, 21 July 2017 13:34:25 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 July 2017 13:34:26 UTC