W3C home > Mailing lists > Public > public-automotive@w3.org > June 2016

Re: Draft Specification for Service Based Approach Using WebSockets

From: Junichi Hashimoto <xju-hashimoto@kddi.com>
Date: Wed, 8 Jun 2016 09:53:35 +0900
To: Song Li <ls@newskysecurity.com>
Cc: "Gavigan, Kevin" <kgavigan@jaguarlandrover.com>, Paul Boyes <Paul.Boyes@inrix.com>, Peter Winzell <Peter.Winzell@melcogot.com>, "Crofts, Adam" <acrofts1@jaguarlandrover.com>, public-automotive <public-automotive@w3.org>, Peter Virk <pvirk1@jaguarlandrover.com>, Lovene Bhatia <lbhatia@jaguarlandrover.com>
Message-ID: <988abd5d-92a6-582d-4807-ca0aead1454d@kddi.com>
Hi Song,

I think certificate type is a different topic but if your example solves 
my concern, please share the idea.

In the draft[1], we see the following sample code:
   var vehicle  = new WebSocket(“wss://localhost:4343”);

To implement this, the local server has to keep a certificate which 
common name is 'localhost' and also keep the corresponding private key.

Because this key is a part of the local server 'app', it is very hard to 
prevent attackers retrieving this key. This cause issues. e.g.,

- Falsification of data
- Man-in-the-middle between apps and the local server

Additionally, the certificate and the key are valid on anywhere, 
anydevice. I don't think major providers allow such use.

[1] 
https://www.w3.org/auto/wg/wiki/Vehicle_Information_Service_Specification#Security_and_Privacy_Considerations

Regards,
Junichi


On 2016/06/08 8:57, Song Li wrote:
> Allow me to jump in for these questions.
>
> There are two types of ssl certificates: wild card and multi-domain. If
> example.com <http://example.com> is going to have a wild card
> certificate, it will cover all example.com <http://example.com>
> subdomains, such as www.example.com <http://www.example.com>
> api.example.com <http://api.example.com>, etc. If admin of example.com
> <http://example.com> choose to use multi-domain certificates, the
> certificates will cover a limited number of domains of example.com
> <http://example.com>. Multiple domains can share the same certificate in
> both cases, they do not have to have different certificates, but they can.
>
> Certificates are deployed to servers and they should not be shared with
> people who are not admins of the domains. Certificates are deployed on
> the servers hosting the domain(s), and only public key portion of the
> certificates will be sent over the wire. Things get more complicated if
> CDN is used to speed up content distribution, but can be solved using
> multi-domain certificates. Clients, such as browsers / java code,
> verifies the certificates before communicating with server for secured
> content.
>
> Let me know if you need examples / implementation details. Our company's
> using a wild card certificated for our https://www.newskysecurity.com
> domains.
>
> Regards
>
> Song Li
>
> Co-founder and CTO
> NewSky Security <https://newskysecurity.com>
>
> On Tue, Jun 7, 2016 at 4:23 PM, Junichi Hashimoto
> <xju-hashimoto@kddi.com <mailto:xju-hashimoto@kddi.com>> wrote:
>
>     Hi Kevin,
>
>     Implementers would like to know how to manage the certificates for
>     https/wss connection in the server. For example, they would like to
>     know whether each server should have different certificates or not,
>     how the certificates should be kept securely, etc.
>
>     Junichi
>
>     On 2016/06/08 0:36, Gavigan, Kevin wrote:
>
>         Hi,
>
>         I've updated the Security section to include some general points
>         that
>         apply to both WebSockets and RESTful web services:
>
>         https://www.w3.org/auto/wg/wiki/Vehicle_Information_Service_Specification#Security_and_Privacy_Considerations
>
>         Kind regards,
>
>         Kevin
>
>         /Kevin Gavigan BSc, MSc, PhD, MCP, MCTS/
>         /Software Architect/
>         /Connected Infotainment/
>         /Electrical, Electronic and Software Engineering (EESE)//
>         /
>         Jaguar Land Rover
>         /
>         /
>         /Mobile: 07990 084866
>         /
>         /Email:/ kgavigan@jaguarlandrover.com
>         <mailto:kgavigan@jaguarlandrover.com>
>         <mailto:kgavigan@jaguarlandrover.com
>         <mailto:kgavigan@jaguarlandrover.com>>
>
>         /Office address:/
>         GO03/057 • Building 523, Gaydon • Maildrop: (G03)/
>         /Jaguar Land Rover • Banbury Road • Gaydon • Warwick • CV35 0RR
>
>         On 7 June 2016 at 14:18, Paul Boyes <Paul.Boyes@inrix.com
>         <mailto:Paul.Boyes@inrix.com>
>         <mailto:Paul.Boyes@inrix.com <mailto:Paul.Boyes@inrix.com>>> wrote:
>
>             Excellent indeed.  I will look at this in detail later today.
>
>             *Paul J. Boyes* | INRIX | Director of Telematics and Standards -
>             OpenCar  |  206-276-9675 <tel:206-276-9675> |
>         paul.boyes@inrix.com <mailto:paul.boyes@inrix.com>
>             <mailto:bryan@inrix.com <mailto:bryan@inrix.com>> |
>         www.inrix.com <http://www.inrix.com>
>
>         <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.inrix.com_&d=BQMFAg&c=QbuapHRvbn0JdC8vTVkPHg&r=PRAN7lum5Ra662QLho8LU3bhFjBvLXn3bBkFbW0Amjo&m=V5l0WXfOEJwhcE0JsN06mQ5SQhpXL-DuAuK3YcnTZoc&s=OqQVi_DcS5rv8or8hZdFvY0re6YF0Wl-_8okxrxOF0w&e=>
>
>                 On Jun 7, 2016, at 3:56 AM, Peter Winzell
>                 <Peter.Winzell@melcogot.com
>             <mailto:Peter.Winzell@melcogot.com>
>             <mailto:Peter.Winzell@melcogot.com
>             <mailto:Peter.Winzell@melcogot.com>>>
>                 wrote:
>
>                 Excellent !____
>                 I have just browsed through – Thank you for your hard
>             work!!____
>                 /pw____
>                 __ __
>                 *From:* Crofts, Adam
>             [mailto:acrofts1@jaguarlandrover.com
>             <mailto:acrofts1@jaguarlandrover.com>]
>                 *Sent:* Monday, June 6, 2016 12:58 PM
>                 *To:* public-automotive
>                 *Cc:* Kevin Gavigan; Peter Virk; Lovene Bhatia
>                 *Subject:* Draft Specification for Service Based
>             Approach Using
>                 WebSockets____
>                 __ __
>                 Hi All, ____
>                 __ __
>                 Kevin and I have drafted a specification for the service
>             based
>                 approach using WebSockets, as discussed in Issue 81
>                 <https://github.com/w3c/automotive/issues/81>. The draft
>             can be
>                 found in the working group wiki here
>
>             <https://www.w3.org/auto/wg/wiki/Vehicle_Information_Service_Specification#WebSocket_2>.____
>                 __ __
>                 The specification builds upon the approach raised by Powell
>                 Kinney, using a single WebSocket to send JSON data
>             structures to
>                 the server. The JSON structure specifies the desired vehicle
>                 signal specification (VSS) path, an action parameter to
>             specify
>                 get, set, subscribe or unsubscribe as well as a number
>             of optional
>                 parameters.____
>                 __ __
>                 This specification allows:____
>
>                   * Use of the VSS, including wildcards and indexing____
>                   * GET/SET over WebSocket____
>                   * SUBSCRIBE to receive change notifications, allowing
>             settable
>                     change thresholds and upper/lower bounds____
>                   * SUBSCRIBE to receive notifications at a given time
>             interval.____
>                   * UNSUBSCRIBE via a subscription handle____
>                   * UNSUBSCRIBE from all notifications____
>                   * Security tokens to be passed from the client to the
>             server,
>                     such as OAuth 2.0____
>
>                 We'll go through this on the call on Tuesday night and look
>                 forward to hearing your thoughts.____
>                 __ __
>                 Kind regards, ____
>                 __ __
>                 Adam____
>                 __ __
>                 -- ____
>                 *Adam C**rofts MEng (Hons) MIET*____
>                 Connected Infotainment____
>                 Vehicle Engineering____
>                 Tel: +44 (0) 1926 921607
>             <tel:%2B44%20%280%29%201926%20921607> | 87311607____
>                 Mob: +44 (0) 7790 094350
>             <tel:%2B44%20%280%29%207790%20094350>
>                 Desk: G03/054, Building 523, Gaydon____
>                 Mail Drop: G/26/3, Building 523, Gaydon____
>                 __ __
>                 ____
>                 __ __
>                 Jaguar Land Rover Limited____
>                 Registered Office: Abbey Road, Whitley, Coventry CV3 4LF
>             ____
>                 Registered in England No: 1672070____
>                 __ __
>                 This e-mail and any attachments contain confidential
>             information
>                 for a specific individual and purpose.  The information
>             is private
>                 and privileged and intended solely for the use of the
>             individual
>                 to whom it is addressed.  If you are not the intended
>             recipient,
>                 please e-mail us immediately.  We apologise for any
>             inconvenience
>                 caused but you are hereby notified that any disclosure,
>             copying or
>                 distribution or the taking of any action in reliance on the
>                 information contained herein is strictly prohibited.
>
>
>
>
>
>     --
>     <>------------------------------------------------<>
>              au x HAKUTO  MOON CHALLENGE
>                http://au-hakuto.jp/
>        KDDI/au competing in the Google Lunar XPRIZE
>        Providing communication technology support for
>        the Japanese team - HAKUTO
>     <>------------------------------------------------<>
>
>


-- 
<>------------------------------------------------<>
          au x HAKUTO  MOON CHALLENGE
            http://au-hakuto.jp/
    KDDI/au competing in the Google Lunar XPRIZE
    Providing communication technology support for
    the Japanese team - HAKUTO
<>------------------------------------------------<>
Received on Wednesday, 8 June 2016 01:04:12 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 24 October 2017 18:52:50 UTC