Re: Why aren't most devices virtual web services?

Hi Mark,

On Jan 8, 2010, at 03:47 , Mark S. Miller wrote:
> For most devices, why not treat each device as a virtual web service, exposing its API as a RESTful API in terms of GETs and POSTs. This would reduce the present security problems to a previously unsolved problem, of how one web site becomes authorized to use web services provided by another site. 

I like the idea and in fact I've previously worked with a system that functioned very much in this way (albeit with the big difference that no specific security was required in that context). My primary concern however is that this could be one of those ideas that, if pursued, could turn out to actually be more complex and more riddled with corner cases than one might at first expect.

In order to investigate whether this would be a good option or not, how about we looked into exposing the Geolocation API in this manner? I think that it has the right sort of problems without being too complex: requests with parameters, notifications, privacy requirements. If we agree that it's a good example, I'll be happy to take a stab at this.

One issue that spring to mind is the fact that XHR (and presumably any newer derivates) supports synchronous access. If user consent is obtained through an infobar (as in Geo) that means freezing until the infobar is accepted or clicked — essentially turning it into a modal infobar. I'd like folks to think about the potential security implications here.

Beyond that, a (secondary) worry is the maturity of paraphernalia such as JSON Schema and JSONpath that we could want to use here. But that's a bridge we can cross any number of ways.

--
Robin Berjon
  robineko — hired gun, higher standards
  http://robineko.com/

Received on Wednesday, 13 January 2010 14:17:17 UTC