Re: [httpslocal/usecases] Clarify requirements (#4)

I have some comments on the requirements on Device Discovery.

REQ-01: Device Discovery

- The UA (the web browser mentioned in the use cases above) shall be able to securely discover the presence of HTTPS/WSS server capable devices (hereinafter just called 'device') that are connected to the local network.

The term "securely discover" should be clarified. I think of it as follows.
(1) Authentication: The UA should be able to discover only devices which are trusted by someone.
(2) Confidentiality: The data in a discovery message should be visible only to the UA and the device.
(3) Integrity: I think that the data in a discovery message should not be modified by others.

I do not have any issues with (2) and (3), but I do with (1). Is it done by public authorities, a private authority, or a user? Should the UA be authenticated as well as devices?

- A secure context loaded from the internet to the UA (hereinafter just called 'secure context') should also be able to discover target device capabilities that are actively (e.g., turned on) connected to the local network (e.g., device type, identity of a set of Web APIs, and so on).

It is unclear to me if the UA needs to know target device capabilities. If such information is just presented to a user, any arbitrary description of the device may be sufficient.

- A secure context shall be able to get access to the locally discovered device based on the user consent.

I agree on this.

- If there are multiple devices in local network, the UA shall be able to provide the user with a way to select one device at a time which she intends to use on the secure context.

I suggest removing "if there are multiple devices in local network" or changing it to "when ...".

- The list of devices in local network must not be exposed directly to web applications. The UA must provide web applications with only information or interface related to the device selected by a user.

I suggest rephrasing as follows.
UA shall not expose any information or interface on devices to a web application without user consent.

- etc.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/httpslocal/usecases/issues/4#issuecomment-336059829

Received on Thursday, 12 October 2017 08:34:43 UTC