Re: WebIDL for Thing API

A related point is the desire to discover things that are compatible with the software you want to use. In principle, devices could expose different versions of things for use with legacy software. This becomes important as we scale up to a worldwide market of devices and services.

> On 18 Dec 2015, at 09:16, Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com> wrote:
> 
> Thanks Louay,
>  
> Yes, a Security/Privacy analysis needs to be done. As far as I understand, the W3C Presentation API is based on user consent for a web app from any domain to access a presentation display. However, for the general Thing API the security model may need to be stricter as the potential damage of attacks could be worse. For example, consider controlling actuators or getting access to medical data.
>  
> BR
>   Claes
>  
> From: Bassbouss, Louay [mailto:louay.bassbouss@fokus.fraunhofer.de] 
> Sent: den 16 december 2015 17:05
> To: Nilsson, Claes1
> Cc: public-wot-ig@w3.org
> Subject: Re: WebIDL for Thing API 
>  
> Thx Claes for the feedback. Please find my comments inline.
>  
> Thx
> Louay
> On 16 Dec 2015, at 14:57, Nilsson, Claes1 <Claes1.Nilsson@sonymobile.com> wrote:
>  
> Hi Louay,
>  
> Thanks for this API. My comments follow below:
>  
> ·        dictionary ThingFilter {
>     attribute DOMString? type;
>     attribute ThingProximity? proximity;
>     attribute DOMString? id;
>     attribute DOMString? server; 
> };
> 
> So this is the address, URL, of a server containing a directory of "things", e.g. an IETF CoRE Resource Directory?
> Yes, server is the address of the directory where to search for things. We may need additional information to the end-point URL like you mentioned below regarding security/privacy. If you have any recommendation please let me know.
> 
> 
> 
> ·        Looking at security/privacy and access authorization aspects of this API, is the assumption that the web application or server application (e.g. node.js) has already been authorized to access the “thing”? If not, is it assumed that, after a thing has been discovered, an authorization session with e.g. OAuth will be executed before the web app is allowed to access the thing?
> Security/Privacy is not considered yet in the current API. We need input/feedback from the Security/Privacy Task force. 
> 
>  
> Best regards
>   Claes
>  
>  
> From: Bassbouss, Louay [mailto:louay.bassbouss@fokus.fraunhofer.de]
> Sent: den 14 december 2015 13:27
> To: public-wot-ig@w3.org
> Subject: WebIDL for Thing API 
>  
> Dear group members, 
>  
> I just submitted the initial WebIDL draft of the Thing API [1] I demonstrated @TPAC in Sapporo. It also considers feedback I received from some of you. It is just a draft to start with. Can we put an Agenda item to discuss it in the next phone call?
>  
> Regards,
> Louay
>  
> [1]: https://github.com/w3c/wot/blob/master/TF-AP/thing-api/thing-api-webidl.md
—
   Dave Raggett <dsr@w3.org>

Received on Friday, 18 December 2015 11:12:26 UTC