Re: Notes on W3C WoT Security Use Cases

On 20 July 2017 at 10:47, Mccool, Michael <michael.mccool@intel.com> wrote:

> Browsers may complain about unknown certs though, which may scare some
> users, so the question is: is direct access to the devices by a standard
> browser by an ordinary user (as opposed to a developer, who could just
> install the private certs) a nice-to-have, or essential? It may be
> necessary to install a custom app (which can provision certs using a custom
> onboarding mechanism) rather than use an ordinary browser to talk to
> devices.
>

This is what we're trying to avoid. It's possible that in the short term a
compromise might be that our gateway is accessible over HTTPS remotely, but
secure local access requires a native app which can do some non-standard
encryption when the Internet connection drops. We'd then count on a
long-term solution being baked into new versions of HTTP, DNS etc.

But experience tells me that temporary hacks like this have a habit of
sticking around so we'd rather find a solution that works in the browser
too if we can.

A colleague (James Hobin) has been experimenting
<https://github.com/mozilla-iot/gateway/issues/171#issuecomment-316798791>
with Service Workers to try to fall back to a local connection when the
Internet goes down, but so far this still causes browser exceptions due to
mixed content warnings. James also came across Forge
<https://github.com/digitalbazaar/forge>, which implements TLS in
JavaScript and could possibly be used for some kind of HTTPS over HTTP, but
that sounds like a pretty ugly hack.

Ben

Received on Friday, 21 July 2017 13:34:25 UTC
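As an added illustration of the Service Worker fallback described in the message above (this is example code written for this page, not code from the thread or from the mozilla-iot/gateway project): a fetch handler that tries the remote HTTPS gateway first and falls back to the same path on a LAN gateway when the network fails, together with a simplified version of the browser's "potentially trustworthy origin" rule that explains why the fallback is blocked as mixed content. The hostnames, the LAN address 192.168.1.10:8080, the paths and the stand-in fetch are all made up for the example; the trustworthiness rule is an approximation of the Secure Contexts spec, not the browser's exact implementation.

```javascript
// Added example, not code from the thread or the gateway project: a
// service-worker style fetch handler with a local fallback, plus a simplified
// version of the browser's "potentially trustworthy origin" rule. Hostnames,
// addresses and paths are made up for illustration.

// Simplified Secure Contexts rule: https/wss/file, "localhost" names and the
// loopback addresses count as trustworthy; anything else over plain http does
// not. (Real browsers also check that "localhost" actually resolves to loopback.)
function isPotentiallyTrustworthy(urlString) {
  const u = new URL(urlString);
  if (u.protocol === 'https:' || u.protocol === 'wss:' || u.protocol === 'file:') {
    return true;
  }
  const host = u.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (host === '[::1]') return true;                              // IPv6 loopback
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true; // 127/8
  return false;
}

// A document served over https: may only fetch potentially trustworthy
// subresources; everything else is blocked as mixed content. A document served
// over plain http: is not restricted, which is why the LAN-only case works.
function isBlockedMixedContent(pageUrl, targetUrl) {
  if (new URL(pageUrl).protocol !== 'https:') return false;
  return !isPotentiallyTrustworthy(targetUrl);
}

// Rewrite the remote request URL to the same path on the local gateway.
// Returns null when the browser would refuse to load it from this page.
function localFallbackUrl(pageUrl, remoteUrl, localOrigin) {
  const remote = new URL(remoteUrl);
  const local = new URL(remote.pathname + remote.search, localOrigin);
  return isBlockedMixedContent(pageUrl, local.href) ? null : local.href;
}

// Service-worker style handler: remote first, local only on network failure.
// `fetchImpl` is injected so the logic can run outside a browser.
async function fetchWithLocalFallback(request, { pageUrl, localOrigin, fetchImpl }) {
  try {
    return await fetchImpl(request.url);
  } catch (remoteErr) {
    const local = localFallbackUrl(pageUrl, request.url, localOrigin);
    if (local === null) {
      throw new Error(`remote gateway unreachable (${remoteErr.message}) and ` +
        `local fallback ${localOrigin} would be blocked as mixed content`);
    }
    return fetchImpl(local);
  }
}

// Constructed stand-in for fetch(): the remote host is "down", any other host
// answers. Returns plain objects rather than Response instances.
async function fakeFetch(url) {
  if (new URL(url).hostname === 'gateway.example') throw new Error('ENETUNREACH');
  return { ok: true, url };
}

// Registration as it would look inside a real service worker script. The
// worker's own origin is the one the mixed-content check is made against.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    event.respondWith(fetchWithLocalFallback(event.request, {
      pageUrl: self.location.href,
      localOrigin: 'http://192.168.1.10:8080', // assumed LAN address of the gateway
      fetchImpl: fetch,
    }));
  });
}

// Demonstration when run directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  const req = { url: 'https://gateway.example/things/lamp' };
  const page = 'https://gateway.example/';
  fetchWithLocalFallback(req, { pageUrl: page, localOrigin: 'http://192.168.1.10:8080', fetchImpl: fakeFetch })
    .then((r) => console.log('unexpected:', r), (e) => console.log('blocked:', e.message));
  fetchWithLocalFallback(req, { pageUrl: page, localOrigin: 'http://127.0.0.1:8080', fetchImpl: fakeFetch })
    .then((r) => console.log('served from', r.url));
}
```

The two runs at the bottom show the asymmetry that bites the gateway: with the fallback pointing at a loopback address the request goes through, because 127.0.0.1 is a potentially trustworthy origin even over plain http, while the same fallback to a LAN address is refused before any connection is attempted. Forge-style TLS in JavaScript does not change this verdict, since the browser classifies the outer http: URL, not what is tunnelled inside it.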