-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Profile needs a simple self descriptive mechanism without huge implementation demands #263
Comments
My proposal in w3c/wot-profile#112 for which I have a PR at w3c/wot-profile#121 is that all Things conforming to the Core (HTTP+JSON) Profile must as a minimum have their Thing Description retrievable from an HTTP URL. This would allow for direct discovery (e.g. copy & pasting a URL or using a QR code or Bluetooth beacon). There was also a suggestion that the Core Profile should make the Well-Known URI introduction mechanism mandatory, but there are issues with that, discussed in w3c/wot-profile#121. There was also a suggestion that the Core Profile should make support for the Directory Service API mandatory for conformant Consumers, but that would significantly increase implementation complexity. |
Let me discuss this with the Security and Discovery TF today and see if we can come up with a set of recommendations. At this point I'm thinking that if we want secure self-description, we'll need some kind of on-boarding process described as part of the Profile. Unfortunately (it should be a separate and more general specification). |
Recommendations:
In both cases the self-description process itself would be as given above: .well-known + self-description (GET a TD from the given URL). Will look at extending this to multiple TDs in parallel. Some of the above, e.g. using PSK on LANs, should also go into the Security Considerations section of Discovery. |
@mmccool wrote:
Surely the simplest introduction mechanism is actually Direct, which could literally just be copying & pasting the URL
It does handle the use case of multiple Things on one server in that a well-known URI can return a Directory Description, but this also means that making the well-known URI introduction mechanism mandatory for Core Profile has the side effect of making support for the Directory Service API mandatory for all conformant Consumers. Please see w3c/wot-profile#121 (comment) for a further explanation.
Isn't this exactly what the listing feature of the Directory Service API does? Why create a separate mechanism which does the same thing?
I suggest the more salient security problem with discovery is how a Consumer knows how to authenticate to access a protected Thing Description. Please see #135 for a proposed solution to that problem, which hasn't yet been added to the WoT Discovery specification. How to provide transport encryption for Things on a local network is certainly a problem, but it seems largely orthogonal to discovery.
This sounds like a very complicated mechanism to make a mandatory part of the Core Profile. We explored an approach like this for WebThings Gateway and ultimately it didn't really help because of the self-signed certificates issue. If the hub acts as the router for the local network and controls the DNS configuration of all clients using DHCP then it's technically possible to use a certificate for a public domain on a local network, but in practice that doesn't really work either because web browsers often have their own DNS configuration.
Please don't do this. We have discussed many times why making TLS mandatory doesn't help, and just creates more problems.
I suggest the only on-boarding process that's missing is security bootstrapping, which can be solved with an already standardised
I am very sceptical this will work in web browsers, but as a minimum it requires further incubation and testing. Let's please try to keep this issue to discussion about requirements for the WoT Discovery specification and discuss discovery requirements for the WoT Profile specification in the existing issue w3c/wot-profile#112. Regarding requirements for the WoT Discovery specification, it would be very useful if the security bootstrapping issue was solved, by explaining what a Consumer should do if it gets the Regarding the discovery requirements of the Core Profile, I have added my updated recommendation here w3c/wot-profile#112 (comment) |
OK, let me think about it some more. In the meantime, we did discuss the problem of multiple-TDs-on-one-device and noted that TD Links could be used to solve this. Basically this means the GET at the .well-known URL would return a single TD, but that TD would include links to other TDs at other URLs. This would not require a normative change to the Discovery specification, but perhaps a clarifying statement in section 6.1 would be helpful. We probably should also mandate that consumers following the profile should support this format for fetching multiple TDs upon self-discovery. |
Looking at the discussion under w3c/wot-profile#121 (comment), it seems we should fix the Discovery spec instead to allow TD Links to point to TDs directly rather than just directories. We could also add the constraint that self-discovery could ONLY return links to Things that are NOT directories (e.g. only letting directories link to other directories, which was the INTENDED function). |
@mmccool Thing Link isn't intended for just directories. Please see the three defined scenarios under https://w3c.github.io/wot-discovery/#example-td-link-type Apart from adding a clarifying statement to section 6.1, we also need to modify the assertion to allow defining more than just one link in the Thing Link TD. Currently the assertion is as follows:
Moreover, we may need to recommend a new link relation type, instead of We discussed the idea at: |
I think we've dealt with this now by (a) making the required features for Directories more lightweight (b) more clearly defining what a Discoverer needs to implement. If this is resolved now, I'd like to close this issue. |
Let's give this one more week for comments. If there aren't any, I'm going to assume this issue has been resolved and will close it. |
Am I right in thinking that based on the new requirements set out in section 5, a Discoverer MUST understand the difference between a Thing Description, a Thing Link and a Thing Description Directory [Description] by parsing the If so, it's possible that for the HTTP Baseline Profile we could simply require that:
In other words they must support the Direct introduction mechanism and Self-description exploration mechanism using HTTP, but don't necessarily have to implement the Directory Service API or Thing Links. If that's all OK, then yes I think this is resolved. If not, then what else could be the minimum requirements for a Discoverer using HTTP? What does a Discoverer need to be able to do with a TDD or Thing Link? |
Does a simple thing have to implement a directory service / implement a discovery API?
The text was updated successfully, but these errors were encountered: