Signing and encrypting body of actual responses of interaction pattern endpoints #118
Comments
|
You're right, right now we only authentication (per-link if necessary) and protocol-level encryption (https, coaps, etc). What we don't support yet are object security schemes. An example would be COSE, an object security scheme for CoAP. Supporting these is definitely on my list of things to do. I think they can be supported by extending the "security scheme" to support them. So security schemes don't have to just be about authentication, they can also indicate encryption schemes. I'd like to better understand your scheme and also maybe propose a strawman based on security schemes. For example, if there was a "jwe" scheme that indicated object encryption with JWS/JWE, would that be sufficient? Would any additional parameters be needed? I imagine that there would have to be a key server, so the scheme might have a URL pointing to that. Then, yes, we really need to go and do the same thing for COSE. |
|
The use of "contentType" rather than "mediaType" now allows parameters for object security to be specified (eg JOSE, COSE). So that is how that should be done, rather than as a security scheme. |
Hi guys,
i am working on implementing of signing and encrypting of payload of device endpoints specified by thing descriptions in our project VICINITY which tries adopt the WoT standard ideas.
I am using JWS and JWE standard to sign and then encrypt actual payloads. This is simple to implement.
However, how i can define specify in Thing description that content of this endpoint is signed and encrypted?
The examples provided in wot-security is about more less the authentication. However we would like to go deep event to encrypting the payload exchanged.
Thanks!
The text was updated successfully, but these errors were encountered: