On 13 October 2016 at 01:51, Martin Thomson <m...@mozilla.com> wrote:
> I agree with this sentiment, but I don't think that we need to insist
> that a new W3C group solve these issues. I'm very much concerned with
> the question of how a new "thing" might be authenticated, even how
> clients of the thing are authenticated, those are definitely well
> within their remit and it should be an important consideration.
> We shouldn't hold the group responsible for the failings of the
> industry at large though, no matter how egregious those failings.
Yes, and let's not be so quick to criticise without an alternative to
*Building the Web of Things* has a chapter on "Securing and sharing web
Things" which covers encryption (TLS, HTTPS, WSS), authentication (OAuth),
authorization and access control (API tokens and ACLs). EVRYTHNG have a white
paper on this topic which also touches on other areas like network layer
encryption, firmware vulnerabilities, ISO 27001, SOC 1/2/3, PCI DSS and
addresses the "OWASP Internet of Things Top Ten vulnerabilities". That
seems like a good foundation to build on.
I mention this because EVRYTHNG is one of the members of the Interest Group
so I think the expertise is there, it's just a bit buried at the moment in
all the noise. Maybe that's something we can help with.
This is probably OK. I would start with this though:
> * insufficiently precise statement of goals; needs more research and
> incubation time
I hope we can come up with something a bit more constructive than
"insufficiently precise statement of goals".
I suggest moving this discussion to dev-iot
dev-platform is now only really about the back end of Firefox which isn't
very relevant here. WoT mainly concerns the server side of the web stack.