AllJoyn decides to use security when the BusObject (AllJoyn's equivalent to IoTivity's resource) is registered with the BusAttachment

BusAttachment.RegisterBusObject(myObj, securityFlag)

If the security flag is false no authentication is needed to access the object. No ACLs are needed for the BusObject. The developer does not need to know anything about security or ACLs to use the BusObject; they just need to understand AllJoyn's RPC framework. There is no expectation of privacy. With something like Wireshark you could figure out everything about the messages passed between peers.

When AllJoyn is using security there are two ways it can be used.

1. Encryption is used but ACLs are not used. If peers can negotiate a secure connection they can talk with each other. This is a result that when AllJoyn security was first created ACLs were not yet done. The security is full end to end security not just the physical connection.

2. Encryption and ACLs are used. If any peer in the uses an ACL then all peers must use ACLs. There are some helper functions to get permissive ACLs that make the BusObject give full access to the BusObject as long as a secure connection can be negotiated.

When security is enabled an application like Wireshark might be able to find out information like who the sender and recipient of a message are but they could not read the content of the message. Last time I looked there was some work being done to prevent an outside program like Wireshark from even being able to read to/from header information but I don't know what the result of that work was.

The level of difficulty for developers learning each gets harder the more you enable:

- Using no security easy
- Using encryption without ACLs hard but someone that already understands basic security should not find it hard.
- Using encryption with ACLs really hard must understand basic security and how to set up and use ACLs.

Hope this helps
George

From: iotivity-dev-bounces at lists.iotivity.org [mailto:iotivity-dev-boun...@lists.iotivity.org] On Behalf Of ???(Uze Choi)
Sent: Wednesday, September 21, 2016 7:04 PM
To: Heldt-Sheller, Nathan <nathan.heldt-sheller at intel.com>; 'Gregg Reynolds' <dev at mobileink.com>; 'Dave Thaler' <dthaler at microsoft.com>
Cc: iotivity-dev at lists.iotivity.org
Subject: Re: [dev] SECURE build flag setting as default configuration

Hi, Nathan,