Re: Proposed W3C Charter: Web of Things Working Group

2019-12-12 Thread Benjamin Francis
Hi,

I'd like to provide Mozilla IoT team feedback on
this charter, the content of which has already been modified slightly based
on our earlier feedback to the
Working Group during the drafting stages.

We are happy overall with the contents of the charter and recommend
approving it (with comment), but the Working Group are aware that we still
have reservations in some areas, which we would like to note.

We would like to join the WoT Working Group under its new charter (we are
already members of the Interest Group, but made a formal objection to the
previous charter for the Working Group in 2016). Our comments on the new
charter are as follows.

We welcome the "interoperability profiles" and "discovery" work items which
we hope may improve interoperability by defining a common cross-domain
default protocol binding, and we note the progress which has been made with
regard to privacy and security considerations.

We still have some areas of concern around the scope of the charter,
specifically:

   1. The work item to continue to define protocol bindings for non-web
   protocols makes the scope unreasonably large and makes ad-hoc
   interoperability very challenging
   2. Thing Description Templates are an unnecessary complication and
   overlap in use cases with interoperability profiles and capability schemas
   defined through semantic annotations
   3. We think that the WoT Architecture specification should really be a
   non-normative note in order to reduce the number of normative
   specifications needed for implementers
   4. Non-normative deliverables for WoT Scripting, Management and
   Packaging also have the potential to unnecessarily increase scope further
   in future and could benefit from further incubation in the WoT Interest
   Group rather than being Working Group deliverables

However, we have found the core Thing Description specification produced by
the Working Group to be very useful and have implemented a (modified
version of) this specification in Mozilla's IoT platform
which has now been in production for two years.
We have gradually been converging our implementation with the Working
Group's specification over time. We would therefore like to support the
continued work of this Working Group to further improve that specification.

On Tue, 3 Dec 2019 at 14:59, L. David Baron  wrote:

> The W3C is proposing a revised charter for:
>
>   Web of Things Working Group
>   https://www.w3.org/2019/11/proposed-wot-wg-charter-2019.html
>   https://lists.w3.org/Archives/Public/public-new-work/2019Nov/0005.html
>
> The differences from the previous charter are:
>
> https://services.w3.org/htmldiff?doc1=https%3A%2F%2Fwww.w3.org%2F2016%2F12%2Fwot-wg-2016.html=https%3A%2F%2Fwww.w3.org%2F2019%2F11%2Fproposed-wot-wg-charter-2019.html
>
> Mozilla has the opportunity to send comments or objections through
> Tuesday, December 17.
>
> Please reply to this thread if you think there's something we should
> say as part of this charter review, or if you think we should
> support or oppose it.
>
> -David
>
> --
> 𝄞   L. David Baron http://dbaron.org/   𝄂
> 𝄢   Mozilla  https://www.mozilla.org/   𝄂
>  Before I built a wall I'd ask to know
>  What I was walling in or walling out,
>  And to whom I was like to give offense.
>    - Robert Frost, Mending Wall (1914)
> ___
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Proposed W3C Charter: Web of Things Working Group

2016-12-09 Thread L. David Baron
On Friday 2016-12-09 18:12 -1000, L. David Baron wrote:
> The W3C is proposing a new charter for:

Please ignore this thread, sorry.  I resent the SVG charter with a
correct subject line.

-David

-- 
𝄞   L. David Baron http://dbaron.org/   𝄂
𝄢   Mozilla  https://www.mozilla.org/   𝄂
 Before I built a wall I'd ask to know
 What I was walling in or walling out,
 And to whom I was like to give offense.
   - Robert Frost, Mending Wall (1914)




Re: Proposed W3C Charter: Web of Things Working Group

2016-12-06 Thread Sandip Kamat
Hi all,

This is a great discussion and (inevitably) security is in fact one of the
key focus areas for the proposed IOT platform/framework that we are working
to create in the Connected devices team. Tantek raises some good points -
We are painfully aware of those. This is going to take much more than just
building our own piece of software and hoping for the best. We are listing
those ideas and creating a plan around them.

I am proposing we get together in the Hawaii Work week to discuss some of
the challenges here and what/how Mozilla can do about those. I and Nicole
would try to find a slot in this (crazy) week. Please ping us if you would
like to be part of this.

-Sandip

On Thu, Dec 1, 2016 at 9:41 AM, Benjamin Francis 
wrote:

> Hi Tantek,
>
> On the very serious issues of security and privacy on the Internet of
> Things, I agree with you.
>
> On your proposed solution to those problems of somehow trying to slow down
> the worldwide deployment of IoT devices (currently forecast to reach tens
> of billions by 2020) and prevent any efforts towards standardisation and
> the defining of best practices, I couldn't disagree with you more.
>
> We have a whole department at Mozilla dedicated to exploring this space
> and it is an organisational goal to attempt to influence standards in this
> area in order to embody Mozilla's values into the design and architecture
> of IoT.
>
> Let's try to make our feedback to the W3C a little more constructive, if
> we can.
>
> Ben
>
> On 29 November 2016 at 19:38, Tantek Çelik  wrote:
>
>> To add to this thread, I think there are still fundamental security
>> issues, which have only gotten worse, that the charter does not
>> address, nor has the incubation to date come even close to
>> understanding, much less prototyping / stress-testing.
>>
>>
>> 1. The rapid deployment of WoT/IoT devices poses an existential threat
>> to the open internet (something we, Mozilla, are particularly focused
>> on protecting more than other orgs are) due to their fundamentally
>> worse security.
>>
>> Since the DDoS attack on krebsonsecurity which motivated our initial
>> formal objection based on lack of security considerations in the
>> charter and incubation, there was the subsequent DYN DDoS attack which
>> took down major sites (Twitter, Github, Reddit, etc.), and that's only
>> with the current deployment of insecure IoT devices, by rogue groups
>> using open source malware. Basically it proved the security point of
>> our formal objection.
>>
>> WoT/IoT devices are both known to already have worse security, and
>> expected to in the future, both in initial design / development, and
>> with the lack of incentive to do security software updates due to such
>> devices being so low margin, often built by small companies that have
>> low life expectancy themselves, then whitelabel bundled into larger
>> devices, with no way of updating the embedded software, e.g. the IoT
>> cameras used in the DDoS attacks.
>>
>> The proposed charter (nor anyone's incubation efforts) does/do not
>> address these low cost, low margin, low life expectancy company,
>> whitelabel embedding issues. All of which have been shown to be real
>> problems.
>>
>> This threat is so bad, that it's not clear that any increased
>> deployment of WoT/IoT is "good" for the open internet.
>>
>> That regardless of tech stack, it is in the interest of maintaining an
>> open internet to do what we can to actually *slow down* the deployment
>> of anything WoT/IoT, up to and including opposing standardization
>> efforts which seek to *accelerate* the deployment of such devices.
>> This is not an "absolute" situation, where we might as well give up
>> because it's going to happen anyway like somewhere other than W3C, but
>> rather a set of race conditions, where slowing things down anywhere at
>> all may still be incrementally helpful (make the internet as a whole
>> less vulnerable - it's a spectrum).
>>
>>
>> 2. Increased invasive surveillance.
>>
>> The above IoT security threat scenarios that we've experienced were
>> from small groups or individuals using malware they didn't even write.
>> There is an even worse potential threat from insecure WoT/IoT devices,
>> and that is state-level actors using those very same existing and
>> expected security flaws to turn WoT/IoT devices into the largest mass
>> surveillance and data gathering effort in history.
>>
>> Every sensor on every such device a user puts in their home becomes a
>> potential surveillance data gathering node. Note that most of the
>> above-noted insecure devices used in the attacks were IoT *cameras*.
>>
>> Nothing from the proposed WoT charter, nor experiments/incubations
>> shows any semblance of any of the participants taking this threat
>> scenario seriously, nor did any of them raise or document any concerns
>> like what happened to Krebs.
>>
>> (The only person in the W3C context who did provide warnings of 

Re: Proposed W3C Charter: Web of Things Working Group

2016-12-01 Thread Benjamin Francis
Hi Tantek,

On the very serious issues of security and privacy on the Internet of
Things, I agree with you.

On your proposed solution to those problems of somehow trying to slow down
the worldwide deployment of IoT devices (currently forecast to reach tens
of billions by 2020) and prevent any efforts towards standardisation and
the defining of best practices, I couldn't disagree with you more.

We have a whole department at Mozilla dedicated to exploring this space and
it is an organisational goal to attempt to influence standards in this area
in order to embody Mozilla's values into the design and architecture of IoT.

Let's try to make our feedback to the W3C a little more constructive, if we
can.

Ben

On 29 November 2016 at 19:38, Tantek Çelik  wrote:

> To add to this thread, I think there are still fundamental security
> issues, which have only gotten worse, that the charter does not
> address, nor has the incubation to date come even close to
> understanding, much less prototyping / stress-testing.
>
>
> 1. The rapid deployment of WoT/IoT devices poses an existential threat
> to the open internet (something we, Mozilla, are particularly focused
> on protecting more than other orgs are) due to their fundamentally
> worse security.
>
> Since the DDoS attack on krebsonsecurity which motivated our initial
> formal objection based on lack of security considerations in the
> charter and incubation, there was the subsequent DYN DDoS attack which
> took down major sites (Twitter, Github, Reddit, etc.), and that's only
> with the current deployment of insecure IoT devices, by rogue groups
> using open source malware. Basically it proved the security point of
> our formal objection.
>
> WoT/IoT devices are both known to already have worse security, and
> expected to in the future, both in initial design / development, and
> with the lack of incentive to do security software updates due to such
> devices being so low margin, often built by small companies that have
> low life expectancy themselves, then whitelabel bundled into larger
> devices, with no way of updating the embedded software, e.g. the IoT
> cameras used in the DDoS attacks.
>
> The proposed charter (nor anyone's incubation efforts) does/do not
> address these low cost, low margin, low life expectancy company,
> whitelabel embedding issues. All of which have been shown to be real
> problems.
>
> This threat is so bad, that it's not clear that any increased
> deployment of WoT/IoT is "good" for the open internet.
>
> That regardless of tech stack, it is in the interest of maintaining an
> open internet to do what we can to actually *slow down* the deployment
> of anything WoT/IoT, up to and including opposing standardization
> efforts which seek to *accelerate* the deployment of such devices.
> This is not an "absolute" situation, where we might as well give up
> because it's going to happen anyway like somewhere other than W3C, but
> rather a set of race conditions, where slowing things down anywhere at
> all may still be incrementally helpful (make the internet as a whole
> less vulnerable - it's a spectrum).
>
>
> 2. Increased invasive surveillance.
>
> The above IoT security threat scenarios that we've experienced were
> from small groups or individuals using malware they didn't even write.
> There is an even worse potential threat from insecure WoT/IoT devices,
> and that is state-level actors using those very same existing and
> expected security flaws to turn WoT/IoT devices into the largest mass
> surveillance and data gathering effort in history.
>
> Every sensor on every such device a user puts in their home becomes a
> potential surveillance data gathering node. Note that most of the
> above-noted insecure devices used in the attacks were IoT *cameras*.
>
> Nothing from the proposed WoT charter, nor experiments/incubations
> shows any semblance of any of the participants taking this threat
> scenario seriously, nor did any of them raise or document any concerns
> like what happened to Krebs.
>
> (The only person in the W3C context who did provide warnings of the
> kinds of attacks occurring that eventually did happen was Bruce
> Schneier during his talk at the May W3C AC meeting at MIT. But he's
> not involved in W3C WoT/IoT efforts himself.).
>
>
> I don't see any evidence to show that W3C should pursue
> standardization of anything WoT/IoT, and quite the opposite, that
> we're at a point of WoT/IoT industry immaturity where product
> development and deployment is both hurting the internet, and
> presenting a potentially even larger threat to users of such products
> being transparently, illegally*, invasively surveilled by their
> governments hacking the devices in their own homes (*but recently
> approved in the UK[1]), and thus should be opposed.
>
>
> If anything, we (Mozilla) should be reaching out to EFF and any other
> W3C Members who value an open internet and respecting users' privacy
> more than profit 

Re: Proposed W3C Charter: Web of Things Working Group

2016-11-29 Thread Tantek Çelik
To add to this thread, I think there are still fundamental security
issues, which have only gotten worse, that the charter does not
address, nor has the incubation to date come even close to
understanding, much less prototyping / stress-testing.


1. The rapid deployment of WoT/IoT devices poses an existential threat
to the open internet (something we, Mozilla, are particularly focused
on protecting more than other orgs are) due to their fundamentally
worse security.

Since the DDoS attack on krebsonsecurity which motivated our initial
formal objection based on lack of security considerations in the
charter and incubation, there was the subsequent DYN DDoS attack which
took down major sites (Twitter, Github, Reddit, etc.), and that's only
with the current deployment of insecure IoT devices, by rogue groups
using open source malware. Basically it proved the security point of
our formal objection.

WoT/IoT devices are both known to already have worse security, and
expected to in the future, both in initial design / development, and
with the lack of incentive to do security software updates due to such
devices being so low margin, often built by small companies that have
low life expectancy themselves, then whitelabel bundled into larger
devices, with no way of updating the embedded software, e.g. the IoT
cameras used in the DDoS attacks.

The proposed charter (nor anyone's incubation efforts) does/do not
address these low cost, low margin, low life expectancy company,
whitelabel embedding issues. All of which have been shown to be real
problems.

This threat is so bad, that it's not clear that any increased
deployment of WoT/IoT is "good" for the open internet.

That regardless of tech stack, it is in the interest of maintaining an
open internet to do what we can to actually *slow down* the deployment
of anything WoT/IoT, up to and including opposing standardization
efforts which seek to *accelerate* the deployment of such devices.
This is not an "absolute" situation, where we might as well give up
because it's going to happen anyway like somewhere other than W3C, but
rather a set of race conditions, where slowing things down anywhere at
all may still be incrementally helpful (make the internet as a whole
less vulnerable - it's a spectrum).


2. Increased invasive surveillance.

The above IoT security threat scenarios that we've experienced were
from small groups or individuals using malware they didn't even write.
There is an even worse potential threat from insecure WoT/IoT devices,
and that is state-level actors using those very same existing and
expected security flaws to turn WoT/IoT devices into the largest mass
surveillance and data gathering effort in history.

Every sensor on every such device a user puts in their home becomes a
potential surveillance data gathering node. Note that most of the
above-noted insecure devices used in the attacks were IoT *cameras*.

Nothing from the proposed WoT charter, nor experiments/incubations
shows any semblance of any of the participants taking this threat
scenario seriously, nor did any of them raise or document any concerns
like what happened to Krebs.

(The only person in the W3C context who did provide warnings of the
kinds of attacks occurring that eventually did happen was Bruce
Schneier during his talk at the May W3C AC meeting at MIT. But he's
not involved in W3C WoT/IoT efforts himself.).


I don't see any evidence to show that W3C should pursue
standardization of anything WoT/IoT, and quite the opposite, that
we're at a point of WoT/IoT industry immaturity where product
development and deployment is both hurting the internet, and
presenting a potentially even larger threat to users of such products
being transparently, illegally*, invasively surveilled by their
governments hacking the devices in their own homes (*but recently
approved in the UK[1]), and thus should be opposed.


If anything, we (Mozilla) should be reaching out to EFF and any other
W3C Members who value an open internet and respecting users' privacy
more than profit (perhaps university members of W3C) and asking them
to join our formal objection to anything WoT/IoT at W3C.


Tantek

[1] http://www.wired.co.uk/article/ip-bill-law-details-passed


On Tue, Nov 29, 2016 at 7:23 AM, Benjamin Francis  wrote:
> Hi David,
>
> Have you had any more correspondence with the W3C on Mozilla's behalf
> regarding this charter?
>
> From the Web of Things Interest Group mailing list
> it appears that the
> group is happy to remove the dependency on RDF as suggested in our feedback
> (although they claim this wasn't intended as a dependency in the first
> place). Instead I understand they would like to include an extension point
> in the Thing Description such that semantic annotations could be added
> externally to the Thing Description specification if desired. This seems
> reasonable to me.
>
> On the point of the charter being 

Re: Proposed W3C Charter: Web of Things Working Group

2016-11-29 Thread Benjamin Francis
Hi David,

Have you had any more correspondence with the W3C on Mozilla's behalf
regarding this charter?

From the Web of Things Interest Group mailing list
it appears that the
group is happy to remove the dependency on RDF as suggested in our feedback
(although they claim this wasn't intended as a dependency in the first
place). Instead I understand they would like to include an extension point
in the Thing Description such that semantic annotations could be added
externally to the Thing Description specification if desired. This seems
reasonable to me.

On the point of the charter being too broad I don't think much has been
done to address this. The group still seems intent on including a
language-agnostic "scripting API" in the charter, despite Google's feedback
that the Thing Description should be the central focus of the charter and
that the scripting API should be moved to a supporting research themed
status.

I'd like to share a recommendation from the IoT platform team in Connected
Devices that the charter should include only a *Web Thing Description* with
a default JSON encoding and a *Web Thing API* which is a REST API that can
be implemented using HTTP (or HTTP/2 or CoAP). We have started to draft a
potential member submission to illustrate
this proposal (this is just a skeleton at the moment, contributions welcome
on GitHub).

With this reduced scope no scripting API should be necessary (most
programming languages already have the capability to call a REST API via
HTTP and anyone can create a helper library to call the WoT REST API). It
should also simplify the security and privacy requirements considerably
given this is a well established and well understood technology stack on
the web.

This kind of RESTful approach is already becoming a de-facto standard in
IoT (e.g. Google Weave, Apple HomeKit, Samsung SmartThings, EVRYTHNG, AWS
IoT, Azure IoT, IoTivity, AllJoyn). What's missing is a standard data model
and common API using this pattern. This is also the direction the Open
Connectivity Foundation is taking with CoAP
and their OIC specification, and the direction we expect the Mozilla IoT
Framework to take.

We'd very much like to collaborate on this specification via the W3C but
currently the charter still seems too broad and I would argue not in line
with the direction of the wider industry.

Ben



On 17 October 2016 at 19:15, L. David Baron  wrote:

> The comments I submitted on the WoT charter are archived at:
> https://lists.w3.org/Archives/Public/www-archive/2016Oct/0004.html
>
> -David
>
> On Friday 2016-10-14 15:03 +0100, Benjamin Francis wrote:
> > Hi David,
> >
> > We collected some feedback in a document
> > and I'm going to try to summarise it here. Please let me know if you feel
> > this feedback is appropriate and feel free to edit it before sending. I
> > also welcome further feedback from this list if it can be provided in time.
> >
> >
> >
> > There were some concerns expressed around the clarity of the goals set out
> > in the charter and whether there has been sufficient research and
> > incubation in order to proceed with the drafting of specifications via a
> > Working Group.
> >
> > We propose the charter could benefit from a reduced scope, a more
> > lightweight approach and a simplified set of deliverables. This might
> > include a simpler initial data model with a reduced set of metadata and a
> > default encoding without a dependency on RDF (e.g. plain JSON), the
> > specification of a single REST/WebSockets API and a reduced scope around
> > methods for device discovery. We propose that the deliverables could be
> > reduced down to a single specification describing a Web of Things
> > architecture, data model and API and separate notes documenting bindings to
> > non-web protocols and a set of test cases.
> >
> > It is suggested that the WoT Current Practices and WoT
> > Architecture
> > documents referenced in the charter are not currently a good basis on which
> > to build a specification and that the member submission
> > from EVRYTHNG and the Barcelona
> > Supercomputing Center could provide a better starting point.
> > Mozilla welcomes the activity in this area but the charter as currently
> > proposed may need some work.
> >
> >
> >
> >
> > Let me know what you think
> >
> > Ben
> >
> > On 11 October 2016 at 02:52, L. David Baron  wrote:
> >
> > > The W3C is proposing a new charter for:
> > >
> > >   Web of Things Working Group
> > >   https://lists.w3.org/Archives/Public/public-new-work/

Re: Proposed W3C Charter: Web of Things Working Group

2016-10-17 Thread L. David Baron
The comments I submitted on the WoT charter are archived at:
https://lists.w3.org/Archives/Public/www-archive/2016Oct/0004.html

-David

On Friday 2016-10-14 15:03 +0100, Benjamin Francis wrote:
> Hi David,
> 
> We collected some feedback in a document
> 
> and I'm going to try to summarise it here. Please let me know if you feel
> this feedback is appropriate and feel free to edit it before sending. I
> also welcome further feedback from this list if it can be provided in time.
> 
> 
> 
> There were some concerns expressed around the clarity of the goals set out
> in the charter and whether there has been sufficient research and
> incubation in order to proceed with the drafting of specifications via a
> Working Group.
> 
> We propose the charter could benefit from a reduced scope, a more
> lightweight approach and a simplified set of deliverables. This might
> include a simpler initial data model with a reduced set of metadata and a
> default encoding without a dependency on RDF (e.g. plain JSON), the
> specification of a single REST/WebSockets API and a reduced scope around
> methods for device discovery. We propose that the deliverables could be
> reduced down to a single specification describing a Web of Things
> architecture, data model and API and separate notes documenting bindings to
> non-web protocols and a set of test cases.
> 
> It is suggested that the WoT Current Practices and WoT
> Architecture
> documents referenced in the charter are not currently a good basis on which
> to build a specification and that the member submission
> from EVRYTHNG and the Barcelona
> Supercomputing Center could provide a better starting point.
> 
> Mozilla welcomes the activity in this area but the charter as currently
> proposed may need some work.
> 
> 
> 
> 
> Let me know what you think
> 
> Ben
> 
> On 11 October 2016 at 02:52, L. David Baron  wrote:
> 
> > The W3C is proposing a new charter for:
> >
> >   Web of Things Working Group
> >   https://lists.w3.org/Archives/Public/public-new-work/2016Sep/0005.html
> >   https://www.w3.org/2016/09/wot-wg-charter.html
> >
> > Mozilla has the opportunity to send comments or objections through
> > this Friday, October 14.
> >
> > Please reply to this thread if you think there's something we should
> > say as part of this charter review, or if you think we should
> > support or oppose it.
> >
> > My initial reaction would be to worry about whether there's
> > properly-incubated material here that's appropriate to charter a
> > working group for, or whether this is more of a (set of?) research
> > projects.  W3C has an existing Interest Group (not a Working Group,
> > so not designed to write Recommendation-track specifications) in
> > this area: https://www.w3.org/WoT/IG/ .
> >
> > -David
> >
> > --
> > 𝄞   L. David Baron http://dbaron.org/   𝄂
> > 𝄢   Mozilla  https://www.mozilla.org/   𝄂
> >  Before I built a wall I'd ask to know
> >  What I was walling in or walling out,
> >  And to whom I was like to give offense.
> >    - Robert Frost, Mending Wall (1914)
> >
> >
> >

-- 
𝄞   L. David Baron http://dbaron.org/   𝄂
𝄢   Mozilla  https://www.mozilla.org/   𝄂
 Before I built a wall I'd ask to know
 What I was walling in or walling out,
 And to whom I was like to give offense.
   - Robert Frost, Mending Wall (1914)




Re: Proposed W3C Charter: Web of Things Working Group

2016-10-14 Thread Benjamin Francis
Hi David,

We collected some feedback in a document

and I'm going to try to summarise it here. Please let me know if you feel
this feedback is appropriate and feel free to edit it before sending. I
also welcome further feedback from this list if it can be provided in time.



There were some concerns expressed around the clarity of the goals set out
in the charter and whether there has been sufficient research and
incubation in order to proceed with the drafting of specifications via a
Working Group.

We propose the charter could benefit from a reduced scope, a more
lightweight approach and a simplified set of deliverables. This might
include a simpler initial data model with a reduced set of metadata and a
default encoding without a dependency on RDF (e.g. plain JSON), the
specification of a single REST/WebSockets API and a reduced scope around
methods for device discovery. We propose that the deliverables could be
reduced down to a single specification describing a Web of Things
architecture, data model and API and separate notes documenting bindings to
non-web protocols and a set of test cases.

It is suggested that the WoT Current Practices and WoT
Architecture
documents referenced in the charter are not currently a good basis on which
to build a specification and that the member submission
from EVRYTHNG and the Barcelona
Supercomputing Center could provide a better starting point.

Mozilla welcomes the activity in this area but the charter as currently
proposed may need some work.




Let me know what you think

Ben

On 11 October 2016 at 02:52, L. David Baron  wrote:

> The W3C is proposing a new charter for:
>
>   Web of Things Working Group
>   https://lists.w3.org/Archives/Public/public-new-work/2016Sep/0005.html
>   https://www.w3.org/2016/09/wot-wg-charter.html
>
> Mozilla has the opportunity to send comments or objections through
> this Friday, October 14.
>
> Please reply to this thread if you think there's something we should
> say as part of this charter review, or if you think we should
> support or oppose it.
>
> My initial reaction would be to worry about whether there's
> properly-incubated material here that's appropriate to charter a
> working group for, or whether this is more of a (set of?) research
> projects.  W3C has an existing Interest Group (not a Working Group,
> so not designed to write Recommendation-track specifications) in
> this area: https://www.w3.org/WoT/IG/ .
>
> -David
>
> --
> 𝄞   L. David Baron http://dbaron.org/   𝄂
> 𝄢   Mozilla  https://www.mozilla.org/   𝄂
>  Before I built a wall I'd ask to know
>  What I was walling in or walling out,
>  And to whom I was like to give offense.
>    - Robert Frost, Mending Wall (1914)
>


Re: Proposed W3C Charter: Web of Things Working Group

2016-10-13 Thread Joseph Lorenzo Hall
+1 on keeping w3c charter discussions here (or at least letting those
of us organizational friends of Moz know where we go for that part of
our Moz fix)

On Thu, Oct 13, 2016 at 6:11 AM, Anne van Kesteren  wrote:
> On Thu, Oct 13, 2016 at 1:18 PM, Benjamin Francis  
> wrote:
>> dev-platform is now only really about the back end of Firefox which isn't
>> very relevant here. WoT mainly concerns the server side of the web stack.
>
> I don't really agree with this. 1) We can't really consider Firefox
> frontend and backend as isolated entities. What happens in platform
> affects the UX and vice versa. This is more and more true as we get
> closer to the metal. 2) The browser could play a very interesting role
> in the UX side of discovering new devices and getting them set up
> (rather than letting that run through proprietary app stores). 3)
> Discussion of W3C groups and their publications has always taken place
> here.
>
>
> --
> https://annevankesteren.nl/



-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: j...@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871



Re: Proposed W3C Charter: Web of Things Working Group

2016-10-13 Thread Anne van Kesteren
On Thu, Oct 13, 2016 at 1:18 PM, Benjamin Francis  wrote:
> dev-platform is now only really about the back end of Firefox which isn't
> very relevant here. WoT mainly concerns the server side of the web stack.

I don't really agree with this. 1) We can't really consider Firefox
frontend and backend as isolated entities. What happens in platform
affects the UX and vice versa. This is more and more true as we get
closer to the metal. 2) The browser could play a very interesting role
in the UX side of discovering new devices and getting them set up
(rather than letting that run through proprietary app stores). 3)
Discussion of W3C groups and their publications has always taken place
here.


-- 
https://annevankesteren.nl/


Re: Proposed W3C Charter: Web of Things Working Group

2016-10-13 Thread Benjamin Francis
On 13 October 2016 at 01:51, Martin Thomson  wrote:

> I agree with this sentiment, but I don't think that we need to insist
> that a new W3C group solve these issues.  I'm very much concerned with
> the question of how a new "thing" might be authenticated, even how
> clients of the thing are authenticated, those are definitely well
> within their remit and it should be an important consideration.
>
> We shouldn't hold the group responsible for the failings of the
> industry at large though, no matter how egregious those failings.
>

Yes, and let's not be so quick to criticise without an alternative to
propose.

*Building the Web of Things* has a chapter on "Securing and sharing web
Things" which covers encryption (TLS, HTTPS, WSS), authentication (OAuth),
authorization and access control (API tokens and ACLs). EVRYTHNG have a white
paper on this topic which also touches on other areas like network layer
encryption, firmware vulnerabilities, ISO 27001, SOC 1/2/3, PCI DSS and
addresses the "OWASP Internet of Things Top Ten vulnerabilities". That
seems like a good foundation to build on.

I mention this because EVRYTHNG is one of the members of the Interest Group
so I think the expertise is there, it's just a bit buried at the moment in
all the noise. Maybe that's something we can help with.

> This is probably OK.  I would start with this though:
> * insufficiently precise statement of goals; needs more research and
> incubation time
>

I hope we can come up with something a bit more constructive than
"insufficiently precise statement of goals".

I suggest moving this discussion to dev-iot.
dev-platform is now only really about the back end of Firefox which isn't
very relevant here. WoT mainly concerns the server side of the web stack.

Ben


Re: Proposed W3C Charter: Web of Things Working Group

2016-10-12 Thread Martin Thomson
On Thu, Oct 13, 2016 at 11:26 AM, Tantek Çelik  wrote:
> Security is the number one problem for anything "ot" (iot, wot,
> wotever),

I agree with this sentiment, but I don't think that we need to insist
that a new W3C group solve these issues.  I'm very much concerned with
the question of how a new "thing" might be authenticated, even how
clients of the thing are authenticated, those are definitely well
within their remit and it should be an important consideration.

We shouldn't hold the group responsible for the failings of the
industry at large though, no matter how egregious those failings.

> All that being said, I think we should non-formally object to the
> Proposed W3C Charter: Web of Things Working Group with reasons of:
> * insufficient incubation of security aspects
> * overall risk (greatly increased vulnerability) to the web/internet as a whole
> being the reasons (with above citations).

This is probably OK.  I would start with this though:
* insufficiently precise statement of goals; needs more research and
incubation time


Re: Proposed W3C Charter: Web of Things Working Group

2016-10-12 Thread Tantek Çelik
On Wed, Oct 12, 2016 at 4:46 PM, Martin Thomson  wrote:
> On Thu, Oct 13, 2016 at 6:21 AM, Benjamin Francis wrote:
>> Much more compelling is the member submission from EVRYTHNG which also forms
>> the basis of the book, Building the Web of Things.
>
> Yes, that is a much clearer articulation of a vision.  It starts going
> off the rails in a few places as it gets into specifics (MUST support
> all the basic HTTP verbs, WTF), but it is *much* more concrete.  I
> still don't know how to bridge the gap completely, particularly when
> it comes to things like identification and - dare I say it -
> discovery, but you can see a potential way forward at least.

Off the rails in a few places is being generous I think, but it's not
worth picking it apart with more specifics.

The one thing I will point out is the only mentions of "security" in
that member submission is some hand-waving about "just use HTTPS" and
then "may use other mechanisms" (paraphrasings).


Security is the number one problem for anything "ot" (iot, wot,
wotever), not just to the devices themselves, but frankly, to the web
and internet as a whole due to their potential deployment in numbers
that dwarf the number of existing devices. To not have that addressed
front and center IMO means they don't know what they're doing.


If you haven't been keeping up with KrebsOnSecurity in the past month,
I'll just reference these two for why:

https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/


This entire industry area is fraught, and borderline being
irresponsibly developed, marketed, and deployed.

If you find anyone who claims to be successfully developing and
deploying secure IoT/WoT "devices" or "solutions", I'll leave you with
this (so far unanswered AFAIK) challenge:
http://tantek.com/2015/252/t1/wot-iot-security-expert-post-ip-appliances


All that being said, I think we should non-formally object to the
Proposed W3C Charter: Web of Things Working Group with reasons of:
* insufficient incubation of security aspects
* overall risk (greatly increased vulnerability) to the web/internet as a whole
being the reasons (with above citations).


Tantek


Re: Proposed W3C Charter: Web of Things Working Group

2016-10-12 Thread Martin Thomson
On Thu, Oct 13, 2016 at 6:21 AM, Benjamin Francis  wrote:
> Much more compelling is the member submission from EVRYTHNG which also forms
> the basis of the book, Building the Web of Things.

Yes, that is a much clearer articulation of a vision.  It starts going
off the rails in a few places as it gets into specifics (MUST support
all the basic HTTP verbs, WTF), but it is *much* more concrete.  I
still don't know how to bridge the gap completely, particularly when
it comes to things like identification and - dare I say it -
discovery, but you can see a potential way forward at least.


Re: Proposed W3C Charter: Web of Things Working Group

2016-10-12 Thread Benjamin Francis
On 12 October 2016 at 02:00, Martin Thomson  wrote:

> Does anyone at Mozilla intend to join this working group? I see no
> Mozilla members in the IG.
>

Yes, in Connected Devices we have recently started looking at this area in
some detail and I think we should seriously consider joining the Working
Group. I previously applied to join the Interest Group but at that point we
decided we weren't far enough along with our thinking in this space to make
that commitment, I think things have changed now.

Firstly, I agree the documents produced by the Interest Group are a mess.
In fact almost incomprehensible.

Much more compelling is the member submission
from EVRYTHNG which also forms the basis of the book, Building the Web of
Things. This is
a well thought out blueprint for the Web of Things which I think could
serve as a better starting point. In fact we are planning our own
implementation of something along these lines for Mozilla's IoT platform
which could serve as a reference implementation. We've just started to
draft a white paper on this topic.

I'm going to try and find time for a more detailed review of the proposed
charter this week. They keep giving short notice for the review deadline
and then extending the deadline.

Thanks David for flagging this up, I'm interested to hear others' views on
the charter specifically.

Ben


Re: Proposed W3C Charter: Web of Things Working Group

2016-10-11 Thread Martin Thomson
On Tue, Oct 11, 2016 at 12:52 PM, L. David Baron  wrote:
> My initial reaction would be to worry about whether there's
> properly-incubated material here that's appropriate to charter a
> working group for, or whether this is more of a (set of?) research
> projects.  W3C has an existing Interest Group (not a Working Group,
> so not designed to write Recommendation-track specifications) in
> this area: https://www.w3.org/WoT/IG/ .


I share your concerns.  Looking at the work that the WoT IG has
produced, including the charter, these are highly nebulous.  It's hard
to see how the world that is imagined in their documents intersects
with the web we know (I'm actually having trouble seeing the overlap
with reality, but that could be a consequence of a lack of understanding
on my part...).  That suggests need for more research, not
engineering.

Does anyone at Mozilla intend to join this working group? I see no
Mozilla members in the IG.