[Requirements] separate and refine requirements

[tomoyukilabs]

This PR separates Requirements.md from UseCases.md, and refines the requirements in detail. Also, this addresses several comments in https://github.com/httpslocal/usecases/issues/4.

@dajiaji Could you please review this PR? @igarashi50 Any comments and suggestions are welcome.

[igarashi50]

I think that the "Device Authentication" should be spited in two cases. One is before a certificate grant and issuance is done, the other is after then. The former case depends on the "Certificate Grant and Issuance". I suggest that "Device Authentication" states the following requirements on the latter case.

• The UA shall authenticate one of the discovered device selected by the user.
• The UA shall only expose the interface to the authenticated device to web applications.

I suggest that the following requirements about the former case will be be clarified the based on the "Certificate Grant and Issuance". I also think the user grant for "Device Delegate" is optional.

• The UA shall authenticate one of the devices registered in the device delegate selected on the web application.
• The UA shall ask the user to input information such as PIN code or passphrase when the device requests to do so, and notify the device of the information, so that the UA and the device or the device delegate can properly authenticate with each other.
• The UA shall initiate certificate grant and issuance procedure when the device or the device delegate is authenticated successfully.
• The UA shall be able to authenticate the device or the device delegate automatically without the user’s grant when it has been authenticated once and its certificate has not been expired or revoked yet.

I also suggest including the following requirement in to "Device Discovery" assuming that the "Device Discovery" states the requirements after "Certificate Grand and Issuance" is done.

• The UA shall expose a user the information of discovered devices by indicating the endpoint URL obtained by the devices.

[igarashi50]

• UA shall expose a user the information of discovered devices by indicating the endpoint URL obtained by the devices.

Alternatively, the following requirement is better for a user on device selection. Any comment?

• UA shall expose a user the information of discovered devices by indicating they have certificates for the endpoint URL obtained by.

[tomoyukilabs]

@igarashi50 As you mentioned, this PR only includes "authenticate before grant/issue a certificate" rationale. Although I considered the similar idea at first, I have left this PR as it is now for the following reasons:

• "authenticate after grant/issue a certificate" might cause unwanted or unintended certificate grant or issuance by aborting the consequent authentication step.
• The user might be asked two times by the UA, 1) to grant/issue a certificate, and 2) to authenticate. On the other hand, I suppose that the "before" case could combine these two steps of user interaction into a single one. (Note that this PR still mentions "granted by the user" even in the certificate grant and issuance section just in case, but we can discuss whether it can be safely dropped or not.)

I suggest that the following requirements about the former case will be be clarified the based on the "Certificate Grant and Issuance"

Do you mean that typing PIN code is required two times for both authentication and certificate grant/issuance?

I also think the user grant for "Device Delegate" is optional.

I can agree if the device behind the device delegate can request the UA to respond with PIN code via the delegate.

• UA shall expose a user the information of discovered devices by indicating they have certificates for the endpoint URL obtained by.

This PR intentionally omits this sort of idea since I currently assume that discovery about server-capable devices without a certificate, which could not be connected due to mixed content restriction, would be out of scope.

[tomoyukilabs]

@igarashi50 Excuse me, but I'd like to correct my comment related to device discovery.

• UA shall expose a user the information of discovered devices by indicating they have certificates for the endpoint URL obtained by.

A device that is not initialized could have no certificate yet. This is the reason why this PR mentions "which has its compliance with certificate grant and issuance and certificate management".

[igarashi50]

I assume that the "Device Authentication" state the requirements after "Grant and issuance and certification management" is done. The alternative requirement implies that the discovery information contains certification for the endpoint URL. I am OK to leave it out now.

[tomoyukilabs]

Now the draft has been revised overall. @dajiaji @igarashi50 Could you review this again?

[tomoyukilabs]

@dajiaji @igarashi50 Many thanks for discussion and reviewing!