w3c / wot-profile

Web of Things (WoT) Profile

How can clients verify that a device they're interacting with is compliant? #385

Open pes10k opened 1 year ago

pes10k commented 1 year ago

This issue is being filed as part of the requested PING review, and on behalf of @NalaGinrut who did the review (who I hope will correct me if I've misstated their concerns).

The spec currently states that

Whether or not a TD satisfies the requirements of a given profile should be verifiable with automated tools. We can use the existing TD JSON Schema as a basis and reuse the existing tooling (TD-playground)

However, it's not clear how a client could verify that a TD is compliant and honest in its claims. What methods can a client, for example, use to ensure a device they're interacting with isn't being deceptive or malicious? If that's not possible, we think it's important to say so explicitly in the security and privacy considerations section (i.e., that the protections require honesty, and are not robust to malicious/dishonest devices/participants).
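To make the distinction in the comment above concrete, here is an added example (not code from the wot-profile repository or the TD Playground). It validates a Thing Description against a profile expressed as JSON Schema, the kind of automated check the quoted spec text has in mind, and then shows why that check says nothing about honesty: the validator only ever reads the document, and the claims a TD makes (which security scheme applies, which properties are read-only) can only be contradicted by evidence about the device itself. PROFILE_SCHEMA is a constructed, heavily simplified stand-in for the real TD JSON Schema, and the sample TD and the observed-behaviour table are constructed as well.

```python
"""Structural conformance check of a WoT Thing Description (TD) against a
profile expressed as JSON Schema, and the limit of what that check proves.

Added example, not code from the wot-profile repository or the TD Playground.
PROFILE_SCHEMA is a constructed, simplified stand-in for the real TD JSON
Schema; SAMPLE_TD and OBSERVED_BEHAVIOUR are constructed sample data.
"""
import json

# Constructed profile schema. Only the JSON Schema keywords 'type', 'required',
# 'properties' and 'enum' are used, which is all the validator below supports.
PROFILE_SCHEMA = {
    "type": "object",
    "required": ["@context", "title", "security", "securityDefinitions"],
    "properties": {
        "@context": {"type": "string"},
        "title": {"type": "string"},
        "security": {"type": "string"},
        "securityDefinitions": {"type": "object"},
        "properties": {"type": "object"},
    },
}

_JSON_TYPES = {"object": dict, "array": list, "string": str,
               "number": (int, float), "boolean": bool}


def validate(instance, schema, path="$"):
    """Return a list of violations; an empty list means the instance conforms."""
    expected = schema.get("type")
    if expected is not None:
        # bool is a subclass of int in Python; JSON treats them as distinct types
        if not isinstance(instance, _JSON_TYPES[expected]) or (
                expected == "number" and isinstance(instance, bool)):
            return [f"{path}: expected {expected}"]
    errors = []
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required member '{key}'")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not one of {schema['enum']}")
    return errors


def schema_conformant(td_text):
    """Parse a TD document and check it against PROFILE_SCHEMA.

    Returns (ok, errors). This function only reads the document; it never
    contacts the device, so it cannot tell whether the device behaves as
    the document claims.
    """
    try:
        td = json.loads(td_text)
    except json.JSONDecodeError as exc:
        return False, [f"not valid JSON: {exc.msg}"]
    errors = validate(td, PROFILE_SCHEMA)
    return not errors, errors


# Constructed sample TD. It claims HTTP basic auth is required and that
# 'temperature' is read-only.
SAMPLE_TD = json.dumps({
    "@context": "https://www.w3.org/2022/wot/td/v1.1",
    "title": "Constructed thermostat",
    "securityDefinitions": {"basic_sc": {"scheme": "basic"}},
    "security": "basic_sc",
    "properties": {"temperature": {"type": "number", "readOnly": True}},
})

# Constructed record of what the described device actually does, as a client
# might observe it. Schema validation never consults anything like this.
OBSERVED_BEHAVIOUR = {"requires_authentication": False,
                      "temperature_writable": True}


def claims_contradicted(td_text, observed):
    """List TD claims that observed device behaviour contradicts.

    Producing this list needs evidence about the device itself; the TD alone,
    however well-formed, cannot supply it.
    """
    td = json.loads(td_text)
    scheme = td["securityDefinitions"].get(td["security"], {}).get("scheme")
    found = []
    if scheme not in (None, "nosec") and not observed["requires_authentication"]:
        found.append(f"security: TD declares '{scheme}' but the device accepts "
                     "unauthenticated requests")
    temp = td.get("properties", {}).get("temperature", {})
    if temp.get("readOnly") and observed["temperature_writable"]:
        found.append("properties.temperature: TD says readOnly but the device "
                     "accepts writes")
    return found


if __name__ == "__main__":
    ok, errs = schema_conformant(SAMPLE_TD)
    print("schema-conformant:", ok, errs)
    for line in claims_contradicted(SAMPLE_TD, OBSERVED_BEHAVIOUR):
        print("contradicted:", line)
```

Running it shows the sample TD passing validation cleanly while both of its security-relevant claims are contradicted by the constructed behaviour table. A real client has no such table unless it gathers evidence from outside the TD, which is exactly the gap the issue asks the security and privacy considerations section to name.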

pes10k commented 1 year ago

Again, cc @NalaGinrut (though please let me know if I can help with discussion or handling this issue).