Should security metadata be protocol-specific or generic?
For example, should we have http + basic for basic HTTP authentication, or a generic scheme "basic" defined as "plain-text username and password, intended to be wrapped in an encrypted context" that can be used with multiple protocols?
Discussion: "generic" is more in the spirit of the TD and WoT but there will be many exceptions, since many protocols do have their own security mechanisms (MQTT, OCF, etc). If a generic approach is chosen, how do we manage the namespace of protocol-specific options... additional protocol vocabulary? What metadata can be given generic names (as, alg, etc)? How do we limit a generic security configuration to a particular protocol?
Elena: ok to collapse into one level as long as not ambiguous: the combination of protocol and scheme should be unambiguous
Elena: would be good if ALL combinations are supported; McCool: may not be practical; like media negotiation. Elena: ok, but carries risks we should look at, for instance, downgrading to a weaker mechanism; negotiation needs to be carefully approached; CONCLUSION: create an issue to discuss that further
Elena: good to look at other standards (McCool: have looked at OpenAPI and OCF, but not others that might be relevant, eg RAML).
=> Conclusion: use the "generic" approach rather than the protocol-specific approach.
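To make the two open questions concrete (how a generic scheme is limited to the protocols it actually applies to, and how a consumer avoids the downgrade risk raised in the negotiation discussion), here is an added Python model. It is illustrative code written for these notes, not WoT Thing Description vocabulary or any implementation's code: the scheme names, the transport sets attached to each scheme, the strength ranking and the `requires_encryption` flag are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed strength ranking, used only for the downgrade check below.
# It is an assumption of this example, not a WoT definition.
STRENGTH = {"nosec": 0, "basic": 1, "digest": 2, "bearer": 3}

# Transports assumed (by name) to wrap traffic in TLS/DTLS.
ENCRYPTED_TRANSPORTS = {"https", "coaps", "mqtts", "wss"}


@dataclass(frozen=True)
class SecurityScheme:
    """A generic, protocol-independent scheme plus the transports it may be used with."""
    name: str
    transports: frozenset            # transports this generic scheme applies to
    requires_encryption: bool = False  # e.g. "basic": plain-text secrets, needs a wrapped context


# Hypothetical generic vocabulary. Which transports each scheme covers is an
# assumption for illustration; "basic" is restricted to HTTP-family transports here.
SCHEMES = {
    "nosec": SecurityScheme("nosec", frozenset({"http", "https", "coap", "coaps", "mqtt", "mqtts"})),
    "basic": SecurityScheme("basic", frozenset({"http", "https"}), requires_encryption=True),
    "digest": SecurityScheme("digest", frozenset({"http", "https"})),
    "bearer": SecurityScheme("bearer", frozenset({"http", "https", "mqtt", "mqtts"}), requires_encryption=True),
}


def resolve(scheme: str, transport: str) -> SecurityScheme:
    """Bind a generic scheme to a transport, refusing combinations the vocabulary does not allow.

    This is one answer to "how do we limit a generic security configuration to a
    particular protocol": the scheme carries its own applicability, so
    basic + mqtt is rejected instead of silently accepted, and a scheme that
    ships plain-text secrets is rejected on an unencrypted transport.
    """
    if scheme not in SCHEMES:
        raise ValueError(f"unknown security scheme {scheme!r}")
    s = SCHEMES[scheme]
    if transport not in s.transports:
        raise ValueError(f"scheme {scheme!r} is not defined for transport {transport!r}")
    if s.requires_encryption and transport not in ENCRYPTED_TRANSPORTS:
        raise ValueError(f"scheme {scheme!r} sends secrets in clear; {transport!r} is not encrypted")
    return s


def naive_negotiate(offered: list, supported: set) -> str:
    """Downgradable consumer: takes the first offered scheme it understands.

    A Thing (or an attacker who rewrites the description) that lists "nosec"
    first wins, even though the consumer also supports "bearer".
    """
    for name in offered:
        if name in supported:
            return name
    raise ValueError("no mutually supported scheme")


def negotiate(offered: list, supported: set, transport: str, minimum: str) -> str:
    """Consumer with a floor: pick the strongest valid scheme, never below `minimum`."""
    candidates = []
    for name in offered:
        if name not in supported:
            continue
        try:
            resolve(name, transport)   # drop combinations the vocabulary forbids
        except ValueError:
            continue
        candidates.append(name)
    if not candidates:
        raise ValueError("no mutually supported scheme")
    best = max(candidates, key=lambda n: STRENGTH[n])
    if STRENGTH[best] < STRENGTH[minimum]:
        raise ValueError(f"strongest offered scheme {best!r} is below the required floor {minimum!r}")
    return best
```

With `offered = ["nosec", "bearer"]` the naive consumer settles on `nosec`, while `negotiate(..., transport="https", minimum="basic")` returns `bearer`; the same call over plain `http` fails, because `bearer` is refused on an unencrypted transport and `nosec` is below the floor.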