mmccool
commented
6 years ago Feedback from meeting:
- Elena: ok to collapse into one level as long as not ambiguous: combination of protocol and scheme should give unambigiuous
- Elena: would be good if ALL combinations are supported; McCool: may not be practical; like media negotation. Elena: ok, but carries risks we should look at, for instance, downgrading to weaker mechanism; negotiation needs to be carefully approached; CONCLUSION: create an issue to discuss that further
- Elena: good to look at other standards (McCool: have looked at OpenAPI and OCF, but not others that might be relevant, eg RAML). => Conclusion: use the "generic" approach rather than the protocol-specific approach.
Should security metadata be protocol-specific or generic? For example, should we have http + basic for basic HTTP authentication, or a generic scheme "basic" defined as "plain-text username and password, intended to be wrapped in an encrypted context" that can be used with multiple protocols? Discussion: "generic" is more in the spirit of the TD and WoT but there will be many exceptions, since many protocols do have their own security mechanisms (MQTT, OCF, etc). If a generic approach is chosen, how do we manage the namespace of protocol-specific options... additional protocol vocabulary? What metadata can be given generic names (as, alg, etc)? How do we limit a generic security configuration to a particular protocol?