Thing end of life signaling

[zolkis]

Tracking security connotations of Scripting issue 114.

[mmccool]

Discussed:

• If the events are "open" (not protected) then a malicious attacker could spoof a destroy notification. Can be mitigated by protecting these events (since they are "system" events, that means whatever hidden mechanism is used needs to be protected)
• Given the use of "observe" as suggested by Matthias in 114, authentication for observing the TD controls who gets these messages, the protection depends on the authentication of the original TD fetch mechanism and the corresponding observe.
• These issues are common to all other observe mechanisms. ==> Discovery, consumption, and observe of TDs should be protected by suitable security mechanism.

Ex: a burglar could fake a "broken camera" by spoofing a destroy message.

[mmccool]

In scripting issue, solution has been explained. However, we still need to review that proposed solution from a security point of view.

[mmccool]

Proposed solution in scripting is to use TD change notification to send an observe event of a certain type to other things that have registered to receive such events.

If this is done, then destroy notifications are as secure as TD change notifications themselves. So the real question is: how is security/authetication etc. handled for TD change notifications? Just like access to the TD in the first place, we want to be able to support appropriate security (authentication and authorization) mechanisms.

[mmccool]

Superceded by https://github.com/w3c/wot-security/issues/100