#733: Web of Things (WoT) Discovery

Opened Apr 27, 2022

Ready for review, however WD update still pending. In the meantime the following branch should be used for review: review-pre-cr-wd.

Braw mornin' TAG!

I'm requesting a TAG review of Web of Things (WoT) Discovery

WIP: [One paragraph summary of idea, ideally copy-pasted from Explainer introduction]

Further details:

  • I have reviewed the TAG's Web Platform Design Principles
  • Relevant time constraints or deadlines: CR transition planned for 30 August 2022
  • The group where the work on this specification is currently being done: WoT WG
  • The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue):
  • Major unresolved issues with or opposition to this specification:
  • This work is being funded by:

You should also know that...

  • Security and Privacy Questionnaire was done for WoT as a whole, but answers call out individual deliverables as appropriate.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback



Discussions

2022-06-13

Minutes

Amy: there are 3 things.... Easier to talk about them all together...

Peter: max is on some of them...

Dan: timebox discussion here and then discuss rest in breakout C.

Amy: They have done a lot of work on security & privacy - good on many different angles. Guidelines, recommendations, answers to questionnaire... 2nd first impression - there is a LOT here. Lots to digest.. Overall I think it's probably fine. They have an architecture document - contains background material & examples. Doesn't feel like a normative document.

Dan: I agree ...

Amy: the way they've broken it up makes sense but the arch document doesn't seem to be rec track material. Maybe take the normative statements here and put them somewhere else and release it as a note?

Peter: meta question - there's a standard called Matter. Does this tie into that at all?

Amy: they do mention they are not trying to do something where they are trying to create a new competing standard but more of an overarching... We could ask them.

Peter: I think Matter does have an actual protocol - more IP based... works on bluetooth BLE, z-wave, etc... Does anyone care about web of things? is the industry going another way?

Amy: they discuss the fragmentation a lot...

Dan: to channel Sangwhan.. where does this fit into the web? There was a scripting API but saw no reference to that

Amy: it was published as a note in 2020 but I don't know why.. maybe no browsers involved?

Dan: I think that question is relevant. Doesn't invalidate the work or mean it shouldn't be happening, but is relevant to ask. Some of the demos I've seen do have an answer to this in terms of it's using browser interfaces and http

Peter: somewhat naive concern - when I look at home automation they use wifi and

Amy: I don't think they're ignoring - lots of discussion of things not being connected all the time... I don't want my things on the web. But I felt reasonably good about this by the time I finished reading.

Dan: Anything on the abuse use cases?

Amy: no location info shared (anything to do with geo is deferred to future)... everything in terms of discovery of devices is gated behind authorization - but what they've asked us to review is about metadata of devices, not sensor data itself.

Peter: simple protocol to integrate home devices...

Yves: note that some vendors use wifi-connected devices but have the possibility to work only on the local network (ie: do not phone home). Also the privacy/security of BLE is... often not existent

Peter: I agree... security model is short range.

Dan: my understanding of the arch is that it imagines a proxy where that type of situation exists

Peter: the hub that controls these things locally is a web of thing thing

Yves: ways for devices to advertise themselves .. not phoning home.. but that's pretty niche

Peter: not an ideal model...

2022-06-20

Minutes

Amy's draft feedback:

Overall, the direction of this looks good. The two-stage discovery process seems sensible to us. What use cases can be met after only carrying out the first step?

We note that you have deferred work on geolocation queries. This is something we will be very interested to review in the future from a privacy and security, and general social impact, perspective. We would welcome early review requests on this as your draft progresses.

The [related work](https://github.com/w3c/wot-discovery/blob/main/explainer/Explainer.md#related-work) section in your explainer contains references to other work but without any links. Could you add some?

Please also see the [review for the Architecture specification](https://github.com/w3ctag/design-reviews/issues/736#issuecomment-1162135635) as this contains feedback that concerns all of the related specs.

Dan: +1

Hadley: looks good to me.

2022-07-11

Minutes

Amy: I left the massive essay on the architecture issue - they asked for github issues feedback. I will file a bunch of issues instead...