This paper came up on the b2g-internal list today and gives a good overview: http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity/papers/EricRescorla.pdf - cross-posting here for reference.
On Wed, Dec 23, 2015 at 2:31 PM, Michiel de Jong <[email protected]> wrote:
> Connecting from a web browser to a web site is just a special case of
> using "Device A", to connect to "Device B". Looking at the generic case
> where Device A and Device B can both be anyThing ;) brings up a few
> interesting questions:
>
> 1) How can a certificate authority vouch for the identity of Device B, if
> it does not have a URL? Unless we replace CA's with Web-of-Trust, this
> might be something to think about as more devices come into play that have
> no URL.
>
> 2) The user might have Device B in their eye sight. Does that help?
>
> If Device B can be many more things than just a web server in a data
> center, then you may be able to connect to it with more accuracy. For
> instance, by sticking a USB cable in it, touching it with your NFC reader,
> or pointing a camera at it.
>
> 3) How can you accurately connect to a device if you have no URL, and also
> no physical proximity?
>
> I'm not talking about how to protect Device B from unauthorized access
> (WPS buttons on WiFi routers etc.). What interests me is how you as a user
> can accurately identify the device you are connecting *to*.
>
> Curious if anyone has more thoughts on this! :)
>
>
> Cheers,
> Michiel.
>
_______________________________________________
dev-fxos mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-fxos

