There's a couple of cases:

1. A resource exists that is not discoverable at all. If you somehow know the full URI, you can use it.
2. A resource exists that is publicly discoverable. Everyone on the network can see its existence, even if you can't do any operations on it.
3. A resource exists that is discoverable only to authenticated clients, but all authenticated clients can see all such resources. This is what JIRA IOT-2905 is about implementing, and https://lists.iotivity.org/pipermail/iotivity-dev/2017-November/008648.html is the email to the iotivity list with links to the relevant spec.
4. A resource exists that is only discoverable via some resource other than /oic/res, that supports oic.if.ll. Such other resource can be ACL'ed however you want.

#3 is not implemented in iotivity yet, and #4 is something the app has to implement itself.

Dave

From: [email protected] [mailto:[email protected]] On Behalf Of Eduardo Henrique Alves Maia M Oliveira
Sent: Monday, January 15, 2018 8:46 AM
To: Mats Wichmann <[email protected]>
Cc: [email protected]
Subject: Re: [dev] Question about discoverable resources

Hi guys,

Excuse my dumbness but I'm not really getting it. How do you define in the ACL which resources are DISCOVERABLE? Because even if oic/res/ asks the client to authenticate, if I gave access to /oic/res/, the client will be able to discover any resource by only knowing its type. Sure, the client won't be able to make changes on the resources, or see its values. But the client will know that the resource exists...

Can you guys give me some light as to how to properly secure the discovery of resources?

Thanks in advance,
Eduardo Maia

2018-01-12 18:09 GMT-03:00 Mats Wichmann <[email protected]>:

On 01/12/2018 01:46 PM, Gregg Reynolds wrote:
> On Jan 12, 2018 2:24 PM, "Thiago Macieira" <[email protected]> wrote:
>
> On Friday, 12 January 2018 09:24:28 PST Filipe de Melo Silva wrote:
>> So, are you saying that it is impossible to reproduce this situation? Suppose that we have a resource that can be discovered ONLY by a certain kind of user (ex.: Administrators), does IoTivity support it?
>
> I'm not sure that's a valid use-case. It may be that all resources are discoverable,
>
> As I read the spec, Discovery (which is really just RETRIEVE) is just like any other request: maybe secure (i.e. authenticated), maybe not. Secure GET /oic/res requires an authenticated client, and only exposes resources for which that client is authorized. So it is not the case that all resources are discoverable by any client.
>
> G

The essence of the trick is that if you perform discovery on a device using its /oic/res, it has to answer, but it doesn't have to answer revealing anything private; it can instead respond effectively with "call me back on a secure line and we can talk". Then when you do that, the ACLs are applied.

_______________________________________________
iotivity-dev mailing list
[email protected]
https://lists.iotivity.org/mailman/listinfo/iotivity-dev
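The four visibility cases Dave lists, Mats's "call me back on a secure line" answer for an unsecured GET /oic/res, and Eduardo's worry that a type filter could reveal hidden resources, modelled as a small Python simulation. This is an added example written for this thread; it is not IoTivity code and not anything posted by the participants. The Resource and Device classes, the ACL format (a set of allowed subject ids per href), the secure endpoint address, and every href, resource type and subject id below are assumptions constructed for the example.

```python
"""Constructed model of OCF discovery visibility (not IoTivity code).

One resource per case from the thread:
  case 1 - not listed anywhere, usable only if the full URI is known
  case 2 - listed publicly, even to clients that may not operate on it
  case 3 - listed only to authenticated clients (all of them)
  case 4 - listed only inside an oic.if.ll collection that has its own ACL
The unsecured /oic/res answer carries only case-2 links plus the secure
endpoint to call back on; ACLs are applied on the secure channel.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    href: str
    rt: str                    # resource type, what a client passes in ?rt=
    listed: bool = True        # False: never appears in /oic/res (cases 1 and 4)
    secure_only: bool = False  # True: listed only to authenticated clients (case 3)
    links: tuple = ()          # non-empty: an oic.if.ll collection listing other hrefs (case 4)


class Device:
    def __init__(self, resources, acl, secure_ep):
        self.resources = {r.href: r for r in resources}
        self.acl = acl              # href -> set of subject ids allowed to RETRIEVE ("*" = anyone)
        self.secure_ep = secure_ep  # assumed address of the secure (DTLS) listener

    def _allowed(self, href, subject):
        allowed = self.acl.get(href, set())
        return "*" in allowed or (subject is not None and subject in allowed)

    def discover(self, subject=None, secure=False, rt=None):
        """Answer GET /oic/res[?rt=...].

        Identity on the plain channel is untrusted, so only public links are
        returned, together with the secure endpoint to call back on. Over the
        secure channel any authenticated client also gets the case-3 links.
        Unlisted resources (cases 1 and 4) never appear, and an rt filter is
        applied after the visibility rules, so it cannot reveal them either.
        """
        authenticated = secure and subject is not None
        links = []
        for r in self.resources.values():
            if not r.listed:
                continue
            if r.secure_only and not authenticated:
                continue
            if rt is not None and r.rt != rt:
                continue
            links.append(r.href)
        return {"links": links, "eps": [] if secure else [self.secure_ep]}

    def retrieve(self, href, subject=None, secure=False):
        """Answer GET <href>: the ACL is applied here, listed or not.

        Unknown and denied hrefs get the same answer, so a probe with a
        guessed URI cannot confirm that a case-1 resource exists.
        """
        if not secure:
            subject = None  # unauthenticated requests carry no trustworthy identity
        r = self.resources.get(href)
        if r is None or not self._allowed(href, subject):
            return "unauthorized"
        if r.links:
            # oic.if.ll collection: this is where case-4 members become discoverable
            return {"links": list(r.links)}
        return "ok"


def demo_device():
    """Constructed device; hrefs, types, subjects and endpoint are made up."""
    resources = [
        Resource("/light", "oic.r.switch.binary"),                       # case 2
        Resource("/thermostat", "oic.r.temperature", secure_only=True),  # case 3
        Resource("/hidden", "oic.r.switch.binary", listed=False),        # case 1
        Resource("/admin", "oic.wk.col", links=("/maintenance",)),       # case 4 collection
        Resource("/maintenance", "oic.r.maintenance", listed=False),     # case 4 member
    ]
    acl = {
        "/light": {"admin", "user"},   # visible to all, operable only by these
        "/thermostat": {"admin", "user"},
        "/hidden": {"admin"},
        "/admin": {"admin"},
        "/maintenance": {"admin"},
    }
    return Device(resources, acl, "coaps://device.example:5684")
```

Calling `demo_device().discover()` (plain channel, no identity) returns only `/light` and `/admin` plus the secure endpoint; the same call with `rt="oic.r.switch.binary"` still returns only `/light`, not `/hidden`. Only an `admin` subject retrieving `/admin` over the secure channel learns that `/maintenance` exists, which is the app-implemented case 4 Dave describes.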
