Thanks, Karthikeyan Prakash. On Mon, Dec 26, 2016 at 10:59 AM, Gregg Reynolds <dev at mobileink.com> wrote:
> > > On Fri, Dec 23, 2016 at 6:58 PM, Heldt-Sheller, Nathan < > nathan.heldt-sheller at intel.com> wrote: > >> I think this question was already answered by Prakash on Tuesday 12/20, >> > > I'm not entirely sure, because the Spec is not exactly a paragon of > clarity, but my view is that Prakash's answer was incorrect. Or at least > unclear. He said: > > "IoTivity Secured Servers can be discovered by any Secured Clients. There > is nothing like authorization to check whether it is authenticated device." > > > To be honest, I am not at all sure what that means, but I'm pretty sure > it's wrong. To me, "secured" means exactly that encryption, > authentication, and authorization are enabled. (But "secured" is used very > loosely in Iotivity, so who knows?) "Secured Servers" and "Secured > Clients" is pretty close to meaningless, since the obvious next question is > "Secured how, and for what?". A credentialed client that is not granted > permission to read/discover resource "foo" by the server's ACL is still a > "Secured Client". > This process as I mentioned is only on the initial setup of the Client and Server Communication. In IoTivity it is mentioned as the Ownership Transfer which happens after the discovery part. Initially the Client discovers all the servers which holds Owned=False credential and it can be discovered by any of the clients. After the server is done with OT the ACL comes into picture. Once the OT is done, the server hold the credential about the client which are granted permission to discover. My reply was intended to the particular question and not generalised. The > > The Security spec v. 1.1.1 says, on page 26: > > "To achieve extensibility and scalability, this specification does not > provide a mandate on discoverability of each individual resource. > Instead, the OIC server, holding the resource will rely on ACLs for each > resource to determine if the requester (the client) is authorized to see/ > handle any of the resources." > > The problem (IMO) is that the specs are rather poorly written. Or maybe > "very poorly written" would be more honest. grrrr. > > The critical point is that "discovery" is not an OCF operation. It's > something you do with GET and multicasting, and creds, and ACLs, just like > any other resource action. See p. 100 of the security spec, which includes > "discover" in the "R" access policy - to allow discovery, your ACL must > include that, AFAIK. There is not, to my knowledge, anything in the Spec > that addresses discovery as distinct from GET etc. So the discoverability > of resources is subject to the same security constraints as any others, > which means in particular - to address the OP's question - that it is not > the case that "any client capable of discovering whatever device running > the stack". Since a "device" is just a resource, like any other. > > HTH > > gregg > > _______________________________________________ > iotivity-dev mailing list > iotivity-dev at lists.iotivity.org > https://lists.iotivity.org/mailman/listinfo/iotivity-dev > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.iotivity.org/pipermail/iotivity-dev/attachments/20161226/fa24ee5d/attachment.html>
