Security is a house of many mansions. Data integrity, confidentiality, non-repudiatability, authorization, authentication, etc.
The Iotivity docs systematically conflate these attributes, resulting in confusion for devs who are not sec experts. Transport-layer security and access control security are totally orthogonal. The former is about integrity and confidentiality; the latter is about, well, something else. But every bit of Iotivity doc I have seen fails to make that critical distinction. If we want to increase uptake of OCF, this is a problem.

For example, it is just wrong to say that OC_SECURE means a resource is secure. It only means that access to the resource must go thru d/tls. That's about the endpoint connection, not the resource. Access control is a completely separate issue afaik. Then we have compiling with SECURED or not.

Alas, I have not yet come up with better language. But if we want to attract devs we need clearer language.

G