httpslocal / usecases Goto Github PK

Regarding a device CA, one of the things we need to clarify is whether such a domain in certificates issued by such a CA could be restricted to one domain or its subdomain or not. in other words, if such a restriction would be impossible, the CA would have to be a public CA.

If you have an interest and/or knowledge about this issue, any information or proposal, e.g. standards about domain-restricted CA if any, would be welcome.

This issue is to discuss use cases and security requirements of devices in the local network delegated by a gateway in the public IP address scope like Things Project by Mozilla.

This one is slightly easier to enforce because you have to have an USB link-local connection to it but the idea is that RGB mice would provide a web interface instead of spyware-loaded "drivers". It's obviously local networking (altho not "LAN") and shouldn't be accessible by random webpages at all.

We might have to introduce requirement ID (REQ-1, etc.) into requirements section.

This is a minute thing but I think UC-01 and UC-06 are similar.

I'd like to remove UC-06. what's your take on this?

Unless I hear from you to the contrary, I'll send a PR.

I think device discovery functionality is an optional feature but it looks mandatory in the current draft.

We don't have any requirements mapped to UC-07, which mentions intranet only network.

According to CfC, we would like to start to draft the CG Report on Use Cases and Requirements.

• Preview: https://httpslocal.github.io/usecases/
• Draft (Bikeshed): https://github.com/httpslocal/usecases/blob/master/index.bs

The HTML version of this draft is generated by Bikeshed. Python 2.7 is required to run Bikeshed. To generate the HTML version by Bikeshed in your Python environment (e.g. virtualenv), you should run:

$ bikeshed spec index.bs index.html

Currently, the original version of bikeshed causes an error when trying to generate a CG report for HTTPSLocal. To avoid such an error, please clone and run the modified version of Bikeshed by @tomoyukilabs in httpslocal git branch: https://github.com/tomoyukilabs/bikeshed/tree/httpslocal.

I would expect internet routers being the first use case: Users want to access the web-based configuration interface of their internet router via HTTPS - because the browsers show warnings when they see password fields on non-https pages.

I would consider an use case similar to UC-3, but without the frontend page loading from the internet, but locally. This would be possible with Service Workers, that now are under developement also in WebKit.

With HTTPSlocal and Service Workers would be possible to have a fully working comunication in an offline environment with the browser, requiring the page to be loaded online only once (and maybe refreshed every X days).

Sorry for my poor knowledge, I just wanted to explain my personal use case and show my support. Thank you.

This issue is a meta issue to assign mapping specs in RelevantIETFDocuments onto RelevantSpecs.md to myself.

IOT devices like sensors and actuators are usually small microcontrollers with some kind of network connection. These devices needs to be setup for communication with some edge server.

This setup is mostly done with an internal webserver. This service can be enhanced with a web interface.

My particular case is an ESP32 microcontroller is controlling several buttons and displays. This device has many settings:

• which MQTT server is used
• what are the MQTT topics published
• what MQTT topics are displayed on the display
• many more

Also the firmware must be upgradable.

To update these settings a JSON object can be downloaded and uploaded which contains the settings. I created an React (javascript) web application which makes this user friendly. This application is hosted on a secure https domain. However, if you make http (no https) call to the ESP32 these call are blocked because they are 'Mixed content'. So the webserver on ESP32 must support https!

At the moment, we cannot go to https://httpslocal.github.io/usecases from this repository (README). We need to add the link.

In parallel with use cases and requirements clarification work, we would like to collect IETF standards and internet drafts relevant to local network services. Specs and drafts collected here can include but not limited to:

• service discovery
• certificates and PKI
• local network architecture and domain name issue (like .local)
• authentication and authorization
• etc.

At this moment I haven't prepared any draft or template yet. Any forms of contributions and proposals are welcome.

@yoneyajp If time permits, could you facilitate this work?

So this project is dead but like, what if there was a way to buy a game and when you run it it spawns a webserver and opens your browser. if other ppl in the LAN wanna join you can open to LAN and they don't need to buy the game separately they can just join.

All you need is unrestricted same-origin networking and WebGL. everything else can be removed. and because it's not a secure context, other websites wouldn't be able to access it either, so it's a win-win all around. (and proxying trophies and whatnot through the server is like, fine. it's the same LAN so who cares, it's not like it's gonna use more internet if you have data caps.)

we would like to collect use cases where browsers communicate with web-server-capable via HTTP and/or WebSocket over TLS, for the purpose of clarifying network and security requirements. Summary of TPAC breakout session would be useful to understand why considering use of HTTPS/WSS seems to be necessary for devices in local network.

If you find another use case, please submit a Pull Request to add it to UseCases.md, or add your comment to this issue.

As a next step, I would like to start analyzing requirements. While the following items could be examples, I would like to ask you to add or modify them. Since these would be dependent on use cases, these items should be clarified per each use case.

• Network environment: a local network and/or a global network
• Certificate issuer: public CA / corporate or organizational CA / private CA
• Privacy scope: public / per service or device manufacturer / private
• ...etc.

@dajiaji Could you add an initial proposal, base on use cases indicated by you?

Text-To-Speech (TTS)

While the Web Speech API does provide basic capability to communicate with the local speech dispatcher socket speechd some functionality is not available, including

• SSML input
• File input
• File output

Speech-To-Text (STT)

Currently only Chrome, Chromium browsers implement STT. That functionality is based on recording the user voice (or other audio output) locally and sending that recording to a remote server, therefore, also some functionality is not available, including

• Local STT processing
• File input
• File output

Current workarounds

• https://github.com/guest271314/SpeechSynthesisRecorder (record audio output of speechSynthesis.speak() to get a file output)
• https://github.com/guest271314/SpeechSynthesisSSMLParser (parse SSML before executing speechSynthesis.speak() where espeak and espeak-ng accept SSML input directly)

TL;DR

• How to programmatically send a unix socket command to a system server autospawned by browser or convert JavaScript to C++ souce code for Chromium?
• https://bugzilla.mozilla.org/show_bug.cgi?id=1425523
• https://bugs.chromium.org/p/chromium/issues/detail?id=795371
• WICG/speech-api#10
• WICG/speech-api#56
• mozilla/DeepSpeech#2401

Direct communication with one or more local TTS/STT applications and control of local audio input and output devices over HTTPS/WSS are the use cases descibed in this issue.

Can file a PR for this if necessary.

I think we need to add privacy related requirements. I'll send a PR later.