This document provides an overview of the current technology landscape as seen by the W3C WoT interest group.

This is a template to capture the inputs from the wiki into a deliverable format.

Please contribute using github or the direct edit.

Terminology

This document uses the following terms defined elsewhere:

CoAP
Acronym for Constrained Application Protocol [[!rfc7252]]
HTTP Server
An application program that accepts connections in order to service HTTP requests by sending back HTTP responses [[!di-gloss]]
Internet of things (IoT)
A global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies. [ITU-T Y.2060]
IRI
Acronym for Internationalized Resource Identifier. An IRI is a sequence of characters from the Universal Character Set (Unicode/ISO 10646) [[rfc3987]]
JSON
Acronym for JavaScript Object Notation [[!RFC4627]] [[ECMA-404]]
P2P
Peer-to-peer
Resource
Anything that might be identified by a URI or IRI [[!webarch]]
Thing
With regard to the Internet of things, this is an object of the physical world (physical things) or the information world (virtual things), which is capable of being identified and integrated into communication networks. [ITU-T Y.2060]
Thing Description
Description about a thing - interfaces, data and aspects of a Thing
URI
Acronym for Uniform Resource Identifier. A simple and extensible means for identifying a resource. [[!rfc3986]]
User Agent
One type of Web agent; a piece of software acting on behalf of a person. Browsers are examples of user agents, as are web robots that automatically traverse the web collecting information. [[di-gloss]] [[webarch]]
Web agent
A person or a piece of software acting on the information space on behalf of a person, entity, or process. [[!webarch]]
Web of Things (WoT)
A way to realize the IoT where (physical and virtual) things are connected and controlled through the World Wide Web. [ITU-T Y.2063]
WoT Client
a logical entity that accesses an WoT Resource on an WoT Server
World Wide Web
An information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI). [[!webarch]]

Tech landscape for Thing description

Data model & Vocabulary & TD Model

Metadata & Metamodel

Serialization

Serialization formats suitable for representing Thing Descriptions are surveyed here.

Datatype description

Functional Description

Functional descriptions for RESTful APIs, hypermedia controls are surveyed here.

Tech landscape for Thing discovery

The aim of this technology landscape for discovery mechanisms for the Web of Things is to collect candidate discovery technologies, evaluate them, and to derive generic discovery interaction patterns. The list of discovery categories can be found in this section. The identified discovery interaction patterns are presented in this section. An evaluation of identified technologies can be found in this section. Further, we analyzed which discovery technologies are supported by which IoT consortia. This analysis can be found in this section.

Categories of Thing Discovery

Finding Things around me

This category of discovery includes technologies that allow to discover things around me (in a spatial sense).

Optical markers

  • this includes e.g. barcodes and QR codes which can be visually read and decoded by a program (e.g. by an app)
  • max range: vicinity of client
  • Interaction style: pull (client initiates interaction)

NFC

  • Near field communication (NFC) employs electromagnetic induction between two loop antennae when NFC devices (e.g. 'smart phone' and 'smart object') interact. NFC operates on globally unlicensed radio frequency ISM band of 13.56 MHz.
  • builds up on RFID by allowing two-way communication between endpoints
  • e.g. NFC can be utilized to bootstrap more powerful communication connections (e.g. Bluetooth or WiFi) between two devices
  • max range: ~10 cm

Markerless recognition

  • augmented reality technique using sensors such as accelerometer, camera, compass, GPS to determine client's location and field of view. Based on derived position, surrounding things are discovered.
  • implemented e.g. by AR browser LAYAR or AURASMA
  • max range: vicinity of client
  • Interaction style: pull (client initiates interaction)

UriBeacon (Google's Physical Web)

  • Base technology: Bluetooth Low Energy
  • BLE-enabled device periodically transmits an advertising packet containing a URI.
  • UriBeacon approach does not require an app. Since URI is identifying a beacon, standard Web mechanisms (DNS) can be used for resolving
  • UriBeacon is now part of the Eddystone open source project which allows to send other beacon formats in addition to URLs. Eddystone supports broadcasting URLs via its Eddystone-URL frame type.
  • max range: 100 meters (see: http://www.bluetooth.com/Pages/low-energy-tech-info.aspx)
  • Interaction style: push (beacons broadcast information)
  • https://github.com/google/uribeacon/tree/master/specification

iBeacon (Apple)

  • Base technology: Bluetooth Low Energy
  • BLE-enabled device periodically transmits an advertising packet containing a UUID.
  • iBeacon requires an app that is enabled to read whitelisted objects. UUID resolution requires an additional server.
  • max range: 100 meters (see: http://www.bluetooth.com/Pages/low-energy-tech-info.aspx)
  • Interaction style: push (beacons broadcast information)
  • https://developer.apple.com/ibeacon

Finding Things on my network

This category includes technologies that allow discovery of endpoints of things on the network.

mDNS (+ DNS-SD)

  • Base technology: IP + UDP
  • multicast DNS (mDNS) resolves host names to IP addresses within small networks. When an mDNS client needs to resolve a host name, it sends an IP multicast query message that asks the host having that name to identify itself. That target machine then multicasts a message that includes its IP address. All machines in that subnet can then use that information to update their mDNS caches.
  • often used in conjunction with DNS-SD that allows clients to conduct simple service discovery using standard DNS queries.
  • part of 'zeroconf' technology suite
  • implemented e.g. by Apple Bonjour
  • Interaction style: pull (client initiates communication)
  • https://tools.ietf.org/html/rfc6762 (+ https://tools.ietf.org/html/rfc6763)

Multicast CoAP

  • Base technology: IP + UDP + CoAP
  • CoAP supports making requests to an IP multicast group.
  • Clients can use multicast CoAP and the "All CoAP Nodes" multicast address to find CoAP servers. CoAP servers listen on the "All CoAP Nodes" address and the default CoAP port to reply to clients.
  • in combination with CoRE Link Format: a GET request to the appropriate multicast address is made for '/.well-known/core' (https://tools.ietf.org/html/rfc6690)
  • Interaction style: pull (client initiates communication)
  • https://tools.ietf.org/html/rfc7252

SSDP

  • Base technology: IP + UDP + HTTPU + SOAP
  • used by UPnP for discovery
  • 'Simple Service Discovery Protocol' (SSDP)
  • In order to discover SSDP services, an SSDP client multicasts a HTTP UDP discovery request to the SSDP multicast channel/Port. SSDP services listen to the SSDP multicast channel/Port. If a SSDP service hears a HTTP UDP discovery request that matches the service it offers then it will respond using a unicast HTTP UDP response.
  • Interaction style: pull (client initiates communication); however, some UPnP devices also push info periodically
  • https://tools.ietf.org/html/draft-cai-ssdp-v1-03

WS-Discovery

  • Base technology: IP + TCP/UDP + SOAP et al.
  • specifies multicast discovery via web service based communication; avoids the need for centralized registries in smaller networks.
  • used by OASIS' Device Profile for Web Services (DPWS)
  • implemented e.g. by Microsoft Web Services on Devices API
  • Interaction style: pull (client initiates communication)
  • http://docs.oasis-open.org/ws-dd/discovery/1.1/os/wsdd-discovery-1.1-spec-os.html

XMPP Service Discovery

  • Base technology: IP + TCP + XMPP
  • discovering information about other XMPP entities (e.g. user). Two kinds of information can be discovered: (1) the identity and capabilities of an entity and (2) the items associated with an entity, such as the list of rooms hosted at a multi-user chat service.
  • Interaction style: pull (client initiates communication)
  • http://xmpp.org/extensions/xep-0030.html
  • update: http://xmpp.org/extensions/xep-0115.html#discover

µPnP

  • Base technology: IP + UDP + CoAP + IPSO
  • CoAP support makes use of CoAP's Resource Directory. Modified 802.15.4 link layer for support of uPnP. Resources formatted using IPSO Objects.
  • http://www.micropnp.com/ipso/index.html

Searching in directories

In contrast to the above technologies, here, a central directory can be used for discovery of things and resources. Queries can be submitted to the directory to search for things and/or resources.

CoRE Resource Directory

  • Base technology: IP + UDP + CoAP
  • Resource Directory (RD) hosts descriptions of resources held on other servers, allowing lookups to be performed for those resources
  • Also defines lookup interface that allows simple queries (e.g.: GET /rd-lookup/res?rt=temperature )
  • https://tools.ietf.org/html/draft-ietf-core-resource-directory-04

XMPP IoT Discovery

  • Base technology: IP + TCP
  • Thing Registry can be searched for public Things and their metadata (various tags, e.g., location or serial number). A search is performed by providing one or more comparison operators in a search request to the registry.
  • http://xmpp.org/extensions/xep-0347.html#search

HyperCat

  • Base technology: IP + TCP + HTTP
  • HyperCat is an open, lightweight JSON-based hypermedia catalogue format for exposing collections of URIs. HyperCat catalogue may expose any number of URIs, each with any number of resource description framework-like (RDF-like) triple statements about it.
  • http://www.hypercat.io/standard.html

Push API

  • Base technology: HTTP + web push protocol
  • The Push API enables sending of a push message to a previously registered Service Worker of a web application via a push service, e.g. allowing the web application to resume on this device. The Push API makes it possible to discover, awaken and connect user devices.
  • https://w3c.github.io/push-api/
  • https://tools.ietf.org/html/draft-ietf-webpush-protocol-02

SIR

  • Base technology: IP + TCP + HTTP + XML
  • Discussion paper at the Open Geospatial Consortium (OGC) and part of the Sensor Web Enablement (SWE) framework.
  • Sensor Instance Registry (SIR) is a web service interface for managing the metadata and status information of sensors. Furthermore it is capable of automatically harvesting sensor metadata, and transforming the collected metadata sets into a homogeneous data model.
  • https://portal.opengeospatial.org/files/?artifact_id=40609

SPARQL Endpoints

  • Base technology: IP + TCP + HTTP + RDF
  • a SPARQL endpoint of a central triplestore accepts advanced queries (generally consisting of SELECT/WHERE statements) for RDF data.
  • http://www.w3.org/TR/2013/REC-sparql11-overview-20130321/

Research article: "Mobile digcovery: A global service discovery for the IoT"

  • A centralized infrastructure that allows registration of sensors. Employs 'digrectory' to handle different resources. Each directory is attached to a particular communication technology, such as NFC, IPv6 etc. A mobile app enables users to discover and access sensors. Discovery mechanism takes advantage of geolocation and context awareness.
  • http://dx.doi.org/10.1109/WAINA.2013.261

Research article: "A discovery service for smart objects over an agent-based middleware"

  • Indexes all smart objects connected to the registry. Indexing is done based on domains. Discovery process is based on searching the indices.
  • http://dx.doi.org/10.1007/978-3-642-41428-2_23

Research article: "A Semantic Enhanced Service Proxy Framework for Internet of Things"

  • A semantic based framework which uses the concept of service advertisement of a smart object. Authors argue that such a mechanism makes the service registration easier which in turn facilitates discovery. The advertisement contains a service metadata including name, id, endpoint, location and semantic annotation link.
  • http://dx.doi.org/10.1109/GreenCom-CPSCom.2010.116

Searching across peers

In peer to peer discovery, the directory is essentially distributed across the peers. This is often based upon distributed hash tables which maps the search space into a numeric range and then allocates servers to parts of that range. The technique works well for scale free networks. It requires Peers in the P2P overlay to host parts of the RD and to have full connectivity and certain computing power in order to forward overlay messages, keep a consistent DHT and routing tables in the node. P2P Overlays tolerate certain amounts of churn but it would be impractical for constrained devices to participate as full peers on the DHT.

"RFC7650": CoAP usage for RELOAD

  • Base technology: IP + UDP/TCP + CoAP
  • CoAP Usage for RELOAD allows CoAP nodes to store resources in a RELOAD peer-to-peer overlay, provides a lookup service, and enables the use of RELOAD overlay as a cache for sensor data. RELOAD is a DHT-based (Chord) P2P protocol of IETF.
  • https://datatracker.ietf.org/doc/rfc7650/

"IETF Draft": Distributed RD

  • Base technology: IP + UDP/TCP + CoAP
  • This document defines a Distributed Resource Directory (DRD) for Constrained Application Protocol (CoAP). This case uses raw DHT with no RELOAD dependencies.
  • http://tools.ietf.org/html/draft-jimenez-distributed-resource-directory-00.html

Research article: "A Scalable and self-configurable architecture for service discovery in the IoT"

  • IoT gateways are backbones of the architecture. Gateways enable registration and un-registration of smart objects. A list of registered objects are maintained in a CoAP server. Service discovery is based on sending a GET request to ./well-known/core. In the distributed architecture several gateways are interlinked through two P2P overlays namely distributed local service (DLS) and distributed geographic table (DGT) to facilitate global service discovery.
  • http://dx.doi.org/10.1109/JIOT.2014.2358296

Accessing Thing metadata

Once a "service" has been discovered with the approaches above, next "resources" and/or general metadata access at thing level needs to be performed.

CoRE Link Format

  • Base technology: IP + UDP + CoAP
  • lists URIs (links) for the resources hosted by the server, complemented by attributes about those resources and possible further link relations. A well-known relative URI "/.well-known/core" is defined as a default entry point for requesting the list of links about resources hosted by a server.
  • https://tools.ietf.org/html/rfc6690

HATEOAS

  • Base technology: IP + TCP + HTTP (typically)
  • abbrv. for 'Hypermedia as the Engine of Application State'
  • principle of REST architectures (not a standard)
  • hypertext should be used to find your way through the API => client interacts with an application through hypermedia provided dynamically by application servers - no prior knowledge on how to interact, since links to resources are provided
  • http://restcookbook.com/Basics/hateoas/

SOS

  • Base technology: IP + TCP + HTTP + SOAP etc.
  • Standard by the Open Geospatial Consortium (OGC) and part of the Sensor Web Enablement (SWE) framework.
  • Sensor Observation Service (SOS) is a Web service interface which allows querying sensor measurements as well as sensor metadata. Advanced spatial, temporal and thematic filtering is possible to query measurements.
  • http://www.opengeospatial.org/standards/sos

Semantic Based Discovery

Several research articles using semantics for discovery can be found below.

A web service discovery computational method for IOT system

  • Zhou and Ma presents an ontology concept for vehicular sensors. The algorithm calculates semantic similarity, relativity and combines them to work out the maximum value of the required concepts of the web services. Then a matching degree is computed to find out the relevant web services. @[1]

Semantic Enhanced Service Proxy Framework for Internet of Things

  • The authors of @[2] have introduced a semantic based framework which uses the concept of service advertisement of a smart object. They mention that such mechanism makes the service registration easier which in turn facilitates discovery. The advertisement contains a service metadata including name, id, endpoint, location and semantic annotation link.

An evaluation of semantic service discovery of a U-city middleware

  • Another semantic based service discovery is presented in @[3]. It proposes a middleware which performs SD using semantic web technologies on the contextual
    • information inferred from sensor data.

Discovery Interaction Patterns

Evaluation of Discovery Technologies

In the following, we analyze the identified discovery technologies according to a set of evaluation criteria. Those criteria are listed below.

Evaluation Criteria

  1. Interaction Pattern
    2. This criterion specifies whether a discovery technology complies with the identified interaction pattern in that discovery category.
  2. Support of higher layer discovery
    3. This criterion specifies whether a discovery technology provides means to submit search queries based on terms used in the underlying data model, so the thing description. This includes searches such as e.g.: 'search all things with name X' or 'search all things with property XYZ'.
  3. Bootstrapping
    4. This criterion specifies whether means are provided to start/interact with things after discovery.
  4. Lifetime / sleepy nodes
    5. This criterion specifies whether sleeping times of constrained devices are directly considered by the discovery technology.
  5. Range
    6. This criterion specifies the spatial extent within which a discovery technology is functioning. This is important for the category “finding things around me”.
  6. Support for (physically) local/remote discovery of things
  7. Richness of query
    8. This criterion specifies to what extent contextual query parameters can be passed in a search query to discover things. E.g., this may include spatial parameters ('search all things in NYC') and temporal parameters ('search all things active yesterday'). In comparison to the criterion 'Support of higher layer discovery', this criterion looks at richer search query mechanisms that go beyond a basic search for terms of the thing description model.
  8. Ranking of results
    9. This criterion specifies how/if the discovery mechanism is capable of ranking search results.

Category: 1) Finding things around me

Technology Follows Identified Interaction Pattern Higher Layer Discovery Bootstrapping Sleeping Time Support Range Local / Remote Discovery Richness of Query Ranking of Results
Optical Markers No (marker cannot send messages) No Pointing to thing endpoint n/a vicinity of client Local (vicinity of client) n/a n/a
NFC No (NFC initiator [client]starts interaction with target [thing]) No Pointing to thing endpoint n/a < 10 cm Local n/a n/a
Markerless Recognition No (things are not part of interactions) Yes (could be supported by filtering out things on an AR layer) Pointing to thing endpoint n/a vicinity of client Local n/a n/a
UriBeacon Yes No Advertise message points to thing endpoint There is support for sleep state in BLE and depends on which power mode is being used in the thing. For lowest power mode, the radio is switched off completely and the thing will not periodically announce its URI. There are power mode configurations where the thing powers on once every so many seconds, broadcasts, listens, then goes back to sleep. < 100 m (link) Local (around the client) n/a (since this discovery is not initiated by manual search) n/a
iBeacon Yes No Advertise message points to thing endpoint Same as above (need to confirm) < 100 m (link) Local (around the client) n/a n/a

Category: 2) Finding things on my network

Technology Follows Identified Interaction Pattern Higher Layer Discovery Bootstrapping Sleeping Time Support Range Local / Remote Discovery Richness of Query Ranking of Results
mDNS Yes No (but can be implemented on application layer) Client receives an IP address of the thing for direct interaction No n/a Local (network point of view) N/A since there is no manual entry of keywords No
Multicast CoAP yes yes, if resource directory is used address, port, and resource descriptions No n/a Local (network point of view) N/A since there is no manual entry of keywords No
SSDP Yes No (only basic filtering for devices or services with a specific type) Client receives the endpoint of the UPnP device description No n/a Local (network point of view) N/A querying using keywords is not possible No
WS-Discovery Yes Only basic filtering is possible. They use the term 'scope' for this. Discovery happens in two steps: (1) find services and (2) locate a target service, i.e., to retrieve its transport address(es) No n/a Local (network point of view) basic querying using service types and scopes No
XMPP Service Discovery No Yes (Two kinds of information can be discovered: (1) the identity and capabilities of an entity, including the protocols and features it supports; and (2) the items associated with an entity, such as the list of rooms hosted at a multi-user chat service) Provides information on identity and capabilities of an entity. No n/a Local discovery basic querying which discovers entity, features etc No

Category: 3) Searching in Directories

Technology Follows Identified Interaction Pattern Higher Layer Discovery Bootstrapping Sleeping Time Support Range Local / Remote Discovery (DOES THIS MAKE SENSE HERE??) Richness of Query Ranking of Results
CoRE Resource Directory Yes Yes, key-value-pair search based on tagged resources (e.g., "resource type", "interface type" etc.) is supported IP address & port of thing and list of resources matching the query No n/a Local and remote No. Not beyond tag concatenation. No
XMPP IoT Discovery Yes Yes Provides various metadata for discovered thing. Yes n/a Local and remote Basic (the spec is not finalized) No
HyperCat Yes Yes, flexible key-value-pair search based on tagged resources is supported Provides reference to thing. No n/a Local and remote No. Not beyond key-value-pairs. No
Push API Yes (???) Yes, through notifications Yes, Service Worker runs in the background n/a Yes (???) (???)
Sensor Instance Registry Yes Yes (bound to SensorML as thing description) Provides rich metadata description (SensorML) of discovered device No n/a Local and remote Yes. Spatial and Temporal queries. No
SPARQL Endpoint Yes Yes (flexible search interface - independent of underlying thing description) Provides description of discovered thing. No n/a Local and remote Yes, high flexibility in query formulation. Yes (with 'order by')

Category: 4) Searching across Peers

Technology Follows Identified Interaction Pattern Higher Layer Discovery Bootstrapping Sleeping Time Support Range Local / Remote Discovery Richness of Query Ranking of Results
CoAP RELOAD No pattern has been investigated See CoAP RD See CoAP RD No n/a Local and remote See CoAP RD No

Category: 5) Accessing thing metadata

Technology Follows Identified Interaction Pattern Higher Layer Discovery Bootstrapping Sleeping Time Support Range Local / Remote Discovery Richness of Query Ranking of Results
CoRE Link Format Yes No Yes, this format can be used for bootstrapping. No n/a Local and remote Low. Just direct access to metadata. Can be used by application layer to rank results
HATEOAS No (typically, not one metadata document, but information distributed and advertised via links) No Bootstrapping information can be gathered by following links. No n/a Local and remote Low. No
Sensor Observation Service Yes No Yes, it returns SensorML when metadata is queried. No n/a Local and remote Medium. Temporal queries are supported. No

Discovery Technologies used by IoT Consortia

Below we analyze which discovery technologies are used by related IoT consortia, initiatives, and working groups. "--" equals NO (not supported).
Consortium Focus Domain 1. Category: Finding things around me 2. Category: Finding things on my network 3. Category: Searching in Directories 4. Category: Searching across Peers 5. Category: Accessing thing metadata
IETF all -- mDNS; Multicast CoAP; SSDP CoRE Resource Directory CoAP RELOAD CoRE Link Format
OMA all -- -- OMA LwM2M uses CoAP -- OMA LwM2M can be extended to work with CoRE Link Format
OIC all  ?  ?  ?  ?  ?
Allseen Alliance smart home About Announcement mDNS  ? -- --
IPSO Alliance all -- Not explicitely supports this but CoAP can be extended CoAP -- CoRE Link Format
oneM2M telecomunication (Note from Soumya - oneM2M proposes to be independent of the underlying network and does not propose any specific protocols to work with. But they have worked on binding to HTTP and MQTT) Possible through UriBeacon Possible through mDNS Possible through CoAP -- CoRE Link Format
ThreadGroup smart home  ?  ?  ?  ?  ?
Hyper/Cat smart cities -- -- HyperCat Catalogue -- --
Open Group  ?  ?  ?  ?  ?  ?
OGC SWE smart cities, environmental monitoring -- -- Sensor Instance Registry -- Sensor Observation Service

Tech landscape for APIs and protocol mappings

Protocols

Rapidly changing sensor readings

REST or representational state transfer assumes that requests/responses transfer the state of the resource, but what does that mean when the state is constantly changing?

This has been addressed by creating extensions to the REST design style, both in CoAP Observe and HTTP EventSource, that allow for multiple serial state changes to be returned asynchronously in response to a request. The client/application simply responds to these using a handler and applies the resource state changes to the application state.

For example, if the application is a thermostat, the asynchronous temperature state updates invoke a handler that evaluates the thermostat mode and other controls and decides, on each response from the sensor, whether to turn the heating system on or off, heat or cool mode.

Additionally, a request can provide the URI for asynchronous call backs. This provides the notion of a subscription, or binding, where you may CREATE (POST) a control to a location that starts "web callbacks" which are POST or PUT operations sent to the destination address configured by the CREATE operation.

These patterns are becoming more well known and are described in the abstract transfer layer proposal.

In the CoRE Interfaces draft, there is a description of Observe Attributes, which are additional controls on the Observation. For example, the pmin attribute specifies the minimum interval between responses. By using pmin in conjunction with a content format that allows batch sample reporting (e.g. SenML) rapidly changing samples may be buffered at the source and sent as a batch in each periodic notification. Additional conditional observe attributes are defined and being defined to provide additional controls and filtering. These are appropriate for including in the payload when creating a subscription or binding.

Additionally, in a REST based hypermedia system, resources may be assigned media types and content formats that are designed for media streams. This works like a websocket upgrade, where a separate socket connection is made from the media stream data source to the handler in the application.

Resource Models & Protocol mappings from Consortia

  • ISO/IEC/IEEE P21451-1-4
    • approach is driving XMPP as IoT solution
    • emphasis on connecting of different (legacy) protocols to/over XMPP transport
    • strong security focus (domain federation and identity)
    • protocol-agnostic model
  • IETF Constrained RESTful Environments (CoRE)
    • Adjunct specifications and recommendations around CoAP
    • Provide an ecosystem for mainly RESTful IoT applications (but also pub-sub for instance)
    • Usually also applicable to HTTP (except for CoAP-specific features, e.g., involving observe)
    • Building blocks:
      • CoRE Link Format (RFC 6690): Format for collection of Web links with additional attributes, e.g., resource type (
        rt
        ) as semantic tag and interface (
        if
        ) for interaction type labels
      • CoRE Resource Directory (I-D): Registry for devices (and services) that supports updates, de-registration, and various look-ups as well as availability management (registration lifetime, heart beats)
      • CoAP over TCP/TLS (I-D): CoAP transport binding for legacy networks (IPv4, NATs, middleboxes) and point-to-point use cases
      • CoRE Interfaces (I-D): Collection of reusable interface definitions and patterns
      • CoAP PubSub (individual I-D): Publish-Subscribe mechanism modelled with CoAP methods
      • CoMI (individual I-D): CoAP Management Interface, enables the use and manipulation of datastores described by YANG modules over CoAP (HTTP version is called RESTCONF). YANG (RFC 6020) is IETF's data modeling language used for all recent device/network management work.
  • OMA (Mohammed Dadas / Orange, bryant sullivan / AT & T?)
  • LWM2M
  • GotAPI
  • OIC (Daniel Park, Michael Koster)
  • IPSO Alliance (Michael Koster)
  • oneM2M (Soumya to outreach: Martin Bauer,Omar.)
  • Hyper/Cat (TF-DI? -> Soumya, probably more related to TD)
  • Open Group (Dave to outreach)
  • OGC SWE (sensor things API - outreach to steve liang)
    Model for "Things"
    Protocol mapping
    Resource structure / web API
    Client-side scripting API to acces remote things
    Server-side API to create/expose things
    Additional, platform specific findings of interest for this landscape
  • ECHONET Consortium (Naka-san, Kazuo Kajimoto -> Johannes will copy from wiki)
    Model for "Things"
    Protocol mapping
    Resource structure / web API
    Client-side scripting API to acces remote things
    Server-side API to create/expose things
    Additional, platform specific findings of interest for this landscape
  • Allseen Alliance
    Model for "Things"
    Yes. See https://allseenalliance.org/framework/documentation/learn/core. Application exposes its services through a "BusObject" defining a set of interfaces, where each interface defines a set of Methods, Properties, and Signals (Events). Interface descriptions are XML-documents: https://allseenalliance.org/framework/documentation/learn/core/about-announcement/interface
    Protocol mapping
    AllSeen is an application layer concept that is tranport layer agnostic. Today mapping to TCP/IP and UDP/IP over WiFi, WiFi-Direct, Ethernet and PLC. Mapping to non-IP transports, e.g. Bluetooth LE, ZigBee or Z–Wave can be added. See https://allseenalliance.org/framework/documentation/learn/core/system-description/alljoyn-transport
    Resource structure / web API
    AllSeen is not web focused. Applications are written in C, C++, Obj-C, Java etc but it is probably possible to give access for web apps to an AllJoyn network through an AllSeen Gateway Agent.
    Client-side scripting API to acces remote things
    APIs are exposed in different native languages. See API refereence
    Server-side API to create/expose things
    APIs are exposed in different native languages. See API refereence
    Additional, platform specific findings of interest for this landscape
    For basics see architecture, system-description, learn

Potential scripting API patterns

Server-Side

There are numerous exisiting web api frameworks that can or could serve as current practise, e.g. refer to todobackend.com

Client-Side scripting APIs

  • W3C fetch API
  • W3C Presentation API: The W3C Second Screen Working Group works on a specification of an API that enables web content to access external presentation displays and use them for presenting web content. The specification aims to make presentation displays such as projectors or connected TVs, available to the Web and takes into account displays that are attached using wired (HDMI, DVI, or similar) and wireless technologies (Miracast, Chromecast, DLNA, AirPlay, or similar), but the Presentation API abstracts from these underlying protocols. It allows Browser vendors to implement the API on top of different protocols. The specification describes the conformance criteria for two classes of user agents: Controlling user agent: Web browsers that conform to the specifications of a controlling user agent must be able to monitor the availability of presentation displays, start new presentations, join or reconnect to running presentations and to exchange messages and binary data with presentations. Receiving user agent: Web browsers that conform to the specifications of a receiving user agent must be able to render presentations by providing the necessary inferfaces to accept launch or join requests from controlling user agents and to exchange messages and binary data with controlling pages. The concept of the Presentation API is relevant to the work of the this group since the WoT Thing API is intended to offer an API that abstracts from the underlying IoT protocols. The Presentation API can be seen as a concrete case of the generic Thing API if we consider presentation displays as kind of things that provide Thing Description with the necessary set of actions, properties and events to start and control presentations.
  • Geolocation API (Kaz to outreach chair)
  • NFC & Bluetooth API (Kaz to outreach)

scripting APIs to physical things

  • DAP Generic Sensor API (Johannes to outreach to tobie langel for basic design principles)
  • Vehicle API (Kaz to outreach chair)
  • Physical API such as WebGPIO API, WebI2C API: Browsers and Robotics CG is developing APIs for direct physical device (sensor, actuator) control via a general-purpose I/O (such as GPIO/I2C) from Webapps. Since those are very generic APIs that do not depend on devices, it is required to operate under the conditions of device safety (without destroying the devices). The concept of the API may be related to WoT IG work. Furthermore, in the future, there may be a variety of things and their APIs, so the concept may become a basis to discuss how to operate things safely. However, we have to consider that there might be several perspective and implementation method of GPIO/I2C operation, for example,
    • An improvement to current browser functionality for direct control devices from browsers.
    • An improvement to server side JavaScript (such as node.js) in order to control devices from the server side JavaScript (example).
  • johnnyfive (Johannes to outreach github-> maintainer )

embedded runtimes

  • node.js (Tibor)
  • micropython
  • Arduino (Dave Raggett)
  • CHIRIMEN: “CHIRIMEN” is a development environment that allows to control the physical devices (such as sensors and actuators) by Web browser technology. Their implementation includes hardware as a board computer, Web browser software (currently using B2G), and low-level device APIs (WebGPIO API and WebI2C API etc.) to control physical devices by web apps or JavaScript. It is developed by CHIRIMEN Open Hardware community and code-named “CHIRIMEN”. Their hardware and software have been released as open source.
  • ARM mbed
  • NodeMCU (Johannes to outreach)
  • Jerryscript

Tech landscape for Security&Privacy

While things may be of low value (say <50$) they can control (parts of) high value assets such as smart locks controlling access to homes or offices/factories. WoT aims at exposing the functonality of such things at public-facing endpoints in the Internet/Web. This establishes security as a top concern for WoT.

Things can reveal/expose data related to user habits such as lightning/heating practices or the human body such as heartbeat rates. This establishes privacy as another top concern for WoT. In the first place this refers to things owned/used by individuals esp. consumer goods. Privacy can also concern things owned/used by legal entities e.g. capital/investment goods such as health care equipment. But not all things owned/used by legal entities are subject to privacy concerns. There also are WoT scenarios which do not process individual user data such as industrial control systems.

This chapter provides the security&privacy landscape for WoT.

Takeaway

The WoT provides distributed IT-systems. The study of protecting distributed IT-systems started soon after their invention i.e. in the 60/70ies. So there is lots of prior art for security&privacy - collectively providing the current toolbox. But WoT needs security&privacy tools that are not yet present in the current toolbox. New security&privacy tools for WoT will come in 2 forms:

These new security&privacy tools need to come as (broadly resp. industry/domain-wide accepted) standards. These standards do not yet exist, they do emerge right now. This chapter elaborates on this hypothesis.

Inclusion of Physical Goods and Processes

The inclusion of physical goods and processes is the key differentiator between the Web-of-Things on the on hand and the Web-of-Services resp. the traditional Web (Web-of-Pages) on the other hand.

There are Web-of-Services and Web-of-Pages security&privacy requirements which translate to Web-of-Things in a straight-forward manner such as user authentication->thing authentication. For such requirements security&privacy mechanisms were established by other domains such as office/enterprise IT or Cloud computing. Corresponding standards and best practices do exist and may apply or may be translated to WoT. Note that constraints (number of instances, computing power, memory, IO and networking capabilities etc.) do change when considering the WoT image of a traditional requirement such as the authentication of a caller.

The inclusion of physical goods and processes also leads to security&privacy requirements or constraints with no real/good analogies in the digital World. These requirements resp. constraints are not yet covered by security&privacy technologies developed for existing domains. This includes security&privacy requirements as well as constraints such as:

Standardization

The W3C IG WoT is considering same as well as cross-domain interactions among resp. with things:

Thus, standards for security&privacy are mandatory for WoT. This refers to conventions for implementing security&privacy that are broadly resp. industry or application domain-wide accepted.

The state-of-the-art survey provided in this landscape document does consider existing and emerging standards for WoT security&privacy.

Technology Origin/Heritage

Numerous security&privacy-enabling tools do already exist. Prominent examples are Kerberos, SSL/TLS and OAuth. They were created to serve the needs encountered in office/enterprise IT (e.g. Kerberos), the classical Web (e.g. SSL/TLS) as well as new Web application styles esp. service-oriented applications, apps/REST APIs (e.g. OAuth). The corresponding mechanisms often are very mature i.e. they represent broadly accepted standards that are in large-scale production use.

This prior-art can help to address security&privacy for (parts of) WoT scenarios. But there is no guarantee that a (mature) security or privacy means with non-WoT origin/heritage does present a good match for WoT. For security/privacy mechanisms with non-WoT origin, fitness checks are needed.

Security&privacy mechanism with WoT or IoT origin are work-in-progress nowadays. They do not yet present the same maturity level (not yet broadly accepted standards, not yet in large-scale protection use). Hence (and for the time being) maturity checks are needed for security/privacy mechanisms with WoT origin.

Architectural Impact

Different security&privacy tools do have different impact on the architecture and implementation of WoT systems:

The former mechanisms require more attention during the architecture and design process than the latter.

Distribution of Complexity

Mechanisms invented <2010 for distributed IT-System security e.g. Kerberos, SSL/TLS, SAML happen to distribute logical and computational complexity quite evenly over client and server components.

This was a major issue for the Web app/API economy where 3rd pary developers create components (e.g. mobile apps) that interact with services provided by other parties. To overcome this obstacle the new generation security resp. security-enabling technologies invented >2010 (e.g. OAuth) distribute complexity unevenly:

The new approach tends to be a better fit for WoT than technologies with an even distribution of complexity.

Mechanisms' State-of-the-Art

The table below surveys potential building blocks for WoT security and privacy and identifies their current evolution stage (as of 2016-02-29):

- Informational Self-Determination Anonymization, Pseudonymization Authorization Management Authorization Enforcement Initial Authentication Single-Sign-On Confidentiality Data Origin Authentication, Integrity Credentialing Provisioning Status
UMA Core objective (through user-managed authorizations) - Addressed (users as primary policy management authorities) Addressed (push model, HTTP) - - - - - - IETF draft (individual submission to IETF oauth WG)
OATH - - - - Core objective (time, event or challenge-based OTP schemes) - - - Addressed (symmetric key containers and provisioning of symmetric keys) - IETF standards
OpenID Connect Side concern (users decide if their identity information is supplied to relying parties Implementation-specific - - Core objective (requests reports about [initial] authentication events) Core objective (SSO across organizations/domains and in the same domain) - - See OAuth See OAuth OpenID Forum standards
JWT - - - - Core objective (reports about [initial] authentication events) Side concern (allows to transfer and sustain information about authentication events) - - - - IETF standard
CWT - - - - Core objective (reports about [initial] authentication events) Side concern (allows to transfer and sustain information about authentication events) - - - - IETF draft (individual submission to IETF ace WG)
FIDO - Core objective (uses long-lived public key associations instead user names/identifiers) - - Core objective (framework for initial user authentication in the Web) - - - Side concern (defines the creation/supply of public/private keys to FIDO clients) - Submitted to W3C
OAuth - - Core objective (users or legal entities as policy management authorities) Core objective (push model, HTTP) - - - - Side concern (registration/management of OAuth clients) Side concern (registration/management of OAuth clients) IETF standards
OAuth-for-CoAP - - Core objective (legal entities as policy management authorities) Core objective (push model, CoAP) - (DTLS-based client authentication) - (no user actor) - - - - IETF working group draft (IETF ace WG)
DCAF - - Core objective (legal entities as policy management authorities) Core objective (push model, CoAP) - - - - - - IETF draft (individual submission to IETF ace WG)
DTLS - - - - Core objective (transport-level client/server authentication) - (does not define the transfer of authentication state across network servers) Core objective (transport-level message encryption) Core objective (transport-level signature) - - IETF standard
DICE - - - - As for DTLS - As for DTLS As for DTLS - - IETF working group draft (IETF dice WG)
JOSE - - - - - - Core objective (application-level encryption, JSON) Core objective (application-level signature, JSON) - - IETF standards
COSE - - - - - - Core objective (application-level encryption, CBOR) Core objective (application-level signature, CBOR) - - IETF working group draft (IETF dice WG)
OSCOAP - - - - - - Core objective (application-level encryption, CBOR or JSON) Core objective (application-level signature, CBOR or JSON) - - IETF working group draft (IETF ace WG)
SCIM - - - - - - - - - Core objective (manage metadata about system actors-not limited to users) IETF standards

Wrap-Up

As of today there are no broadly accepted protocol standards for authenticating and authorizing things. Current projects do either not address these challenges or create silos.
The IETF ACE working group happens to be the leading initiative in order to overcome this limitation:

From the perspective of the W3C IG WoT the (to-be-established) protocol standards for the authorization of actions and the authentication of actors in WoT should address/enable: For secure communications on transport-level, DTLS as well as TLS present commonly accepted standards. Their profiling/optimization for constrained devices and networks is a task that is currently ongoing. Note that securing communications on transport-level comes with limitations in the end-to-end security span which is achievable. For secure communications on application-level and secure storage, standards do exist for representing encrypted and signed data in JSON (a form-factor not suitable for very constrained components). Corresponding work is ongoing for CBOR (a form-factor suitable for very constrained components).

Moreover there are no commonly accepted standards for registering things resp. devices and supplying identity (meta-)data and credentials about things resp. devices as of now.

Tech landscape for decentralised P2P IoT

A decentralised, peer-to-peer (P2P) system is a collection of applications run on several local computers, which connect remotely to each other to complete a function or a task. A decentralised peer to peer overlay network manages connections between human and Internet of Things peers. The participants in the network are the peer nodes. The peer to peer network is scalable and an unlimited number of nodes can participate in the network.

Centralized corporate owned cloud is certainly an easier way to build out IoT platforms; however, the owners, application service providers, cloud service providers and authorities of these topologies have an influence upon the network and can exploit it. They can ban devices, spy on devices, and compromise the data integrity of the devices. In fact, the government can order the cloud service operators and centralised application providers to do all of these things.

In the near future, the doors, air condition units, and security system of homes will be fully internet connected. The users will be able to control their home automation system from a mobile phone device. It is essential that only the end user has full control over the IoT devices. Decentralised P2P Internet of Things aims to provide users with such exclusive and full control.

The following areas are in scope for decentralised P2P IoT

Security, including authentication, access control and data integrity

Existing and new standards

Protocols

Device discovery

Interoperability with client/server systems