Since Webthings is all about everything having a URL and polling instead of using something like MQTT, can’t COAP+DTLS be used in a manner in which everything gets a token key like the COAP+DTLS PSK method used by the Ikea Tradfri bridge? (where the psk is the QR code on the back)
If I understand correctly one can utilize a polling method as well as MQTT-style publish and subscribe to push event with COAP…
I refer to someone who seems to have explored this quite extensively:
Security. Trådfri uses CoAP+DTLS with a random Pre-Shared Key printed on the bottom of the device. You need physical access to the device to get this key and all communication with the gateway is always encrypted
An addon for this style of security for webthings seems like it would be highly advantageous while waiting for the “If/when a good solution for local HTTPS becomes available”, as you mentioned in your response above.
Also, as far as BeyondCorp at home practicality, while I don’t presume to know what the challenges would be, it seems that some work has been done on this that makes it at least seem like a something practically doable, for an professional developer to auto-implement some variation of it:
In the router image, we’d like to support separate VLANs, such that untrusted IoT devices can be separated from the trusted devices on your network (e.g. your smart phone)
Unfortunately while this seems like it would help a little bit, I think we’re getting to the point where no personal computer and no personal phone can normally be simply considered as “trusted” or “untrusted”.
E.g. Must users are completely unaware of the flood of network connections an average iPhone or Andriod makes when connected to wifi on a daily basis, as talked about in e.g., the privacy project at the New York Times newspaper.
Likewise, on both Macs and PC’s even apps bought through the native sandboxed Apple or Windows store leak a lot of information (including info about devices on a wifi network) that many users would strongly object to if they were are of it.
Point being, is that the user does not have control over what his/her device is doing, and he/she is often mislead about the vast degree privacy leakage, which of course affects security too.
There’s more trusted and less trusted, perhaps, but I think we are way beyond the days of trusted and untrusted.