On Mar 3, 7:51 am, Andy Buckingham <andy.bucking...@radiodns.org
> Just to let those interested parties know, I've made a few amends and
> added some inline comments to the draft specification after some
> further thought. It should all update live in the Google Doc:
> Look forward to hearing your thoughts soon.
Hi Andy and everyone else,
This is my first post to the list so I'll just quickly introduce
by saying that my name is Sean O'Halpin and I'm a Senior Software
in the Prototyping team in BBC R&D.
Here are some comments we have on the proposed RadioTAG spec version
First, some context: The points below arose out of discussions between
Andy Buckingham of Global and Chris Lowis and myself of BBC R&D during
a day long meeting on Thursday 3 March 2011.
Chris and I have been tasked with working within the RadioTag
specification process to help facilitate three outcomes: a) that
manufacturers adopt the specification; b) that it delivers useful
functionality to our audiences; and c) that it meets BBC policy
guidelines, in particular our security requirements.
There are three main areas we would like to comment on: first on the
focus of the specification and what should be included in it; next on
the Authentication and Registration protocol; and finally on the
structure of urls.
We're working on addressing the issues we raise here and will email
our proposals to the list early next week.
** General focus of specification
We think the focus of version 1.0 of the RadioTag specification should
be on what is required to enable a device to submit a tag to a tagging
service. This includes only Registration and Tag Submission.
We're not sure about the Tagged Events Feed in its current form. It is
not required to enable a device to perform tagging. Agreeing on the
format of the feed and exactly what metadata is included could occupy
many hours of discussion. For that reason, we'd like to move it into
an extension to the spec. (We'd also like to make it as compatible as
possible with RadioEPG but we won't get into that discussion here.)
We would like to exclude Syndication - it's not required for the base
functionality of tagging and we believe it can be better handled
somewhere other than on the device (e.g. on a account management web
page) and by better mechanisms (e.g. via OAuth).
In short, we're arguing to simplify what is required on the device to
perform tagging. More capable devices could take advantage of
extensions to provide a richer experience.
** The Authentication / Registration protocol
The PIN code is the only thing that can be used to associate a user
with a device.
This means collisions, spoofing, mistakes in entry and the eventual
exhaustion of PIN numbers are possible.
For example, Alice hits Register on her radio and gets the PIN
number 1234. Bob hits Register on his radio a minute later and gets
the PIN number 1243. Alice goes to the web site and mistakenly enters
the PIN 1243. She has now associated her account with Bob's radio and
will have access any tags Bob makes from that point on. When Bob tries
to register he's told that the device is already registered. The only
way to change that is to have some functionality on the radio to
invalidate the device id (which we would need to add to the spec, as
it is required on the device). Charlie in the meantime, who doesn't
even have a radio, creates an account and enters the PIN 1234. He now
has access to Alice's tags.
Another problem is resource exhaustion and denial of service attacks.
A PIN number is returned for every request to /.../<device_id>/.../.
As there is no provision for validating device ids, there is no way of
This makes it possible to exhaust PIN numbers or cause a rollover by
making multiple registration requests. It also makes it possible to
prevent registration by tying up all allocatable PIN numbers for the
duration of the PIN timeout.
A 4-digit PIN number allows only 10,000 combinations. This means you
can have only that many pending subscriptions at any one time.
Another and perhaps more important problem with the current spec is
that the only form of authentication is the uniqueness of the device
id. If there is no way to guarantee this uniqueness, there is also no
way to guarantee the authenticity of the request. As there is no
authorization token involved, there is only the request's assertion
that the request is being made on behalf of the specified device. This
is too easy to spoof (especially if we follow the rest of the spec and
broadcast our device ids in urls - see next point below). In general,
security through obscurity is not secure.
The current protocol raises a number of issues, not least of which is
the lack of security. Using a short PIN as the only means of
identifying the association between a user and a device is
** The URLs
There is a general problem with the form of urls which include the
device id as part of the path. Even though the request itself is
encrypted via HTTPS, the request url itself is not. This effectively
broadcasts your device id on the internet.
The proposed spec (0.7) has URLs of the form:
Where params would be 'fm/ce1/c586/09580'
We think a canonical form of the URL should start with the resource
and API version. In this case, the resource is the tag, not the
service, as it is the tag which is created as a consequence. The rest
of the parameters should be provided in the body of the request. Also,
we should stick to REST principles and use POST for adding a tag. So
the above would be (in pseudo-HTTP):
POST /tag/1.0 HTTP/1.1
The actual locator for the individual tag resource after creation
would then be simply
Andy suggested that instead of parsing the component parts of the
service string from RadioDNS and reconstituting them in the path, we
simply take the string as is and pass that to the server. This is a
great idea that at a stroke removes a lot of complexity from the spec.