A

Account Management

Via the Cloud Server, Example enables a user to create an account through which the user is able to manage their network of devices. This includes:

• Adding and removing devices.
• Classifying devices.
• Describing devices.
• Enabling applications to have access to devices and data, as well as updating application's access to data and devices.

Reference: Account Management (Differentiated Example Features)

Application (Cloud Security)

The Example Account Service controls how apps access both DeviceData and a user's devices. An application requests access to a user's account using the OAuth 2.0 protocol. The Example Account Service acts as the OAuth defined authorization server.

• If the User provides permission for the App to access its devices, the Example Account Service will provide the App an Access token which the App will present to the device or server that holds DeviceData.
• The App does not understand the contents of the token. These are processed by the device or the server holding the Device Data.

Reference: Application (Cloud Security)

▲ Top

B

Reference:

▲ Top

C

CaptureMode

A configuration that is specifically optimized to enable the processing of video or still images to obtain the required DeviceData.

Reference:

• Control Classes: CaptureMode
• Definition of CaptureModes
• DeviceMode: CaptureMode Table

Capture Control API

The Capture Control API enables the frame level switching of sensor configurations, lighting, and other device controls to enable:

• The most optimum capture of image and other data.
• The analysis by AI and Computer Vision systems to extract relevant information from the Device.

Reference: Capture Control API [[ TBD ]]

Chaining DeviceMarks and DeviceData (Cloud Security)

The creation of a DeviceMark entails the capture of DeviceData, the capture of Metadata regarding the DeviceData capture, and then augmenting the Metadata by performing an analysis of the DeviceData and already generated Metadata to create new Metadata.

• A DeviceMark may be constructed over time by different systems.
• The DeviceMark may be appended to years after the original DeviceData was captured.
• For example if a particular Device has high importance and a new algorithm becomes available it may make sense to append the output of the new algorithm to the existing DeviceMark for that Device.

Reference: Data (Cloud Security)

Cloud API

The Cloud API enables applications to access a User’s account through a map of available devices that are associated with the account. This includes descriptions of the views that the devices are capturing and the spatial relationships between devices. It enables applications to:

• Identify devices which are relevant to the application.
• Set DeviceModes for these devices.
• Consume DeviceMarks that are generated by the DeviceModes.
• The Application can switch the DeviceMode to enable the extraction of data most relevant to the Application.

Reference:

• Cloud API
• APP Service APIs
• Web Services APIs

Cloud Security

To ensure the security of Example data of any sensitive nature, there are several aspects relating to security that need to be handled by the Example specification. The major security assets in the system are the user's account, the devices, data (DeviceMarks and DeviceData) and Applications. Example Cloud Security consists of the following four areas: User Account, Data, Application, and Processing of JSON Structures.

Reference:

• Cloud Security: Overview
• User Account
• Data
• Application
• Processing of JSON Structures

▲ Top

D

Data (Cloud Security)

The Cloud Security Data area consists of the following three areas:

• Privacy Management System
• Roles
• Chaining DeviceMarks and DeviceData

Reference: Data (Cloud Security)

DeviceData

DeviceData comprised of the sequence of sensor image output, processed image data by local AP (e.g., cropped image of face detected), and data collected by the device synchronously with the sensor image from neiboring devices and sensors. This may be in the form of a sequence of video frames, still images, audio or other meta data.

Reference: DeviceData: Overview & DataScope

DeviceMark

DeviceMark is a specifc Device Data containing significant events or any change of the state in the data stream. These DeviceMarks may be of viewers' interests or worthy of notification.

• DeviceMarks can be generated due to detection or recognition of certain objects or movements, or due to meta data associated with the specific Device data (e.g. sound).
• Devicemarks can be generated by the device itself or Apps or Services analyzing the DeviceData stream in the cloud.

Reference: DeviceMark: Overview

DeviceMode

As found in standalone devices or device apps on the smartphone, the modes set the device to capture specific images – for example video, portrait, panoramic landscape, slow motion video, live photos, and etc.

• Similarly DeviceMode is a way to communicate between Apps and Device such that depending on the context or semantics of what's being desired to capture, an App may direct the device to capture certain or specific Device data.
• Being able to change the modes to change the Device data acquired may result in better way to analyzed the situational Device data stream as compared to simple continuous stream of video stream only.

Reference: DeviceMode: Overview

Device-based Device

Surveillance devices can be triggered by the detection of motion. This results in an "event", which can produce an overwhelming stream of events where every small motion in the field of view results in an "event". Example adds an additional layer of analysis and filtering that enables more detailed processing.

• This is based on the context defined by the DeviceMode to interprete whether a motion should constitute a Device or whether a sequence of "events" constitute a Device.
• It reduces the overall traffic of Devices to the end user to an application consuming DeviceMarks and DeviceData.

Reference: Device-based Device

DeviceMarks-based Data Acquisition

Instead of blindly trying to extract data from video (which can be expensive from a computational perspective), a DeviceMode provides:

• A context for information extraction.
• Feedback to ensure that the capture of raw data is optimized to enable the extraction of information.
• A defined workflow that provides the desired information in a compact and intelligent form.

Reference: DeviceMarks-based Data Acquisition

Device Code Signing (Device Security)

For updates of Firmware for the device, the file containing the software update shall be signed with a key that is associated with the device. The public key for the validation of the signature shall be loaded into the device either at manufacture or subsequently where it is signed using the Private key associated with the Example Licensing Authority. The signature that is generated for the code shall contain the following data fields:

• Period for which it is valid.
• A minimum version number.

Reference: Device Code Signing (Device Security)

Device Credential Management (Device Security)

Each device shall have the Example Licensing Authority Root Certificate stored in the device.

• The Credential Management Structure is signed using the Private Key of the Example Licensing Authority (as defined in the X.509 certificate stored in the device) and shall be encrypted with the unique Public Key corresponding to the Private Key of the device.
• The Device Private Key is also programmed into the device on manufacture.

Reference: Device Credential Management (Device Security)

Device Network Security (Device Security)

The Example system enables the device to have a firewall within the device itself. The implementation of the Firewall may be:

• Within a trusted execution environment.
  • This provides the highest level of security.
  • This provides a defense even when the application processor on the device has been compromised and simplifies the management of updates by enabling a single code image for security to be used on multiple device models.
  • The details of the Trusted Execution Environment are out of scope of this specification. (Options that may be implemented are Global Platform or within the Android specification (Trustee)).
• Within the application processor.

Reference: Device Network Security (Device Security)

Device Security

Example Device Security is made up of the following areas.

• Device Code Signing
• Device Credential Management
• Device Network Security
• Example Device Lifecycle

▲ Top

E

Example Device Lifecycle

The Example device has several stages in its lifecycle where different authorities have control over aspects of the device.

• At manufacture of the device the Example licensing authority provides credentials to the device that enable the device.
• The end user uses these credentials to authorize the Example Licensing Authority to enable the device to be linked to the Example Account Service Provider.
• The Example Account Service Provider is then able to download credentials to the device that allow the device to be controlled securely by a Example Service Provider or Apps that the end user allows to interact with their User Account.

Reference: Example Device Lifecycle

Example Overview

An introduction to Example that defines a standard way for devices to communicate with each other and collaborate to serve in better ways.

Reference: Example Overview

F

Fine Grain Privacy Rights Management

The Example system allows a User to define the types of data that an App can access and what the App may do with that data. For example, if the User does not wish for a person to be identified:

• The face that is detected in the video may be encrypted using a separate key.
• The identity of the face may be stored in a data field which is then encrypted with a different key.

Reference: Fine Grain Privacy Rights Management

Future Proof Reference

The Future Proof reference has become a defacto standard for the implementation of a particular function or capability. It describes a product, service or technological system that will not need to be significantly updated as technology advances. An example of such a standard is MPEG DASH (RFC 6983) where all new mobile, television, and PCs support this standard for playing back video. Examples:

• IEFT Specifications
• ISO MPEG Specifications

Reference: Future Proof Reference

▲ Top

G

Reference:

▲ Top

H

Reference:

▲ Top

I

Informative Reference

Informative references assist the user with regard to a particular subject area. For example, an informative reference might provide background or historical information. Example:

• ONIVF Specifications

Reference: Informative Reference

▲ Top

J

JSON Signing and Encryption

Any JSON object defined for Privacy Rights Management or for Network Security shall be encrypted in accordance to the JOSE Specifications external link icon for JSON encryption and authentication. The JOSE specifications refer to two types of serialization. For the purposes of Example the JWS serialization shall be used.

Reference: JSON Signing and Encryption

JSON Web Token Usage in the Example Ecosystem

The OAuth2 specification defines the process for a server to grant an access token to a client to enable the client to access a resource.

• The client presents the access token to the resource server and if the resource server determines that the token is valid the it provides access.
• OAuth2 does not specify the structure of the token or how the token is distributed to the resource server.
• RFC 7519 defines JSON Web Tokens (JWT).
• These are tokens containing required and optional fields defined in a JSON format.
• The encryption and authentication of these tokens is defined in the JOSE specifications also developed by the IETF.

Reference: JSON Web Token Usage in the Example Ecosystem

JWT (JSON Web Tokens) Format

The RFC 7519 external link icon specification defines the specific usage of fields defined in this RFC.

• The token shall be authenticated using the RS256 algorithm external link icon (RSA combined with SHA256 hash function).
• The identification of the Public Key to be used to authenticate the message shall be carried using an X.509 certificate.
• This certificate shall be validated against the Example LA root certificate.

Reference: JWT (JSON Web Tokens) Format

▲ Top

K

Keys and Credentials Management

The Example system simplifies the Credential and Key management for the end User. Devices are already shipped with keys and credentials embedded in the devices and these are updated in the field during the lifecycle of the device. This is all taken care of without the intervention of the User.

Reference: Keys and Credentials Management

▲ Top

L

Layers and Links (APIs) Architecture

DeviceModes enable the workflow for the analysis of data to be software defined, according to the DeviceMode that is defined by an application consuming data. The computation processing the data may be configured to utilize computing resources within the device or in the cloud, to enable optimum processing of data from both a cost and latency perspective.

• The Application is able to define the feedback to the capture process by controlling the DeviceMode of the system.
• This enables the application to tailor the capture process to be optimized for the data analysis that is being performed by the workflow defined by the DeviceMode.

Reference: Layers and Links (APIs) Architecture

▲ Top

M

Reference:

▲ Top

N

Normative Reference

Normative references specify documents that must be read to understand or implement the technology in the Example Specification, or whose technology must be present for the technology to work. The Normative reference standards contain provisions specified in text that constitute normative provisions of this Example Specification. Examples:

• ONVIF Specifications
• IEFT Specifications
• Other Specifications

Reference: Normative Reference

▲ Top

O

Reference:

▲ Top

P

Pipelined Data Processing

This feature provides Dynamic Edge and Cloud computing for A.I. (Artificial Intelligence), Machine Learning, Computer Vision, and Pipelined Data Encryption. The Example system enables processing to be flexibly distributed according to the capabilities at various points in the network. For example, where a device has the capability to perform facial recognition within the device, this can be configured to be performed in the device. If in the future a significant breakthrough is made in facial recognition and this algorithm is available in the cloud, the facial recognition operation can then be shifted into the cloud without requiring an upgrade to the edge device.

Reference: Pipelined Data Processing

Privacy Management System (Cloud Security)

Privacy Management enables the Example Service Provider under the instruction of the End User to control which applications may access which DeviceData or Devices. It provides fine grain control over the window of access and which data items may be accessed.

Reference: Privacy Management System (Cloud Security - Data)

Processing of JSON Structures

The Processing of JSON Structures consists of the following three areas:

• JSON Signing and Encryption
• JSON Web Token Usage in the Example Ecosystem
• JWT (JSON Web Tokens) Format

Reference: Processing of JSON Structures (Cloud Security)

▲ Top

Q

Reference:

▲ Top

R

Roles (Cloud Security)

Roles in Example Cloud Security consist of the following areas:

• Privacy Management Service
• Device
• Sensor
• Example Service Provider
• 3rd Party Application
• Data Encryption
• Privacy Objects
• Chaining DeviceMarks and DeviceData

Reference: Roles (Cloud Security - Data)

▲ Top

S

Reference:

▲ Top

T

Reference:

▲ Top

U

User Account

A Device Service Provider enables an end user or enterprise to manage their network of Example compliant devices. This management scope in detail includes:

• Adding devices to the account.
• Inputting data about the devices, for example what the device is looking at.
• Determining which 3rd party apps and services are able to make requests for Device modes, access Device data, or output feeds from devices.
• The level of access that 3rd party apps have.

Reference: User Account (Cloud Security)

▲ Top

V

Reference:

▲ Top

W

Reference:

▲ Top

X  Y  Z

Reference:

▲ Top