Requirements template - Please add a security checklist #78

Open
mlagally opened this issue Mar 26, 2020 · 8 comments

@mlagally
Contributor

No description provided.

@mmccool
Contributor

mmccool commented Apr 20, 2020

We talked about this as well today in the Security TF call: see w3c/wot-security#168

I think at the very least the requirements template should include a "Security and Privacy Considerations" section. It can be free-form for now, but as we work through each use case we can add some structure (eg for authentication requirements, once the lifecycle is defined we can indicate when and where we need authentication in reference to it).

@mmccool
Contributor

mmccool commented Apr 20, 2020

By "checklist" I assume you want to know whether we need authentication, confidentiality, access controls, etc. In that case, we perhaps want to put a free-form "Security and Privacy Considerations" section in each use case and derive detailed requirements from that.

@mmccool
Contributor

mmccool commented Apr 20, 2020

At any rate, let me add this to the security meeting agenda for next week... in the meantime let's discuss here exactly what is needed.

@mlagally
Contributor Author

@mmccool This was coming out of an architecture discussion we had together. I think we should add two sections:

  1. Security considerations
  2. Privacy considerations

These sections can be free-form for now and the content can be a brief paragraph raising the main issues. When we define the requirements we have to go down to more detail.

@mlagally
Contributor Author

If the security group comes up with a more detailed checklist, we should add that as well.

@mmccool
Contributor

mmccool commented Apr 27, 2020

My suggestion (to implement immediately):

  1. Add both a security and privacy "considerations" section to the use case template (and to all existing use cases).
  2. Add both a security and privacy "requirements" section to the requirement template. Note: these should list needed features but not necessarily concrete implementations (eg they should say "needs support for scoped authorizations" not "needs OAuth2").

Later on, we need to do:

  3. A list of questions to ask when looking at considerations and requirements, similar to https://www.w3.org/TR/security-privacy-questionnaire/ (and we can extract the relevant ones from this as a starting point, although there may be additional issues we have to address) -> put in wot-architecture/USE-CASES/security-questions.md
  4. A table indicating which concrete implementations (eg OAuth2) satisfy which requirements (eg "scopes"). This table should go into the security best practices document. Need to define two axes: schemes, and features. Features can be extracted from requirement documents.

DE: Consider assets, domains, and flows. Fits under "list of questions", e.g. one question could be "What are the assets?" etc.
McCool: to do PR for 1 and 2.

@mlagally
Contributor Author

mlagally commented Dec 17, 2020

Arch call on 17.12.
This was done some time ago.
Need to revisit 3 and 4.

@mlagally mlagally transferred this issue from w3c/wot-architecture Dec 17, 2020
@mlagally
Contributor Author

mlagally commented May 4, 2021

@mmccool
The points 3 and 4 from above need a bit of further work. I removed the "done" label and deferred it to the 2.0 publication.
