Finding a place to put the security paragraph in the bindings chapter #643
Comments
I am not sure what I should do here; finding a place for this text should not be my job but rather that of someone from security or someone with a good understanding of the entire document. I have only reviewed the part that was related to "me".
So, I'm currently trying to clean up/consolidate some stray security considerations in the TD spec that overlap with some stuff we have been working on in parallel in the S&P section. It would be good in general to at least add these to an explicit Security Considerations section in the document (used for security review), rather than in paragraphs here and there. For now I've marked this with the "security" label so it will pop up when the Security TF looks for labelled issues. Yes, Binding Templates is not technically normative, so wide review is not a technical requirement, but it would be good to use a consistent structure.
Took off the security-needs-resolution label; that is for security reviewers, not us.
@mmccool @egekorkan
For now it seems that this section has been removed so as not to clutter up Architecture. In general there might be security details needed for bindings (e.g. how do you indicate that a password is required for MQTT access? The "basic" security scheme? Even though this is the term used for HTTP, not MQTT?), but it's not necessary to say much about that in the Architecture document. Probably. In the longer run TD 2.0 should probably have protocol-specific security schemes included with the vocabulary extension for the protocol binding, but we don't have time in this round to revamp this. Discussed in the Security Call on 11 July: ok to leave it as is (no mention of security here), but a short paragraph along the lines of "Security: A Binding Template may indicate how protocol-specific security is configured and how to use existing security scheme definitions." would also be ok to add.
I added the propose-closing label. Note that I cannot remove the security-needs-resolution label since it is supposed to be added by security reviewers, not us. But this is NOT a wide review topic, just an organizational one.
Arch call on Sept 22nd. Agreed to close.
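The paragraph quoted from the spec in the issue description says the information needed to apply a security mechanism "may be given within the general metadata of the Thing and/or specialized for each Interaction Affordance or form", and the comment above asks how a binding would indicate that a password is required. The following is an added example, not code from this issue, the Architecture document or the TD spec: a minimal Thing Description using the TD 1.0 vocabulary (`securityDefinitions`, a Thing-level `security` default, and a form-level `security` member that replaces that default for one form), together with a resolver that computes the effective security for a given form and rejects scheme names that were never declared. The Thing, its hostnames and the scheme names (`basic_sc`, `bearer_sc`, `nosec_sc`) are constructed for illustration; the "form-level overrides Thing-level" rule is the TD 1.0 one and is an assumption if applied to any other version.

```javascript
// Added example (not from the WoT Architecture issue or the TD spec).
// A constructed TD 1.0 Thing Description in which security is given both as
// Thing-level metadata and specialised per form, plus a resolver for the
// effective security of one form. Hostnames and scheme names are made up.

const td = {
  "@context": "https://www.w3.org/2019/wot/td/v1",
  "title": "ExampleSensor",
  // Every scheme a form may reference must be declared here first.
  "securityDefinitions": {
    "basic_sc":  { "scheme": "basic",  "in": "header" },
    "bearer_sc": { "scheme": "bearer", "in": "header", "format": "jwt", "alg": "ES256" },
    "nosec_sc":  { "scheme": "nosec" }
  },
  // Thing-level default: applies to every form that does not say otherwise.
  "security": ["basic_sc"],
  "properties": {
    "temperature": {
      "type": "number",
      "forms": [
        // No "security" member: inherits the Thing-level default (basic_sc).
        { "href": "https://sensor.example/temperature" },
        // Specialised for this form: a bearer token is required instead.
        { "href": "https://sensor.example/temperature", "security": ["bearer_sc"] }
      ]
    },
    "status": {
      "type": "string",
      "forms": [
        // Explicitly unauthenticated endpoint (must still be declared via nosec).
        { "href": "https://sensor.example/status", "security": ["nosec_sc"] }
      ]
    }
  }
};

// Returns the list of security definitions (name + declared fields) that must
// ALL be satisfied to use the given form. A form-level "security" member
// replaces the Thing-level list in full; the two are not merged.
function effectiveSecurity(td, affordanceType, name, formIndex) {
  const affordance = (td[affordanceType] || {})[name];
  if (!affordance) throw new Error(`unknown ${affordanceType} '${name}'`);
  const form = (affordance.forms || [])[formIndex];
  if (!form) throw new Error(`no form ${formIndex} on '${name}'`);

  const names = form.security !== undefined ? form.security : td.security;
  // TD allows either a single name or an array of names.
  const list = Array.isArray(names) ? names : [names];

  const defs = td.securityDefinitions || {};
  for (const n of list) {
    // Referencing an undeclared scheme is a TD error; refuse rather than
    // silently treating the form as unprotected.
    if (!Object.prototype.hasOwnProperty.call(defs, n)) {
      throw new Error(`security scheme '${n}' is not in securityDefinitions`);
    }
  }
  return list.map(n => ({ name: n, ...defs[n] }));
}

// True when at least one effective scheme is something other than "nosec",
// i.e. a Consumer must present credentials of some kind to use the form.
function requiresCredentials(td, affordanceType, name, formIndex) {
  return effectiveSecurity(td, affordanceType, name, formIndex)
    .some(s => s.scheme !== "nosec");
}

// Stand-alone usage: print the effective security of every form.
for (const [propName, prop] of Object.entries(td.properties)) {
  prop.forms.forEach((form, i) => {
    const schemes = effectiveSecurity(td, "properties", propName, i).map(s => s.name);
    console.log(`${propName}[${i}] ${form.href} -> ${schemes.join(", ")}`);
  });
}
```

The point of the resolver is the override rule: a form that carries its own `security` member is not "Thing-level plus this", it is "this only", so a form that wants both a password and a token must list both names itself. Whether the `basic` scheme is the right vocabulary for an MQTT password, as the comment above asks, is exactly what a protocol binding would need to pin down; the resolver only tells you which declared schemes apply.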
Currently, there is the following part in the spec at https://w3c.github.io/wot-architecture/#sec-binding-templates:
Security mechanisms can be applied at different layers of the communication stack and might be used together, often to complement each other. Examples are (D)TLS [RFC8446]/[RFC6347], IPSec [RFC4301], OAuth [RFC6749], and ACE [RFC7744]. Due to the cross-cutting nature of security, the necessary information to apply the right mechanism may be given within the general metadata of the Thing and/or specialized for each Interaction Affordance or form.
In PR #615 I have removed it from the Binding Templates section, since it does not make any sense to put it under Binding Templates. It should be in its own section. My reasons: