
Finding a place to put the security paragraph in the bindings chapter #643

Closed
egekorkan opened this issue Nov 22, 2021 · 7 comments
Assignees
Labels
close defer security security-needs-resolution Issue the security Group has raised and looks for a response on.

Comments

@egekorkan
Contributor

Currently, there is the following part in the spec at https://w3c.github.io/wot-architecture/#sec-binding-templates:

Security:

Security mechanisms can be applied at different layers of the communication stack and might be used together, often to complement each other. Examples are (D)TLS [RFC8446]/[RFC6347], IPSec [RFC4301], OAuth [RFC6749], and ACE [RFC7744]. Due to the cross-cutting nature of security, the necessary information to apply the right mechanism may be given within the general metadata of the Thing and/or specialized for each Interaction Affordance or form.

In the PR of #615 I have removed it from the binding templates since it does not make any sense to put it under binding templates. It should be in its own section. My reasons:

  • I do not know how I can write about this in the binding templates specification unless we rework the whole security mechanism in WoT to abstract it from protocols
  • Available security/auth mechanisms are already in the TD spec
  • The security mechanisms in the current text include lower-layer standards like TLS. These are already baked into the protocols
@egekorkan
Contributor Author

I am not sure what I should do here; finding a place for this text should not be my job, but that of either someone from the security side or someone with a good understanding of the entire document. I have only reviewed the part that was related to "me".

@mmccool mmccool added security security-needs-resolution Issue the security Group has raised and looks for a response on. labels Feb 22, 2022
@mmccool
Contributor

mmccool commented Feb 22, 2022

So, I'm currently trying to clean up/consolidate some stray security considerations in the TD spec that overlap with some stuff we have been working on in parallel in the S&P section... It would be good in general to at least add these to an explicit Security Considerations section in the document (used for security review), rather than in paragraphs here and there. For now I've marked this with the "security" label so it will pop up when the Security TF looks for labelled issues. Yes, Binding Templates is not technically normative, so wide review is not a technical requirement, but it would be good to use a consistent structure.

@mmccool mmccool removed the security-needs-resolution Issue the security Group has raised and looks for a response on. label May 30, 2022
@mmccool
Contributor

mmccool commented May 30, 2022

Took off the security-needs-resolution label; that is for sec reviewers, not us.

@w3cbot w3cbot added the security-needs-resolution Issue the security Group has raised and looks for a response on. label May 30, 2022
@mlagally
Contributor

mlagally commented Jul 4, 2022

@mmccool @egekorkan
Are there any further contributions to be expected before the PR?

@mmccool
Contributor

mmccool commented Jul 11, 2022

For now it seems that this section has been removed to not clutter up Architecture. In general there might be security details needed for bindings (e.g. how do you indicate that a password is required for MQTT access? The "basic" security scheme? Even though this is the term used for HTTP, not MQTT?) but it's not necessary to say much about that in the Architecture document. Probably. In the longer run TD 2.0 should probably have protocol-specific security schemes included with the vocab extension for the protocol binding, but we don't have time in this round to revamp this.

Discussed in Security Call 11 July: ok to leave it as is (no mention of security here) but a short paragraph along the lines of "Security: A Binding Template may indicate how protocol-specific security is configured and how to use existing security scheme definitions." would also be ok to add.
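The quoted spec paragraph says security information "may be given within the general metadata of the Thing and/or specialized for each Interaction Affordance or form", and the MQTT question above asks how a protocol-specific requirement such as a password would be expressed with the existing `basic` scheme. The following is an added example, not code from the WoT Architecture or TD specification and not from any thread participant: it walks a TD 1.1 document using the `securityDefinitions`, `security` and `scheme` members and resolves, per form, which scheme actually applies (a form-level `security` overriding the Thing-level one), flagging references to undefined schemes and actions left with `nosec`. The sample TD, its hostnames and the MQTT form are constructed for illustration.

```python
"""Resolve the effective security scheme of every form in a WoT Thing Description.

Added example; not code from the WoT TD/Architecture specs. It relies on the
TD 1.1 members `securityDefinitions`, `security` (Thing level and form level)
and `scheme`. The sample TD below is constructed for illustration.
"""
import json

# Constructed sample TD: Thing-level default is HTTP basic auth, one MQTT form
# overrides it with a separately defined basic scheme (the case raised for
# MQTT passwords), one action form uses nosec, and one form references a
# scheme name that was never defined.
SAMPLE_TD = json.loads(r"""
{
  "@context": "https://www.w3.org/2022/wot/td/v1.1",
  "title": "ExampleLamp",
  "securityDefinitions": {
    "basic_sc": {"scheme": "basic", "in": "header"},
    "mqtt_basic_sc": {"scheme": "basic"},
    "nosec_sc": {"scheme": "nosec"}
  },
  "security": ["basic_sc"],
  "properties": {
    "status": {
      "type": "string",
      "forms": [
        {"href": "https://lamp.example/status"},
        {"href": "mqtt://broker.example/lamp/status", "security": ["mqtt_basic_sc"]}
      ]
    }
  },
  "actions": {
    "toggle": {
      "forms": [
        {"href": "https://lamp.example/toggle", "security": "nosec_sc"},
        {"href": "coaps://lamp.example/toggle", "security": "missing_sc"}
      ]
    }
  }
}
""")


def _as_list(value):
    """A `security` member may be a single scheme name or a list of names."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def resolve_form_security(td):
    """Return one record per form with the scheme names that apply to it,
    the resolved `scheme` values, and any problems found while resolving."""
    defs = td.get("securityDefinitions", {})
    thing_level = _as_list(td.get("security"))
    records = []
    for kind in ("properties", "actions", "events"):
        for name, affordance in td.get(kind, {}).items():
            for form in affordance.get("forms", []):
                # Form-level `security` replaces the Thing-level default.
                names = _as_list(form.get("security")) or thing_level
                problems, schemes = [], []
                for n in names:
                    if n in defs:
                        schemes.append(defs[n])
                    else:
                        problems.append(f"undefined security scheme '{n}'")
                if not names:
                    problems.append("no security configured at any level")
                # Reviewer heuristic (assumption, not a spec rule): an action
                # that changes state should not be reachable without any scheme.
                if kind == "actions" and any(s.get("scheme") == "nosec" for s in schemes):
                    problems.append("action reachable with nosec")
                records.append({
                    "affordance": f"{kind}/{name}",
                    "href": form["href"],
                    "security": names,
                    "schemes": [s.get("scheme") for s in schemes],
                    "problems": problems,
                })
    return records


if __name__ == "__main__":
    for rec in resolve_form_security(SAMPLE_TD):
        flag = "; ".join(rec["problems"]) or "ok"
        print(f"{rec['affordance']:<18} {rec['href']:<40} {rec['schemes']} {flag}")
```

Running it on the constructed TD shows the HTTP property form inheriting `basic_sc`, the MQTT form resolving to its own `basic` definition, the `nosec` action flagged, and the dangling `missing_sc` reference reported rather than silently treated as unauthenticated.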

@mmccool
Contributor

mmccool commented Aug 24, 2022

I added the propose-closing label. Note that I cannot remove the security-needs-resolution label since it is supposed to be added by security reviewers, not us. But this is NOT a wide review topic, just an organizational one.

@mlagally
Contributor

Arch call on Sept 22nd. Agree to close.
