Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limitations on TDs Utilising nosec #1490

Closed
harrisonsean opened this issue May 4, 2022 · 6 comments
Closed

Limitations on TDs Utilising nosec #1490

harrisonsean opened this issue May 4, 2022 · 6 comments
Assignees
@mmccool
Labels
privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.

Comments

@harrisonsean
Copy link
Member

This issue is part of the PING privacy review w3cping/privacy-request#84

This spec currently allows TDs to set nosec without restriction, however the spec also mentions that some TDs can contain IDs that are immutable by law (in some jurisdictions) and that some TDs can be associated with personal devices. Given this it seems reasonable to require that any device with an immutable ID or that can be associated with a personal device is forbidden from using nosec as a security policy.
@github-actions github-actions bot added the needs-triage Automatically added to new issues. TF should triage them with proper labels label May 4, 2022
@sebastiankb sebastiankb added the privacy-needs-resolution Issue the Privacy Group has raised and looks for a response on. label May 4, 2022
@sebastiankb
Copy link
Contributor

sebastiankb commented May 4, 2022
edited

from today's TD call:

  • @mmccool will address this issue with a PR
  • @mmccool will also address this issue in the security TF

@sebastiankb sebastiankb added PR needed and removed needs-triage Automatically added to new issues. TF should triage them with proper labels labels May 4, 2022
@sandandsnow sandandsnow added the privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. label May 4, 2022
This was referenced May 4, 2022
Open
Closed
@w3cbot w3cbot removed the privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. label May 5, 2022
This was referenced May 9, 2022
Merged
Closed
@mmccool
Copy link
Contributor

mmccool commented May 9, 2022
edited

I am working on a PR to address this and related matters, but I am putting it into WoT Architecture since it also relates to WoT Discovery. See w3c/wot-architecture#747
Unfortunately, access controls without TLS can be bypassed, and there is a general problem with using TLS on private networks, e.g. in the home. TLS can be set up in private networks with some difficulty but this is most appropriate in institutional environments, i.e. a factory. Many hubs etc. for the Smart Home don't support it in particular (due to lack of standards for properly setting up certs in such situations in a not-painful way). Please look at the above PR and let me know (by commenting on that PR) if it addresses this issue. I am attempting to codify some stronger statements about protecting remote access over the internet in particular.

@mmccool
Copy link
Contributor

mmccool commented May 16, 2022
edited

Some updated S&P considerations have been merged into Architecture, please review. I am doing a cleanup pass so let me know if you spot anything that needs to be addressed. See w3c/wot-architecture#753

@sebastiankb
Copy link
Contributor

from today's TD call:

@harrisonsean
Copy link
Member Author

These updates look good to me, closing the issue

@sebastiankb
Copy link
Contributor

perfect, thanks

@plehegar plehegar added privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response. and removed privacy-needs-resolution Issue the Privacy Group has raised and looks for a response on. labels Oct 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmccool mmccool

Labels
privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@plehegar @mmccool @sebastiankb @w3cbot @sandandsnow @harrisonsean