Add informative text defining use of proxy-to link relation type #1670

Closed
benfrancis opened this issue Aug 17, 2022 · 6 comments · Fixed by #1821
Labels
Editorial Issues with no technical impact on implementations Review for CR transition Security

Comments

@benfrancis
Member

First raised in #1324.

The proxy-to link relation type recommended in the table in section 5.3.4.1 Link is not defined anywhere.

The table references the W3C WoT Security and WoT Binding Templates documents, but I can't find a definition in either of them.

Unless a definition can be found (or added to the WoT Thing Description specification), I suggest removing this line from the table.

@github-actions github-actions bot added the needs-triage Automatically added to new issues. TF should triage them with proper labels label Aug 17, 2022
@sebastiankb
Contributor

@mmccool would this be OK, or should we keep it, since we also have it in TD 1.0?

@sebastiankb sebastiankb removed the needs-triage Automatically added to new issues. TF should triage them with proper labels label Sep 12, 2022
@sebastiankb
Contributor

Based on yesterday's discussion: label it as at-risk, and if there is no veto during the CR phase we will remove it.

@mmccool
Contributor

mmccool commented Sep 21, 2022

OK with that, but we probably do need to add some informative text if we keep it, to avoid ambiguity with "proxy" field in securityDefinitions. Probably this link type should be used in "virtual Things" acting as a proxy/shadow for another thing.

@mmccool mmccool changed the title The proxy-to link relation type is not defined anywhere Add informative text defining use of proxy-to link relation type Sep 21, 2022
@mmccool mmccool added the Editorial Issues with no technical impact on implementations label Sep 21, 2022
@mmccool mmccool self-assigned this Sep 21, 2022
@mmccool
Contributor

mmccool commented Sep 26, 2022

The Security TF is looking at this, but we did not get to it this week, and next week the mtg will be cancelled due to the plugfest. However, I will explicitly put it on the agenda for the week after next.

@mmccool
Contributor

mmccool commented Oct 10, 2022

Discussion (Security TF 2022.10.10)

  • Security TF Members still need to look at it in more depth... if they have more comments they can add them here, these should be considered my thoughts for now, although we did discuss this issue in the meeting and took a look at the existing text in the TD spec.
  • First approximation: both make sense and can be used together.
    • The "proxy-to" link indicates WHAT is being proxied
    • The "proxy" field in the security scheme is used to provide security metadata for the proxy itself, e.g. what kind of authentication is needed, that is, HOW to connect to the proxy itself.
    • So if you do have a proxy, you could reasonably use both.
  • We do lack even one implementation, however, let alone two. However, Intel implemented a proxy service and could provide at least one that also uses proxy-to.
  • HOWEVER: This table itself is not part of an assertion, and each row in the table is NOT marked as an assertion.
    • Therefore we have no test data for these, and I expect that if we did, a lot of the others would also be at-risk.
    • My understanding was that this table was a list of example values for the rel field in link, but was not a closed set (e.g. others could be used).
    • However, the text right before the table uses the word "recommended" but it is not an RFC2119 assertion. So we could also change this text to say "for example" instead of "recommended" if we are not going to use assertions here.
    • At this point I think it is impractical to convert every row in this table to an assertion.
  • The last point said, some informative text would be helpful for proxy-to, e.g. in the table, comparing it to "proxy" in the SecurityScheme.
    • Something like the following additional sentence could be added to the description of "proxy-to" in the table: "Additional security metadata may be provided using the "proxy" field in a SecurityScheme."
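
Added example (not part of the thread or of the WoT specifications): a small Python check that reads a Thing Description and separates the `proxy-to` links (WHAT is proxied) from security schemes carrying a `proxy` field (HOW to reach the proxy), as distinguished in the discussion above. The sample TD, its URLs, and the two review findings are constructed assumptions, not rules from the TD specification.

```python
import json

# Constructed sample TD for a hypothetical "virtual Thing" shadowing another Thing.
# All titles and URLs are placeholders.
SAMPLE_TD = json.loads("""
{
  "@context": "https://www.w3.org/2022/wot/td/v1.1",
  "title": "LampShadow",
  "securityDefinitions": {
    "proxy_sc": {"scheme": "basic", "in": "header",
                 "proxy": "https://proxy.example.com/"},
    "endpoint_sc": {"scheme": "bearer", "in": "header"}
  },
  "security": ["proxy_sc", "endpoint_sc"],
  "links": [
    {"rel": "proxy-to", "href": "https://lamp.example.net/td"},
    {"rel": "service-doc", "href": "https://example.com/manual.pdf"}
  ]
}
""")


def proxy_summary(td):
    """Separate WHAT is proxied (links) from HOW to reach the proxy (security)."""
    # "rel" may be absent on a link; only an exact "proxy-to" value counts.
    targets = [l["href"] for l in td.get("links", []) if l.get("rel") == "proxy-to"]
    # A scheme carrying "proxy" describes access to the proxy, not the endpoint.
    schemes = {n: s for n, s in td.get("securityDefinitions", {}).items()
               if "proxy" in s}
    findings = []  # added review heuristics (assumptions), not spec assertions
    if targets and not schemes:
        findings.append("proxy-to link present but no security scheme has a 'proxy' field")
    for name, s in schemes.items():
        if s.get("scheme") == "nosec":
            findings.append(f"{name}: proxy {s['proxy']} declared with nosec")
    return {"proxied": targets,
            "proxy_access": {n: (s["proxy"], s.get("scheme")) for n, s in schemes.items()},
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(proxy_summary(SAMPLE_TD), indent=2))
```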

@sebastiankb
Contributor

@mmccool

> The last point said, some informative text would be helpful for proxy-to, e.g. in the table, comparing it to "proxy" in the SecurityScheme.

Are you going to provide a PR for it?


3 participants