search

camaraproject / Commonalities

Repository to describe, develop, document and test the common guidelines and assets for CAMARA APIs
Apache License 2.0
15 stars 28 forks source link

Create a meaningful security-considerations section #218

Open AxelNennker opened 6 months ago

AxelNennker commented 6 months ago

Problem description The current security considerations just refers to CloudEvent "security". Which is basically saying "CloudEvents cares about interoperability (and not about privacy and security)".

The example they provide does not even follow their own security advice.

Data Domain specific event data SHOULD be encrypted to restrict visibility to trusted parties. The mechanism employed for such encryption is an agreement between producers and consumers and thus outside the scope of this specification.

{
    "specversion" : "1.0",
    "type" : "com.github.pull_request.opened",
    "source" : "https://github.com/cloudevents/spec/pull",
    "subject" : "123",
    "id" : "A234-1234-1234",
    "time" : "2018-04-05T17:31:00Z",
    "comexampleextension1" : "value",
    "comexampleothervalue" : 5,
    "datacontenttype" : "text/xml",
    "data" : "<much wow=\"xml\"/>"
}

Note, despite their own recommendation data is not encrypted. Neither is comexampleextension1 nor comexampleothervalue.

Expected behavior Write a meaningful security considerations section

Additional context

AxelNennker commented 4 months ago

Still meaningless "security considerations" https://github.com/camaraproject/Commonalities/blob/main/documentation/API-design-guidelines.md#security-considerations