w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Security Best Practices for WoT Systems #102

Closed mmccool closed 5 years ago

mmccool commented 6 years ago

For systems written from scratch to support WoT, what security arrangements should we recommend? Note: WoT still needs to "descriptively" support a range of security configurations for brownfield systems. The "recommended practices" would be for new implementations. They may also change over time...

mmccool commented 6 years ago

There is a proposed session in the Bundang F2F to discuss this. We should at least go through the current "security considerations" document and summarize the best practices recommendations for security and privacy.

mmccool commented 6 years ago

We ARE going to have a Best Practices document of some kind if only to limit the scope of testing. Initially this will just be a section of the Security and Privacy Considerations document although we should break it out into a separate document eventually.

mmccool commented 6 years ago

An update on scoping: propose we focus on HTTPS-TLS, CoAPS-DTLS, and MQTT-TLS, and leave out others like CoAPS-TLS (based on CoAP over TCP) that are interesting, but add too much complexity to testing right now.

But from a security recommendation point of view, is there any particular reason to recommend CoAPS-TLS (coaps+tcp://) over CoAPS-DTLS (coaps://)?

mmccool commented 6 years ago

See https://github.com/w3c/wot-security/blob/master/wot-security-best-practices.md. Will put recommended best practices there... follow the structure of the main document, but add detail.

mmccool commented 5 years ago

We are thinking that we should instead publish a W3C Note so we can refer to this from other documents, such as the Implementation Report and the TD Spec. Any comments on that? We would also publish the Security Testing Plan as a W3C Note, and both would be separate from the Security Considerations Document. This is the clearest separation of concerns, since it avoids updating the Security Considerations (for example) if testing requirements change, but it still looks reasonably efficient (and updating a Note after the first publication is relatively easy).

draggett commented 5 years ago

Sounds good to me!

mmccool commented 5 years ago

We plan to confirm one more time in the main call that we want to do a Note for these (also for Testing Plan) and then proceed to create repos for these and start populating them.

mmccool commented 5 years ago

We agreed to do this, and also to publish a testing plan as a Note. We intend to ask for a formal resolution to publish initial versions of these as Notes during the May 8 meeting.