Closed mmccool closed 2 years ago
Other possible S&P considerations:
Comments (from discovery call):
Kaz mentioned some recent discussion in the DID group on a similar topic, we should look at that.
Some related issues where we have already raised some of these points:
Useful to review the JSON Path draft from IETF, apparently they addressed some of the security issues in the original (e.g. limiting the power of legal JS expressions): https://ietf-wg-jsonpath.github.io/draft-ietf-jsonpath-jsonpath/
Some confusion between DoS and DDoS that needs to be cleared up. DoS is attacking a service directly to bring it down or deny it to other people (e.g. a Directory service). DDoS is compromising a device and using it to launch DoS attacks on other devices. For Directories a direct DoS attack could take the form of a pathologically expensive query.
Need to:
Maybe add note about use of object security in unencrypted networks, e.g. .local domains that can't use normal TLS?
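An added example, not code from the WoT Discovery project or this issue thread, of how a Directory could refuse a pathologically expensive JSONPath query before evaluating it. The limits, the rejection of script expressions, and the single permitted filter form (`@.member <op> literal`) are assumptions constructed for illustration; a real directory would tune them to its evaluator.

```python
import re

# Constructed limits for this example; tune to the directory's cost model.
MAX_QUERY_LEN = 256   # total characters
MAX_DESCENTS = 1      # each '..' can walk the entire directory document
MAX_WILDCARDS = 2     # each '*' fans out over every child
MAX_FILTERS = 1       # each ?() is re-evaluated for every candidate node

# A filter body may only compare one member path of the current node (@)
# with a single literal, e.g.  @.title == 'lamp'  or  @.version >= 2
FILTER_RE = re.compile(
    r"^@(\.[A-Za-z_][A-Za-z0-9_]*)+\s*(==|!=|<=|>=|<|>)\s*"
    r"('[^']*'|-?\d+(\.\d+)?|true|false|null)$"
)

class UnsafeQuery(ValueError):
    """Raised for a query the directory refuses to evaluate."""

def check_jsonpath_query(query: str) -> dict:
    """Return a small cost summary for an acceptable query, else raise UnsafeQuery."""
    if len(query) > MAX_QUERY_LEN:
        raise UnsafeQuery("query too long")
    if not query.startswith("$"):
        raise UnsafeQuery("query must start at the root ($)")
    # Script expressions from the original JSONPath, e.g. $..book[(@.length-1)],
    # evaluate host-language code; refuse them outright.
    if re.search(r"\[\s*\(", query):
        raise UnsafeQuery("script expressions are not allowed")
    filters = re.findall(r"\?\(([^)]*)\)", query)
    if len(filters) > MAX_FILTERS:
        raise UnsafeQuery("too many filter expressions")
    for body in filters:
        # Function calls, nested parentheses, and/or combinations all fail to
        # match and are rejected: the guard errs on the side of refusal.
        if not FILTER_RE.match(body.strip()):
            raise UnsafeQuery(f"unsupported filter expression: {body!r}")
    descents = query.count("..")   # counts '..' inside literals too (conservative)
    wildcards = query.count("*")
    if descents > MAX_DESCENTS:
        raise UnsafeQuery("too many recursive-descent segments")
    if wildcards > MAX_WILDCARDS:
        raise UnsafeQuery("too many wildcard segments")
    return {"descents": descents, "wildcards": wildcards, "filters": len(filters)}

def is_rejected(query: str) -> bool:
    """Convenience wrapper: True if the guard refuses the query."""
    try:
        check_jsonpath_query(query)
    except UnsafeQuery:
        return True
    return False
```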
Going to close since I created the new issue https://github.com/w3c/wot-discovery/issues/254 in the Discovery repo for this. I could have transferred this issue (the discussion points here are still relevant) but want to consolidate, not create a duplicate.
See here for the labelled issues:
Deadline: update of security guidelines for July 2021, possibly WoT Discovery document updates to Security and Privacy considerations section.