Updates to "Security and Privacy Guidelines" (omnibus)

[mmccool]

The "Security and Privacy Guidelines" document has not been updated for a couple years and should be to take account of the new assertions in the new deliverables, and the removal of the Best Practices document (see Issue #208).

See also See also TAG Review of Architecture

[mmccool]

As suggested by @j1y3p4rk I have started a PR were we can collect suggested changes and review comments: PR 210.

To create the PR I had to make a minor change to the doc, so I added a comment the HTML header. We can remove it before merging assuming we make other changes.

[mmccool]

Some things I noticed need fixing:

• Says WoT is declarative, not prescriptive, but some parts now prescriptive
• Does not mention Discovery at all
• Mentions DoS as a threat, but not DDoS
• Intro section is quite weak, does not define security, and ignores privacy
• Lifecycle needs to be aligned with Arch (or just reference it)

[mmccool]

• No references after 2019 (of course), things like OWASP guidelines are published annually
• Should reference protocol bindings for other protocols rather than focusing on CoAP/HTTP/MQTT
• No mention of DID, SSI, other key distribution mechanisms

[mmccool]

Discussion in Security TF call Jan 30:

• End-to-end security mentions TD signing, but we have no good way to do that
• "Secure practices for..." is a bit redundant, can simplify titles
• "Requirements" section is not really requirements, consider a different name (perhaps "Analysis")
• Protocol-specific comments in secure transport really about TLS/DTLS, which are a separate layer from protocols (e.g. can have OPC UA over these secure transports, too...)
• Need to refactor to figure what goes where in new charter; a lot of overlap with security and privacy considerations in other documents, lifecycle is out of place, etc.
• Can we fix anything in this charter, or do we have to wait until the next charter?
• Quick fixes:
  • Update references, esp IETF versions, OWASP, e.g. things that are normally updated (Jiye) https://github.com/w3c/wot-security/issues/206
  • Mention new deliverables - Discovery & Profiles, and Arch 1.1 and TD 1.1 (McCool) https://github.com/w3c/wot-security/issues/211
  • Revise abstract to be more in line with Architecture wrt "descriptive" vs. "prescriptive", and generally position the document better (McCool) https://github.com/w3c/wot-security/issues/215
  • Expand the (currently very short) intro section (Jan) https://github.com/w3c/wot-security/issues/214
  • Rename "Requirements" section (-> Analysis) (Jiye) https://github.com/w3c/wot-security/issues/213
  • Add DDoS threat (McCool) https://github.com/w3c/wot-security/issues/212
  • See what's going on with Lifecycle; was it supposed to have been moved to Arch and we just didn't delete it here yet? (McCool) https://github.com/w3c/wot-security/issues/192

[mmccool]

Other:

• Maybe add a workitem to "align security and privacy considerations across deliverables" to next WG charter? These should be aligned with the "best practices" mentioned in the S&P Guidelines. In the short term, probably can't do that justice with a full reorg, but we should at least check for contradictions and fix them. (McCool - to wot repo for charter draft)

[j1y3p4rk]

Additional comments:

• Need to update 'Chapter 5, References to Existing Security Best Practices'. As written in EDITOR'S NOTE, we don't need to have all references listed.
• In chapter 7.1, I suggest to change

In case it is not possible to pre-provision any of the types of credentials described above during the network setup phase or if the WoT Thing wants to use a more fine-grained access control policy on the WoT Interfaces it is exposing (for example, different controls might require different levels of authorization), the following methods can be used instead:

to

If the WoT Thing wants to use a fine-grained access control policy on the WoT Interfaces it is exposing (for example, different controls might require different levels of authorization), the following methods can be used instead:

as the types of credentials described above are nothing to do with access control.

[mmccool]

Survey of Risks mentioned in various deliverables - we should make sure these are consistent with the Threats in the guidelines document (at least one is missing, DDoS):

Discovery:

• Security
  • 8.1Denial of Service
  • 8.2Amplification and Distributed Denial of Service
  • 8.3Self-Discovery on LANs
• Privacy
  • 9.1Location Tracking and Profiling
  • 9.2Query Tracking

Thing Description

• Security
  • TD Interception and Tampering
  • 10.2Context Interception and Tampering
  • 10.3Limited Duration Accesses
  • 10.4Vulnerability Auditing
  • 10.5Script Injection
  • 10.6JSON Parsing
  • 10.7JSON-LD Expansion
• Privacy
  • 11.1 Context Fetching
  • 11.2 Immutable Identifiers
  • 11.3 Fingerprinting
  • 11.4 ID Metadata
  • 11.5 Globally Unique Identifiers
  • 11.6 Inferencing of Personally Identifiable Information

Architecture

• Security
  • 10.1.1Thing Description Private Security Data Risk
  • 10.1.2Thing Description Communication Metadata Risk
  • 10.2.1Cross-Script Security Risk
  • 10.2.2Physical Device Direct Access Risk
  • 10.3.1Provisioning and Update Security Risk
  • 10.3.2Security Credentials Storage Risk
  • 10.4Trusted Environment Risks
  • 10.5Secure Transport
• Privacy
  • 11.1.1Thing Description Personally Identifiable Information Risk
  • 11.2Access to Personally Identifiable Information

[mmccool]

Test link to threat in S&P Guidelines: https://w3c.github.io/wot-security/#dfn-malicious-authorized-solution-user
See https://github.com/w3c/wot-security/issues/222

[mmccool]

Factor out the above survey of considerations in to a separate file: https://github.com/w3c/wot-security/pull/233

[mmccool]

Close this issue, but factor out into other small issues. A number of the things discussed here have already been taken care of. Above PR captures survey. Here is a consolidated list of all the discussion points that have not yet been addressed or for which an issue has not be created:

• Should reference protocol bindings for other protocols rather than focusing on CoAP/HTTP/MQTT
• No mention of DID, SSI, other key distribution mechanisms
• End-to-end security mentions TD signing, but we have no good way to do that
• Protocol-specific comments in secure transport really about TLS/DTLS, which are a separate layer from protocols (e.g. can have OPC UA over these secure transports, too...)
• Need to refactor to figure what goes where in new charter; a lot of overlap with security and privacy considerations in other documents, lifecycle is out of place, etc.

Will create one issue just for these points, close this issue.

Here are some points we have outstanding issues for:

• (abstract) Says WoT is declarative, not prescriptive, but some parts now prescriptive
• No references after 2019 (of course), things like OWASP guidelines are published annually
• Does not mention Discovery at all
• Intro section is quite weak, does not define security, and ignores privacy
• Lifecycle needs to be aligned with Arch (or just reference it)

Here are some points that we have already addressed:

• Mentions DoS as a threat, but not DDoS
• "Secure practices for..." is a bit redundant, can simplify titles
• "Requirements" section is not really requirements, consider a different name (perhaps "Analysis")

[mmccool]

content has been reorganized into other issues/PRs.