Closed mmccool closed 8 months ago
As suggested by @j1y3p4rk I have started a PR were we can collect suggested changes and review comments: PR 210.
To create the PR I had to make a minor change to the doc, so I added a comment the HTML header. We can remove it before merging assuming we make other changes.
Some things I noticed need fixing:
Discussion in Security TF call Jan 30:
Other:
Additional comments:
In case it is not possible to pre-provision any of the types of credentials described above during the network setup phase or if the WoT Thing wants to use a more fine-grained access control policy on the WoT Interfaces it is exposing (for example, different controls might require different levels of authorization), the following methods can be used instead:
to
If the WoT Thing wants to use a fine-grained access control policy on the WoT Interfaces it is exposing (for example, different controls might require different levels of authorization), the following methods can be used instead:
as the types of credentials described above are nothing to do with access control.
Survey of Risks mentioned in various deliverables - we should make sure these are consistent with the Threats in the guidelines document (at least one is missing, DDoS):
Discovery:
Thing Description
Architecture
Test link to threat in S&P Guidelines: https://w3c.github.io/wot-security/#dfn-malicious-authorized-solution-user
See https://github.com/w3c/wot-security/issues/222
Factor out the above survey of considerations in to a separate file: https://github.com/w3c/wot-security/pull/233
Close this issue, but factor out into other small issues. A number of the things discussed here have already been taken care of. Above PR captures survey. Here is a consolidated list of all the discussion points that have not yet been addressed or for which an issue has not be created:
Will create one issue just for these points, close this issue.
Here are some points we have outstanding issues for:
Here are some points that we have already addressed:
content has been reorganized into other issues/PRs.
The "Security and Privacy Guidelines" document has not been updated for a couple years and should be to take account of the new assertions in the new deliverables, and the removal of the Best Practices document (see Issue #208).
See also See also TAG Review of Architecture