Update Security Requirements

[mmccool]

• Use respec links for sections as in discovery
• Use separate security and privacy requirements sections.
  • W3C generally treats them separately, but there are many requirements that overlap.
  • Privacy is about information flow and access to information (especially PII)
  • Security is more general and concerned with confidentiality but also integrity, authentication, etc.
  • At least attempt to do two sections and see if can work out labelling, etc.

Note: In general - S&P G docs does not separately list "privacy threats". For example, we don't have a "tracking" threat in the S&P G doc. So can't use exactly the same structure as with security. For now, let's focus on security and look at privacy later.

To do:

• [x] Update links to use cases using ReSpec triple-square-bracket to automatically fill in section numbers and names. Use same formatting as in proposed Discovery requirements: https://github.com/w3c/wot-usecases/pull/242. Can be used for links from categories to use cases, and from requirements to categories (or use cases).
• [ ] Populate links from categories to use cases (e.g. put each use case in one or more categories). Maybe be useful to start with a CSV table - need list of use cases for first column. Can use this as a starting point: https://github.com/w3c/wot-usecases/blob/main/USE-CASES/security-categories.csv
• [ ] Modify requirements to address specific mitigations for particular threats. Some threats may have more than one mitigation. Some mitigations may address multiple threats. Should align with existing security (and privacy) mitigations.
• [ ] Populate links from requirements to categories.
• [ ] Populate (if necessary) links from requirements to specific use cases.

[mmccool]

Let's split out privacy and look at it separately: https://github.com/w3c/wot-usecases/issues/246

[mmccool]

Also, categorization is just preliminary, we really should be asking stakeholders (e.g. initial use case contributors). Going forward, new use case template can ask for categories (or new category if an existing one is not relevant; ditto for specific requirements).

Created initial table to capture security category to use case mapping: https://github.com/w3c/wot-usecases/blob/main/USE-CASES/security-categories.csv

[mmccool]

Merged PR #249, but this PR really only establishes the formatting of the links. Also, links only added under Categories, the triple-bracket does not work to linking requirements to categories, since the latter are not in sections, so we will just use links.

Marking first item in list above as completed.

[mmccool]

Probably should split "Private Information" category into "Private Infromation" (for PII) and "Confidential Information" (e.g. business confidential). They have different requirements, e.g. GPDR and things like right-to-deletion are a PII thing, not a confidential information thing. For now will use "conf" and "pii" in that column of the table. However, business HR information would be considered PII.

[mmccool]

• Cameras are privacy risks, but only if pointed at people
• Location can be a privacy risk, but only if associated with a person
• Lifecycle management (category? Management of physical device?)
• People/not, type of damage (information, physical)