[w3ctag/design-reviews] WIP: Web of Things (WoT) Thing Description 1.1 - Security Review (Issue #715)

Braw mornin' TAG!

**NOTE: This Issue is WIP, do not initiate a security review yet.  We are collecting materials still and waiting on a few items to clear, such as a WD update.**

I'm requesting a TAG review of the Web of Things (WoT) Thing Description 1.1.

WIP: [One paragraph summary of idea, ideally copy-pasted from Explainer introduction]

  - Explainer¹ (minimally containing user needs and example code): WIP
  - Specification URL: WIP (WD in process)
  - Tests: [Testing process (WIP) in GitHub](https://github.com/w3c/wot-testing); see also the [draft implementation report](https://w3c.github.io/wot-thing-description/testing/report.html)
  - User research: [Use cases](http://w3c.github.io/wot-usecases/) (includes stakeholder input)
  - Security and Privacy self-review²: [WIP](https://github.com/w3c/wot-thing-description/pull/1382)  
  - GitHub repo (if you prefer feedback filed there): [repo](https://github.com/w3c/wot-thing-description)
  - Primary contacts (and their relationship to the specification):
      - [Sebastian Kaebisch](@sebastiankb), Siemens
      - @takuki
      - @mmccool
      - @vcharpenay
  - Organization(s)/project(s) driving the specification: N/A
  - Key pieces of existing multi-stakeholder review or discussion of this specification: see use case document above
  - External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): N/A

Further details:

  - [ ] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - Relevant time constraints or deadlines: [please provide]
  - The group where the work on this specification is currently being done: WoT WG
  - The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): WoT WG
  - Major unresolved issues with or opposition to this specification: None (WIP: may want to link to outstanding issues in tracker that have been pushed to TD 2.0)
  - This work is being funded by: members

You should also know that...

- [Previous review of 1.0 version](https://github.com/w3ctag/design-reviews/issues/357)

In the Thing Description 1.1 specification, text and table entries highlighted with a yellow background will indicate a feature associated with an at-risk assertion for which insufficient implementation experience exists. When an entire section is at-risk the words "This section is at risk." will be placed at the start of the section and highlighted with a yellow background.

- The [WoT Security and Privacy Considerations](https://github.com/w3c/wot-security/) document provides extra discussion of security with an IoT focus.
- The related [WoT Architecture 1.1](https://github.com/w3c/wot-architecture) document is being submitted for TAG review at the same time.
- The related [WoT Discovery](https://github.com/w3c/wot-discovery) document will be submitted for TAG review shortly.
- The related [WoT Profile](https://github.com/w3c/wot-profile) document will be submitted for TAG review shortly.

There are also some related informative documents:
- The [WoT Binding Templates](https://github.com/w3c/wot-binding-templates) informative WG Note describes an optional WoT building block.  This Note explains how to use the WoT Thing Description for specific IoT protocols.
- The [WoT Scripting API](https://github.com/w3c/wot-scripting-api) informative WG Note describes an optional WoT building block, and describes a JS API that can be used to implement behaviour in a WoT Thing (exposing a network API described by a WoT Thing Description) or a device consuming (reading) a WoT Thing Description.
- The [WoT Use Cases and Requirements](https://github.com/w3c/wot-usecases) informative WG Note includes a collection of stakeholder-submitted use cases driving requirements.

During the TAG review period, we plan to update the test results in the implementation report to reduce the number of at-risk assertions as much as possible before CR submission.  The link above refers to the master branch of the repository, not the TAG-review branch.

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  🐛 open issues in our GitHub repo for **each point of feedback**

------------------------------------------------------------------------------------
WIP!  Will delete below only once this issue is complete and the referenced documents are ready for review.

CAREFULLY READ AND DELETE CONTENT BELOW THIS LINE BEFORE SUBMITTING

Please preview the issue and check that the links work before submitting.

In particular, if anything links to a URL which requires authentication (e.g. Google document), please make sure anyone with the link can access the document. We would prefer fully public documents though, since we work in the open.

¹ We require an explainer to give the relevant context for the spec review, even if the spec has some background information. For background, see our [explanation of how to write a good explainer](https://tag.w3.org/explainers/). We recommend the explainer to be in [Markdown](https://github.github.com/gfm/).

² A Security and Privacy questionnaire helps us understand potential security and privacy issues and mitigations for your design, and can save us asking redundant questions. See https://www.w3.org/TR/security-privacy-questionnaire/.



https://github.com/w3ctag/design-reviews/issues/715


Received on Monday, 14 February 2022 13:51:48 UTC