Re: [w3ctag/design-reviews] Web of Things (WoT) Architecture 1.1 (Issue #736)

Response from WoT Security TF:
1. The "Security Best Practices" document was meant to contain a set of non-normative statements about security such as the best version of TLS to use, when to use it, etc., but these have been superseded by the normative statements about these in the current version of the deliverables (TD, Architecture, Discovery, and Profiles). We were going to update the "Security Best Practices" document, but as it seems redundant at this point, we will remove reference to this document by the CR transition. **ACTION: Remove references to "Security Best Practices" in normative documents.**
2. The "Security and Privacy Guidelines" document was unfortunately not defined as a normative deliverable in our last charter.  We might want to consider making it normative in our next charter and consolidating normative assertions about security and privacy in it, but can't do so according to our current charter.  It's true this document has not been updated in a while but it currently makes general statements which are still correct.  Being informative, we were also planning to update it after the current normative deliverables are in CR but prior to PR.  **ACTION: Review and update prior to PR transition of other deliverables.**
3. References to "Security and Privacy Guidelines" should note that it is an informative document.  **ACTION: Update references to ensure that all references to "Security and Privacy Guidelines" are informative.**
4. The "Security and Privacy Guidelines" document, however, was also used as a place to put testing recommendations for security. In general we will be reviewing assertions prior to CR transition and making sure they are testable statements about implementations and not statements about policy. For example, a statement about "Identifiers SHOULD be rotated" should probably be "Implementations SHOULD provide a means to rotate identifiers." We would like to somehow make statements about recommended policies but these are hard to test in an implementation as they depend on usage of systems not available at release time (unfortunately). But at least we can make sure the suggested policy is *possible*. **ACTION: Review and update security and privacy assertions so they are testable statements about implementations.**


-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/736#issuecomment-1187325252

Message ID: <w3ctag/design-reviews/issues/736/1187325252@github.com>

Received on Monday, 18 July 2022 12:46:38 UTC