AW: [IG-SP] Review of Security&Privacy Requirements Catalogue

I added a (forward-looking) section to capture the things discussed here in the Wiki: https://www.w3.org/WoT/IG/wiki/Security%26Privacy_Requirements_Catalogue#Next_Step



I hope this helps and things do make sense with this addition. Please let me know if anybody thinks that this is not the case.



Kind regards,

Oliver



From: Pfaff, Oliver [mailto:oliver.pfaff@siemens.com]
Sent: Tuesday, 11 August 2015 08:14
To: Claes1.Nilsson@sonymobile.com; public-wot-ig@w3.org
Subject: RE: [IG-SP] Review of Security&Privacy Requirements Catalogue



Thanks for your comments Claes!



What we can achieve here is something in the style of a "vocabulary". For example, take wearables (use case "Sports and Entertainment") and industrial control systems:

- Both may be part of WoT systems/solutions/products, according to my understanding of WoT.

- Privacy is of paramount interest for wearables but de facto irrelevant for industrial control systems.

So the final determination of the relevance of a specific security/privacy requirement, e.g. 'informational self-determination', in WoT depends on the considered use case and has to be left to it.



What we can do is support the TFs resp. their use case descriptions by pre-selecting the items that deserve consideration and spelling them out in a sound way. So per item there is:

- A 1-liner resembling what glossaries usually state

- Some qualifications about important aspects such as applicability to WoT (e.g. SSO) or common approaches (e.g. application vs. transport-level security)



The work on security/privacy requirements is not meant to be finished with the proposed page: we need to interact with the TFs and help them to weave our input on security/privacy requirements into their use cases.



Regarding your concrete points:

- @1: Yes, we probably need some numbering scheme to have a short way of referencing.

- @2a: Goes along with my thinking, but I'd add some relaxation, e.g. "A tangible list of the security&privacy features applicable for WoT that needs to be covered by WoT IG deliverables [such as W3C standards (existing and new)], using MUST, SHOULD and MAY vocabulary?" ("total and tangible" scares me a bit as we explore new terrain)

- @2b: That's a possible outcome of the work on the security/privacy landscape in my eyes. I would not see this as an outcome of the work on security/privacy requirements only.



Best regards,

Oliver



From: Nilsson, Claes1 [mailto:Claes1.Nilsson@sonymobile.com]
Sent: Monday, 10 August 2015 16:49
To: Pfaff, Oliver; public-wot-ig@w3.org
Subject: RE: [IG-SP] Review of Security&Privacy Requirements Catalogue



Hi Oliver and others,



Thanks for compiling this catalogue. I have some initial comments:



1. Maybe each requirement should have a number or some other id. That would make it easier in discussions and follow-up of requirements.

2. The list looks more like the Security&Privacy Glossary in more detail than a list of requirements. That might be ok depending on what we want to achieve. Do we want this, or do we want:

   a. A total and tangible list of the security&privacy features applicable for WoT that needs to be covered by W3C standards (existing and new), using MUST, SHOULD and MAY vocabulary?

   b. A tangible list of the security&privacy features applicable for WoT that needs to be standardized by W3C in addition to what exists today (or what is in progress of being standardized), i.e. a gap list, using MUST, SHOULD and MAY vocabulary?

WDYT?



BR

Claes







Claes Nilsson

Master Engineer - Web Research

Research&Incubation



Sony Mobile Communications

Tel: +46 70 55 66 878

claes1.nilsson@sonymobile.com

sonymobile.com



From: Pfaff, Oliver [mailto:oliver.pfaff@siemens.com]
Sent: 5 August 2015 13:48
To: public-wot-ig@w3.org
Subject: [IG-SP] Review of Security&Privacy Requirements Catalogue



Dear colleagues,

Until now the Security&Privacy Requirements Catalogue <https://www.w3.org/WoT/IG/wiki/Security%26Privacy_Requirements_Catalogue> used to be a bit of a laundry list. That has changed, and now there is a first draft version for review.



Formally the Wiki page is public (as is this mail) and we'd accept comments from anybody in the WoT IG. However, I would like to ask for review and feedback from [IG-SP] before sending heads-up notices to the TFs.



When reviewing, please check for:

* Completeness: does the catalogue cover all requirements that we want to highlight (caveat: it should not become too lengthy; special interest items may have to be dropped to avoid the 'TL;NR' syndrome)?

* Correctness: are the contents of the catalogue sufficiently sound (caveat: it should not become academic; becoming too nitty-gritty should be avoided)?

* Comprehension: do the contents compile when reading through the catalogue with common sense, are the contents intuitively accessible?

* Wording: which improvements are needed to pass the 'native speaker check'?



I suggest a review/feedback period (within SP) until Aug 12. Please provide suggestions and addition/change requests on the public mailing list or in a personal exchange (suggestions and addition/change requests that arrive thereafter will also be accommodated; this is not meant as a final call).



Please note that I will do a round of double-checking against the IIC reference architecture during this review/feedback period (=> there might be some [hopefully minor] updates).



Please also note that there will be some derivative work that will reflect the structure of the security&privacy requirements catalogue => adding (new) catalogue items later on will be easy, tweaking the structure will be tedious. So let's put a priority on establishing a structure that has a good chance of staying stable.



Kind regards,

Oliver

Received on Wednesday, 19 August 2015 07:07:11 UTC