Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security http sections #364

Merged
merged 2 commits into from
Feb 22, 2023
Merged

Security http sections #364

merged 2 commits into from
Feb 22, 2023

Conversation

lu-zero
Copy link
Contributor

@lu-zero lu-zero commented Feb 13, 2023

Initial wording for #6.


Preview | Diff

@lu-zero
Copy link
Contributor Author

lu-zero commented Feb 13, 2023

@benfrancis I hope I addressed your feedback.

@benfrancis
Copy link
Member

benfrancis commented Feb 13, 2023

I'm afraid I don't agree with this change. Please see #6 (comment)

I don't think any of the assertions in Common Constraints can be assumed to be applicable to all future profiles, only the current set of HTTP profiles. The current Common Constraints section is an HTTP Common Constraints section.

I also don't see why some of the constraints you've moved to the separate HTTP Common Constraints section (e.g. Links) could not apply to other protocols in the future like CoAP.

Splitting assertions into Common Constraints and HTTP Common Constraints implies that the former apply to profiles using multiple protocols, which I don't think we can assert at this point.

I suggest leaving this as it is and re-assessing at such a point as we add non-HTTP Profiles. Only then will a separate section be necessary.

@lu-zero
Copy link
Contributor Author

lu-zero commented Feb 13, 2023

60ef6cc can be omitted from the patchset without additional changes, is the rest fine for you?

index.html Outdated
<p><span class="rfc2119-assertion" id="common-constraints-security-3">
A Thing MAY implement multiple security schemes.</span>
A Thing MAY implement multiple security schemes, at least one of the above MUST be supported.</span>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I understand it the tooling for extracting assertions doesn't support multiple RFC 2119 key words in a single assertion. You probably need to split this into two separate assertions with their own id.

index.html Outdated
Comment on lines 654 to 657
The <a href="https://w3c.github.io/wot-thing-description/#basicsecurityscheme">
<code>BasicSecurityScheme</code>
</a> SHOULD be avoided if the underlying transport is not
<a href="https://w3c.github.io/wot-architecture/#sec-security-consideration-secure-transport">secure</a>.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whilst I don't disagree with this assertion (where it's possible to use TLS), I'm not sure this advice is unique to the Basic security scheme. A man-in-the-middle attack can be used to intercept tokens in the OAuth2 security scheme too.

Note that the Security Considerations section already says:

The security considerations of the WoT Architecture and WoT Thing Description MUST be adopted by compliant implementations.

This includes WoT Architecture's section on secure transport which you linked to, which goes into more detail and mentions that tokens are at risk as well as passwords.

Also note that assertions need to be wrapped in a <div> or a <span> with class="rfc2119-assertion" and a unique id.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments:

  • We can change to MUST in the profile ?
  • TLS should be for all security mechanisms indeed (except nosec).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can change to MUST in the profile ?

Regular reminder: TLS doesn't work on local networks. This would effectively forbid the use of profiles on local networks.

Use case: WebThings Gateway currently exposes its API via http://gateway.local, and optionally https://{subdomain}.webthings.io, and uses profiles on both.

@mmccool
Copy link
Contributor

mmccool commented Feb 15, 2023

Let's discuss this further in the Security call next week. I would like to clean up this PR by next week's Profile call. @benfrancis thanks for your review, please look for an update next week that I hope will address your concerns (may be a new PR, we'll see if this one can be repaired first).

@egekorkan
Copy link
Contributor

It is not here anymore but I think that each profile should explain the security scheme on its own. Is OAuth2 usable in Webhook?

@lu-zero
Copy link
Contributor Author

lu-zero commented Feb 16, 2023

Hopefully now it is more acceptable.

index.html Outdated
<p><span class="rfc2119-assertion" id="common-constraints-security-3">
A Thing MAY implement multiple security schemes.</span>
A Thing MAY implement multiple security schemes</span>,
<span class="rfc2119-assertion" id="common-constraints-security-4"> at least one of the above MUST be supported.</span>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest splitting this into two sentences. Once these assertions get extracted out into implementation reports the latter is not going to make any sense.

Copy link
Contributor

@mlagally mlagally Feb 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree in principle to improve the language, however splitting into two sentences does not solve the problem. The 2nd sentence should contain the members of the list above.
However, since this MR does not contain any contentious content anymore, I suggest we be oragmatic, merge it and do the split into two sentences in another PR.

@benfrancis
Copy link
Member

@egekorkan wrote:

Is OAuth2 usable in Webhook?

That's a good question, I don't know.

@mlagally mlagally mentioned this pull request Feb 22, 2023
@@ -643,12 +643,15 @@ <h2>Security</h2>
</ul>
</div>
<p><span class="rfc2119-assertion" id="common-constraints-security-2">
Conformant Consumers MUST support all of these security schemes.</span>
Conformant Consumers MUST support at least all of these security schemes.</span>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean...

Consumers MUST support at least one of these security schemes?

IF not.. "at least all" sounds strange, then I would rather stick to "all"

Copy link
Member

@benfrancis benfrancis Feb 22, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consumers must support all of the security schemes in order to guarantee interoperability with all conformant Things.

I agree the existing wording made more sense.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danielpeintner
We discussed it in today's call and agreed to merge it. If there's a need to improve the text, please create a new issue.

@mlagally mlagally merged commit 439d590 into w3c:main Feb 22, 2023
@@ -643,12 +643,15 @@ <h2>Security</h2>
</ul>
</div>
<p><span class="rfc2119-assertion" id="common-constraints-security-2">
Conformant Consumers MUST support all of these security schemes.</span>
Conformant Consumers MUST support at least all of these security schemes.</span>
Copy link
Member

@benfrancis benfrancis Feb 22, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consumers must support all of the security schemes in order to guarantee interoperability with all conformant Things.

I agree the existing wording made more sense.

</p>

<p><span class="rfc2119-assertion" id="common-constraints-security-3">
A Thing MAY implement multiple security schemes.</span>
</p>
<p><span class="rfc2119-assertion" id="common-constraints-security-4">
A Thing MUST support at least one of the above security schemes.</span>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sorry for asking to keep asking for further changes but there are now two similar sounding assertions which say different Things:

Below is a list of security schemes which conformant Web Things MAY use

A Thing MUST support at least one of the above security schemes.

The text originally said "Below is a list of security schemes which conformant Web Things MAY use and conformant Consumers MUST support" but I believe it was split into two assertions because sentences can't include two RFC 2119 keywords.

The former assertion also uses the term "MAY" incorrectly, which is my fault.

Let's just stop dancing around grammatical structures and duplicate the list 🙂...

Conformant Web Things MUST use at least one of the following security schemes [[wot-thing-description]]:

  • NoSecurityScheme
  • BasicSecurityScheme
  • OAuth2SecurityScheme with the code or client flow.

Conformant Consumers MUST support all of the following security schemes [[wot-thing-description]]:

  • NoSecurityScheme
  • BasicSecurityScheme
  • OAuth2SecurityScheme with the code or client flow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants