Comments (8)
We talked about this as well today in the Security TF call: see w3c/wot-security#168
I think at the very least the requirements template should include a "Security and Privacy Considerations" section. It can be free-form for now, but as we work through each use case we can add some structure (eg for authentication requirements, once the lifecycle is defined we can indicate when and where we need authentication in reference to it).
from wot-usecases.
By "checklist" I assume you want to know whether we need authentication, confidentiality, access controls, etc. In that case, we perhaps want to put a free-form "Security and Privacy Considerations" section in each use case and derive detailed requirements from that.
from wot-usecases.
At any rate, let me add this to the security meeting agenda for next week... in the meantime let's discuss here exactly what is needed.
from wot-usecases.
@mmccool This was coming out of an architecture discussion we had together. I think we should add two sections:
- Security considerations
- Privacy considerations
These sections can be free-form for now and the content can be a brief paragraph raising the main issues. When we define the requirements we have to go down to more detail.
from wot-usecases.
If the security group comes up with a more detailed checklist, we should add that as well.
from wot-usecases.
My suggestion (to implement immediately):
- Add both a security and privacy "considerations" section to the use case template (and to all existing use cases).
- Add both a security and privacy "requirements" section to the requirement template. Note: these should list needed features but not necessarily concrete implementations (eg they should say "needs support for scoped authorizations" not "needs OAuth2").
Later on, we need to do:
3. A list of questions to ask when looking at considerations and requirements, similar to https://www.w3.org/TR/security-privacy-questionnaire/ (and we can extract the relevant ones from this as a starting point, although there may be additional issues we have to address) -> put in wot-architecture/USE-CASES/security-questions.md
4. A table indicating which concrete implementations (eg OAuth2) satisfy which requirements (eg "scopes"). This table should go into the security best practices document. Need to define two axes: schemes, and features. Features can be extracted from requirement documents.
DE: Consider assets, domains, and flows. Fits under "list of questions", e.g. one question could be "What are the assets?" etc.
McCool: to do PR for 1 and 2.
from wot-usecases.
Arch call on 17.12.
This was done some time ago.
Need to revisit 3 and 4.
from wot-usecases.
@mmccool
The points 3 and 4 from above need a bit of further work. I removed the "done" label and deferred it to the 2.0 publication.
from wot-usecases.