Adding relevant Arch Assertions #2151
Description
The relevant assertions are below. They were categorized as A3 or A2. They will be assigned to people tomorrow
@k-toumura the next 4
-
1. In W3C WoT, the description metadata for a Thing instance MUST be available as a WoT Thing Description (TD) [WOT-THING-DESCRIPTION]. (arch-td-metadata)
- Add to Behavioral Assertions?)
-
3. To be considered a Thing, however, at least one TD representation MUST be available. (arch-td-mandatory) - Can be merged with 1
- As informative note)
-
13. Extension relation types MUST be compared as strings using ASCII case-insensitive comparison, (c.f. ASCII case insensitive). (If they are serialized in a different format they are to be converted to URIs). (arch-rel-types)
- We should change the TD spec as the https://www.rfc-editor.org/rfc/rfc8288.html#section-2.1.1 requires case insensitive comparison. The receiver should be permissive
-
14. Nevertheless, all-lowercase URIs SHOULD be used for extension relation types [RFC8288]. (arch-rel-type-lowercase)
- Conflict at
controlledBy
- Conflict at
@egekorkan next 4
-
16. Form context and submission target MAY point to the same resource or different resources, where the submission target resource implements the operation for the context. (arch-form-iris2)
- Explanation: basically GET and PUT can point to the same resource but we differentiate with methods. This is not explicit in TD spec
-
17. The request method MUST identify one method of the standard set of the protocol identified by the submission target URI scheme. (arch-op-request-method)
- After https://w3c.github.io/wot-thing-description/#td-bindings-server-accept
- Rewording that linked assertion can be also enough. Basically, this is saying that the TD cannot contain an HTTP method like
GIT.
-
20. Interaction Affordances MUST include one or more Protocol Bindings. (arch-hypermedia)
-
24. Protocol Bindings MAY have additional information that specifies representation formats in more detail than the media type alone. (arch-media-type-extra)
@k-toumura next 4
-
11. Events MAY be triggered through conditions that are not exposed as Properties. (arch-event-trigger)
-
25. Thus, the Interaction Affordance for structured data types SHOULD be associated with a data schema to provide more detailed syntactic metadata for the data exchanged. (arch-schema)
-
28. Authentication and authorization SHOULD be established based on separately managed Private Security Data. (arch-security-consideration-auth-private-data)
-
29. Producers of TDs MUST ensure that no Private Security Data is included in TDs. (arch-security-consideration-no-private-security-data)
- Fits to https://w3c.github.io/wot-thing-description/#behavior-security
- Should be merged with 27 and 28. 29 covers the other two. There is no way to violate one but fullfil the other two. Then 27 and 28 will be A2.
@k-toumura for the rest
-
46. When secure transport over TCP is appropriate, then at least TLS 1.3 [RFC8446] SHOULD be used. (arch-security-consideration-tls-1-3)
- This should be a generic assertion to all bindings that can support TCP. The implementation enforcement can only happen in the binding, which is informative. However, we should recommend all implementers to do that. In the binding documents, there should be informative notes about this that can point back to TD.
- Note: the same concern seem to apply to OPC UA, which can use other mechanisms that TLS for security. We need to change the 3 following assertions to not constrain to a specific transport layer security. QUIC is over UDP for example.
-
47. If TLS 1.3 cannot be used for compatibility reasons but secure transport over TCP is appropriate, TLS 1.2 [RFC5246] MAY be used. (arch-security-consideration-tls-1-2)
-
48. If DTLS 1.3 cannot be used for compatibility reasons but secure transport over UDP is appropriate, then DTLS 1.2 [RFC6347] MAY be used. (arch-security-consideration-dtls-1-2)
-
49. Versions of DTLS or TLS earlier than 1.2 MUST NOT be used for new development. (arch-security-consideration-no-earlier-tls-or-dtls)
-
50. Storage of explicit PII in TDs SHOULD be minimized as much as possible. (arch-privacy-consideration-min-explicit-pii)
-
53. Things returning data or metadata (such as TDs) associated with a person SHOULD use some form of access control. (arch-privacy-consideration-access-control-mandatory-person)