Conversation
k-toumura
left a comment
Regarding assertion 48: Since QUIC can be used as a secure transport over UDP, we might need to rephrase this assertion.
danielpeintner
left a comment
LGTM.
I have 2 questions:
- shall we really state various "secure" versions while they might get out of date?
- what does it mean if we tick or not tick the checkboxes?
| - D (can also be B and in Scripting API but this is not limited to scripting api implementations) | ||
|
|
||
| - [ ] 35. A WoT Runtime implementation SHOULD provide a hardware abstraction layer for accessing the low-level device hardware interfaces. ([arch-security-consideration-use-hal](https://www.w3.org/TR/wot-architecture11/#arch-security-consideration-use-hal)) | ||
| - D (can also be B and in Scripting API but this is not limited to scripting api implementations) |
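Review bot: the category note under assertion 35 writes "Scripting API" and then "scripting api implementations" within the same parenthetical. Capitalize the second occurrence as "Scripting API implementations" so the term matches its first use and the name of the specification.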
There was a problem hiding this comment.
Categorization is fine.
BTW, I don't really see any difference to 34 🤷‍♂️
There was a problem hiding this comment.
I would say that 35 is what you should do to avoid 34. 35 is more of a guideline so we should keep that.
Note: Technically by not exposing anything device-related, one would achieve 34. Like adding two numbers that happen purely in software.
|
|
||
| - [ ] 47. If TLS 1.3 cannot be used for compatibility reasons but secure transport over TCP is appropriate, TLS 1.2 [RFC5246] MAY be used. ([arch-security-consideration-tls-1-2](https://www.w3.org/TR/wot-architecture11/#arch-security-consideration-tls-1-2)) | ||
|
|
||
| - A3: This should be a generic assertion to all bindings that can support TCP. The implementation enforcement can only happen in the binding, which is informative. However, we should recommend all implementers to do that. In the binding documents, there should be informative notes about this that can point back to TD. |
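Review bot: the A3 note under assertion 47 says the informative notes in the binding documents "can point back to TD", while the assertion's own link targets wot-architecture11. Name the document that will hold the normative text explicitly, so binding authors know which anchor to reference.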
There was a problem hiding this comment.
Maybe it is just me, but I think we should state that the most secure transport should be used unless not possible. Specifying 1.3 while it might be possible that in the near future 1.4 is released does not make sense to me.
There was a problem hiding this comment.
I agree. We can put an informative note after the assertion saying something like "At the time of writing, this is TLS and DTLS 1.3, but please check the most recent version"
Description of Changes
This contains the categories for my and @mjkoster's assertions. @relu91 and @danielpeintner, there are some assertions related to "WoT Runtime", which is not necessarily the Scripting API. Feel free to comment on those.
Related Issue
part of #2126
Type of Change