-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[security] API key and PSK security schemes are not referenced or explained #998
Comments
@ereshetova and also @OliverPfaff - would be good to comment.
We should at least explain the purpose of these better; I agree that they are underspecified, and we should include the above examples at a minimum. If anyone can suggest any references it would be helpful. |
Here are some possible references (but web pages; not sure if there are "normative" references in the usual sense, which may or may not be an issue):
"API key" is kind of a marketing term, since it depends on other technologies. In a sense these are "security patterns" widely used in industry, rather than "standards". However, we do know that Amazon, etc. will use a combination of technologies in a certain way. Google and Amazon, however, will use different combinations of technologies. So this is still useful to identify expectations in a consumer... To make this more complete we MIGHT also want to identify the "vendor ecosystem" - so we MAY need some additional information to make this complete. Right now it does specify where the API key can be found, though. Our understanding at the time that this would be enough to cover all the different vendor ecosystems, though, since they provide the encoded API key, and the consumer just has to present it when needed. For PSK, there are also some variants (see TLS-PSK, there are multiple ciphersuites... which identifies the flavor, e.g. symmetric keys, or authenticated key exchange, etc). IANA is a good source for the names of these ciphersuites: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 HOWEVER, it seems the PSK scheme is missing the ciphersuite used, which would be a useful addition (it is, however, provided during TLS negotiation). I think if we added this information it would be a non-breaking change, since it would be ignored by earlier implementations and resolved via negotiation. However, we also need to go back and look at previous discussion; we might have left this out to reduce complexity, and depend on existing TLS/DTLS negotiation mechanisms. |
TODOs:
|
I agree with the added explanations. I think that we have to specify how they are used since they are very common but not standardized (like JSON Schema). Also, API Key is sadly used a lot in URIs but there is no way to describe them in TDs yet. This is not a TM related problem though, there should never be a TD that gets generated that has credentials in the URI (A TM implies that a TD should be generated from it). Related to #923 |
Regarding API keys in URIs, yes, the idea is that you would NOT put these in the TD. However, the apikey scheme has a "name" parameter and you can also say it is "in" the "query". Our intention in this case was that the actual URI would be formed with an additional query parameter of the form Further points:
|
There is also issue #923. Here there is an API key being used, but it is actually appended to the URL rather than being a query parameter. This would not fall under the "in" with "query" pattern, but needs a NEW pattern (perhaps "template", and then "name" would be used to identify the name of the template parameter). You could ALSO handle the "query" pattern this way but (a) I'd rather not remove things already in the spec if I can help it (b) the "query" pattern covers a common use case in a less verbose way than the proposed "template" pattern would. |
I would say that this is needed. I would be supporting the |
So the above PR #1031 I think addresses this issue and so I recommend that this issue be closed (if the current explanations are good enough). |
They are definitely better but I, personally, still do not understand what PSK describes. The only implementation for it was by @mkovatsc and there is only one example at https://w3c.github.io/wot-thing-description/#example-mylampthing-with-coap-protocol-binding maybe we can at least point to it? |
(I hope it is okay to add the first part here, otherwise I would open another issue for that.) Dealing with the Regarding the PSK scheme: Maybe the use of this Scheme for CoAPS could be added as an example/explanation? I think this is probably the most relevant scenario at the moment. It seems to me as if TLS-PSK is not (that well?) supported by HTTPS implementations, right? |
I think we should close this issue, as the main issue has been addressed. There are a few new comments but these should be followed up in new, more specific issues. A few final comments, however:
|
I also just checked and the current implementation report records two PSK implementations, and three for API key. So we're good for testing. |
from today's TD call, decided to close @mmccool please reopen this issue if you think this issue is not solved yet |
In contrary to the other security schemes, API key and PSK are not referenced to other specifications that specify them. I thought a W3C recommendation cannot use a non standardized "standard" without properly explaining the way it works? The security guidelines document (https://w3c.github.io/wot-security/) provides no explanation either. In that regard, this has slipped through the review process before publication.
In another regard, if I am reading the TD recommendation for the first time, I have no idea what these security schemes are, when they are used, how they are used or simply where to find more information about them
The text was updated successfully, but these errors were encountered: