Delete definitions of Security and Privacy #368
Note that technically definitions are normative but deleting these definitions will not change any implementation, so it should be permissible. Best to check with Kaz first.

One source of definition for PII is IIC Vocabulary Technical Report. The PII in particular is defined here.

A good reference for PII is section 2.9 of https://www.iso.org/obp/ui/#iso:std:iso-iec:29100:ed-1:v1:en

I created a PR with a PII reference, please review:

After checking the arch document in the call on 4.7. we think it would be better to define the terms "security" and "privacy" in the arch document.

For the record, I think it is also fine to define Privacy and Security using external references. The reason I defined them in the first place is that they are often confused. However, it is reasonable and correct to say that these should not be normative definitions, just clarifying usage. It would be odd, however, to only define Privacy using an external reference and not "Security". So the question is, can we find an external reference for Security as well? I will bring this up in the security call...

ISO/IEC 27000:2018 (https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en), section 3.28 has a definition of "information security" which includes availability, integrity, and confidentiality. This would be a good reference, but I would suggest that we define "Security" as a shorthand: "In this document and in the WoT documents generally, the term Security is to be considered equivalent to the term Information Security defined in...". "Security" by itself is not actually defined in this ISO document, as I imagine there are conflicts with its use for other forms of security (e.g. bodyguards, buildings, etc.), but in our context I think it is reasonable to define the short form (and going through all the documents to change it to "Information Security" would be a pain, not to mention it is not parallel to "Privacy").

It's interesting the IIC Vocabulary document cited above includes "privacy" and terms like "information security risk" but oddly not "information security" or "security" (although it does have "physical security"). I assume this is just an oversight...

During the security call on July 8 we agreed that modifying the definitions to refer to the ISO standards makes sense, but defining "Security" to be equivalent to "Information Security" is also a pragmatic approach. We also agreed to add a definition (referencing ISO...) for "Physical Security" to distinguish it from "Information Security". I will update this PR to reinstate the definitions with these changes, and so have changed the title from "Delete" to "Modify".

There is a definition for "security" in the IIC document, which we could use. Note that it contains basically the same text as the definition of "Information security" in https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en

Sorry I did not yet get around to updating this PR to include "standard" definition with references for Security and Privacy. That is my intention, and I plan to get it done today in time to be reviewed in the Architecture call tomorrow.

For technical reasons, I am closing this PR (without a merge!) and replacing it with PR #384. The new PR adds definitions based on ISO standards rather than deleting them as this PR does.

NOTE: This PR should only be applied after we have received official TAG feedback and have gotten group consensus. But it seems likely it will be a recommended change, so I am queuing up a PR for it.
Based on feedback here, remove definitions of the terms "Security" and "Privacy" from the WoT Architecture document. Note that these terms are, however, defined in the WoT Security and Privacy Guidelines document.
This PR DOES leave the definition for "Personally Identifiable Information" in place. In a separate issue we may want to find and reference an external definition of this term rather than defining it ourselves.
This PR resolves issue w3c/wot-security#134