Web of Things (WoT) Profile 2023-02-16 > 2023-03-20

[mmccool]

In the issue title above add the document name followed by the date of this request, then the date of your proposed deadline for comments.

• name of spec to be reviewed: Web of Things (WoT) Profile

• URL of spec: https://www.w3.org/TR/2023/WD-wot-profile-20230118/

• What and when is your next expected transition? CR, on 2023-03-30

• What has changed since any previous review? No previous review; however, see change log for changes from FPWD

• Does your document have an in-line Privacy Considerations section, ideally one separate from the Security Considerations? Yes.

• Please point to the results of your own self-review: https://github.com/w3c/wot-architecture/blob/main/publication/ver11/security_and_privacy.md

• Where and how to file issues arising? please file individual issues at https://github.com/w3c/wot-profile/issues

• Pointer to any explainer for the spec? https://github.com/w3c/wot-profile/blob/main/explainer/Explainer.md

Other comments:

• Ideally we would have issues filed by 2023-03-20 so we have time to respond to them and implement any corrections prior to our planned CR transition on 2023-03-30.

[NalaGinrut]

hi, I'm IE of PING, I'd like to help to review this issue, thanks for all your previous work!

[NalaGinrut]

I've reviewed WoT profile spec roughly. It puts forth a set of guidelines to aid in ensuring compliance with interoperability for implementations.
Here're some comments:

1. In HTTP Basic Profile. When querying the API for read-only access, authentication should be required. For instance, to remotely detect if a person is present in a room, a script could query the state of "is the lamp turned on." It would be more appropriate to label this as a privacy concern for the implementors.
2. There're more sections that have the same concern too, say, queryallactions, SSE.
3. Is it possible to confirm that a specific operation follows the guidelines specified in the TD? In case the profile introduces new privacy measures in the future version, the profiling server could be able to assess compliance.

cc @pes10k

[pes10k]

@NalaGinrut thank you for raising these issues. Will you be on the PING call tomorrow (March 16th) to share your findings? Otherwise, I can try to summarize the issues you've raised with PING, and you can follow up and present them to the WOT group

[NalaGinrut]

@pes10k Unfortunately, I don't have time to join the meeting. It's appreciated if you can summarize it for me this time. ;-)

[pes10k]

Sounds good, i will do my best. I will also summarize any conversation that comes up here. I'm happy to help then however I can when you file the issues with the group

[pes10k]

I'm going to close this issue out. Again, thank you very much @NalaGinrut for doing the review, and I hope i summarized your concerns correctly in the following issues. If you think either or both should be "upgraded" to blocking (i.e., privacy-needs-resolution) issues, please feel free to do so (or let me know and i can do so)

• How can clients verify that a device they're interacting with is compliant? w3c/wot-profile#385
• Read-only events should require authentication w3c/wot-profile#384