You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: documentation/API-design-guidelines.md
+13-10
Original file line number
Diff line number
Diff line change
@@ -1892,20 +1892,21 @@ Note: There is no normative enforcement to use any of these patterns, and they c
1892
1892
1893
1893
#### Security Considerations
1894
1894
1895
-
As notifications may carry sensitive information, privacy and security constraints have to be considered.
1895
+
As notifications may carry sensitive information, privacy and security have to be considered.
1896
1896
1897
-
CloudEvents specification only provide some limited guidance there: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#privacy-and-security
1898
-
CloudEvents allows many protocols which each have their own security measures.
1897
+
CloudEvents specification only provide some limited privacy and security guidance there: https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md#privacy-and-security
1899
1898
1900
-
Camara Notifications MUST use HTTPS. The implementation of the Notification Sender MUST follow [10.2 Security Implementation](#102-security-implementation).
1899
+
This document restricts the allowed values of `protocol` to `HTTP`. CloudEvents allows many protocols which each have their own security measures.
1900
+
This Security Considerations need to be reconsidered if other protocols than `HTTP` are allowed.
1901
+
Camara Notifications MUST use HTTPS. The value of `sink` MUST be an URL with url-scheme `https`.
1902
+
The implementation of the Notification Sender MUST follow [10.2 Security Implementation](#102-security-implementation).
1901
1903
1902
-
Camara restricts the the `credentialType` to ACCESSTOKEN. Neither `PLAIN`nor `REFRESHTOKEN` are allowed.
1903
-
CloudEvent access tokens are basically shared secrets (PLAIN) with a lifetime.
1904
+
This document restricts the `credendentialType` to `ACCESSTOKEN`. Neither `PLAIN`nor `REFRESHTOKEN` are allowed.
1905
+
This Security Considerations need to be reconsidered if other `credentialsType` values are allowed.
1904
1906
1905
-
CloudEvent Security and Privacy considerations RECOMMEND protecting event data through signature and encryption.
1906
-
As Camara Notifications are JSON, Camara RECOMMENDS that the Camara Notification is signed and encrypted using [JSON Web Signature (JWS)](https://datatracker.ietf.org/doc/html/rfc7515) and [JSON Web Encryption (JWE)](https://datatracker.ietf.org/doc/html/rfc7516). The signing key should be made available through an public URL, which is agreed upon at API Consumer onboarding-time. The public key to which the notification event data is encrypted should be availabe through public URL, which is agreed upon at API Consumer onboarding-time.
1907
-
1908
-
To prevent notification-replay attacks the API Consumer SHOULD inspect the notification's `id` and `time` fields. Whether to reject or ignore notifications that have already been received or that are too old is a API Consumer's policy decision.
1907
+
CloudEvent Security and Privacy considerations RECOMMEND protecting event **data** through signature and encryption. The value of the `data` field of the notifications SHOULD be signed and encrypted.
1908
+
As Camara Notifications are JSON, Camara RECOMMENDS that the Camara Notification is signed and then encrypted using [JSON Web Signature (JWS)](https://datatracker.ietf.org/doc/html/rfc7515) and [JSON Web Encryption (JWE)](https://datatracker.ietf.org/doc/html/rfc7516).
1909
+
The API Consumer and event producer have to agree which keys to use for signing and encryption e.g. at onboarding time or at subscription time.
1909
1910
1910
1911
It is RECOMMENDED that the API consumer inspects all the fields of the notification, especially `source` and `type`. It is RECOMMENDED that if the notification event data is signed, that then the `source` and the signature key are associated.
1911
1912
@@ -1915,6 +1916,8 @@ API Consumers SHOULD validate the schema of the notification event data that is
1915
1916
1916
1917
Any system permitting the registration and delivery of notifications to arbitrary HTTP endpoints holds the potential for abuse. This could occur if someone, either intentionally or unintentionally, registers the address of a system unprepared for such requests, or for which the registering party lacks authorization to perform such registration.
1917
1918
1919
+
To prevent notification-replay attacks the API Consumer SHOULD inspect the notification's `id` and `time` fields. Whether to reject or ignore notifications that have already been received or that are too old is a API Consumer's policy decision.
1920
+
1918
1921
To protect the sender, CloudEvents specification provides some guidance there: https://github.com/cloudevents/spec/blob/main/cloudevents/http-webhook.md#4-abuse-protection
1919
1922
1920
1923
Event Producers shall choose based on their internal security guidelines to implement measures based on the above guidance to ensure abuse protection. For e.g., An event producer might ask the subscriber to pre-register the notification URL at the time of app onboarding. If this registered notification URL doesn't match later with the notification URL in the request, the event producer can choose to reject the request with the relevant error code.
0 commit comments