Re: Procedure proposal from Junichi Hashimoto on 2015-07-30 (public-auto-privacy-security@w3.org from July 2015)

From: Junichi Hashimoto <xju-hashimoto@kddi.com>
Date: Wed, 29 Jul 2015 22:30:43 -0700
To: public-auto-privacy-security@w3.org
Message-ID: <55B9B683.4060601@kddi.com>
Hi Kevin,

During the meeting in Seattle, members have reached a consensus that the 
use case list is useful not only for security and privacy but also for 
Vehicle APIs. We've added many items (including your use cases) into the 
list and will discuss them in the next tel-conference.

I'd like you to take a look on the list and add more items that are 
missing. We have only a few days but I hope we discuss the security and 
privacy aspect of the use cases via this ML before the tel-conference.

Regards,
Junichi



On 15/07/29 08:34 , Gavigan, Kevin wrote:
> Hi Junichi,
>
> Thanks, your proposal seems like a good idea to me as it will help us to
> gather scenarios more quickly
>
> I will plan to add brief use cases to the spreadsheet...
>
> Regards and best wishes,
>
> Kevin
>
> *Kevin Gavigan BSc (Hons), MSc, PhD, MCP MCTS*
> */Software Architect/*
> */Connected Infotainment
> /*
>
> */Mobile: 07990 084866
> /*
> /*Email:*/ kgavigan@jaguarlandrover.com
> <mailto:kgavigan@jaguarlandrover.com>
>
> */Office address:/*
> *GO03/057** • **Building 523, **Gaydon** • **Maildrop: (G03)**/
> /**Jaguar Land Rover • Banbury Road • Gaydon • Warwick • CV35 0RR*
>
> On 24 July 2015 at 02:58, Junichi Hashimoto <xju-hashimoto@kddi.com
> <mailto:xju-hashimoto@kddi.com>> wrote:
>
>     Hi,
>
>     I've investigated several methods and practices of security/privacy
>     analysis (e.g., goal oriented analysis, misuse case analysis,
>     STRIDE/DREAD, ISO 15408, ITU-T X.1121) and think that we should
>     apply a customized procedure for our case.
>
>     Compared to usual security analysis, our security/privacy target is
>     not completely definable because it is not actual software but
>     rather a platform for software. So listing up use cases as Kevin did
>     would be the best way to figure out our scope.
>
>     On the other hand, I personally think we could start with a bit
>     simpler description for our first step and add the details later,
>     e.g., during the second iteration of use case discussion, to get
>     ideas from wider stake holders.
>
>     What do you think?
>
>     FYI, I've just put some examples on a spreadsheet[1] to show what I
>     am thinking.
>
>     Also the following is the basic (simple) procedure I'd propose:
>     Step 1. Listing up brief use cases and concerns
>     Step 2. Select items for our scope and investigate them deeply
>     (Kevin's is this level)
>     Step 3. Derive requirements from the investigation
>
>     In order to gather all the important points, I'd like to suggest we
>     iterate the above procedure at least twice before LC.
>
>     Please feel free to give your comments on the above proposal.
>     I'd like to talk about this procedure during the upcoming f2f
>     meeting in Seattle as well.
>
>     [1]
>     https://docs.google.com/spreadsheets/d/14ij-2I-H4HbilVQ_muCmUayVqmVfdbkoke690MA0kdo/edit#gid=0
>
>     Junichi
>
>
>
Received on Thursday, 30 July 2015 05:41:17 UTC