- From: Rachna Dhamija <rachna.public@gmail.com>
- Date: Mon, 4 Jun 2007 16:54:36 -0700
- To: public-wsc-wg@w3.org
- Message-ID: <a175c0a10706041654y1c2524f3v1da909dde24c51b8@mail.gmail.com>

It would be helpful if people could look over the threat trees before or during the next call:
http://www.w3.org/2006/WSC/wiki/ThreatTrees

I modified the tree to add some attacks that are in scope but were not reflected. One source of confusion was that the section previously labeled "site-impersonation attacks" only listed techniques to lure users to the wrong website (e.g., sending a link in email), rather than site-impersonation attacks themselves (e.g. chrome spoofing). Luring and site-impersonation attacks are now in separate sections. If you disagree with anything here, please edit the wiki!

As we discussed at the F2F, we still need to:

- determine how to integrate threats with the use cases (Rachna and Johnathan think that use cases and threats are independent and don't need to be integrated. Tlr may disagree).
- add references to evidence of actual attacks and vulnerability databases (as suggested by Stephen F and seconded by Rachna)
- add any missing attacks (so far, only Yngve has reviewed and added attacks)
- make the terminology more formal and distinguish vulnerabilities, risks, threats and exploits (as suggested by PHB)
- decide what to do with out of scope attacks (include them or not)

I am closing out this action, though I expect that related actions will be assigned during the next call.

Rachna

Received on Monday, 4 June 2007 23:54:41 UTC