W3C home > Mailing lists > Public > public-wsc-wg@w3.org > June 2007

RE: ACTION 215: Revisit threat trees

From: Rachna Dhamija <rachna.w3c@gmail.com>
Date: Tue, 19 Jun 2007 15:37:20 -0700
Message-ID: <20abbc510706191537v3f7124c3r6e47354795458cec@mail.gmail.com>
To: "Doyle, Bill" <wdoyle@mitre.org>
Cc: public-wsc-wg@w3.org

I think that re-categorizing the vulnerabilities or attacks in this way
might make sense.  Right now, I am having a hard time understanding what is
in and out of scope.  Do you have any concrete suggestions (channeling Mez
here) on how to re-categorize or prioritize the vulnerabilities?

You recently proposed that we should have an assumptions section- I think
that going through the process of writing one would help a lot.  For
example, we assume that the browser is not compromised.  Do we also assume
that the user is visiting a website that has not been compromised?


On Jun 12, 2007, at 11:40 AM, Doyle, Bill wrote:

Sorry for the delay.

M2C is that threats due to a flaws in code, OS, network or application
design should be separated from vulnerabilities due to limitations of the
environment itself. Threats due to flaws in code and in use by OS, network,
User Agent, GUI are often fixed or due to be fixed by a patch. Since many of
the vulnerabilities are out of scope, maybe the WSC WG could decide on a
subset of test that are important and priority of the tests to run. It could
be interesting to see if a specific recommendation enables a user to retain
a secure posture in the event of DNS poisoning, but is this the first test
that should be run?

Bill D.

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Rachna Dhamija
Sent: Monday, June 04, 2007 7:55 PM
To: public-wsc-wg@w3.org
Subject: ACTION 215: Revisit threat trees

It would be helpful if people could look over the threat trees before or
during the next call:
Received on Wednesday, 20 June 2007 05:42:58 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:16 UTC