- From: Junichi Hashimoto <xju-hashimoto@kddi.com>
- Date: Fri, 24 Jul 2015 10:58:32 +0900
- To: public-auto-privacy-security@w3.org

Hi,

I've investigated several methods and practices of security/privacy analysis (e.g., goal oriented analysis, misuse case analysis, STRIDE/DREAD, ISO 15408, ITU-T X.1121) and think that we should apply a customized procedure for our case.

Compared to usual security analysis, our security/privacy target is not completely definable because it is not actual software but rather a platform for software. So listing up use cases as Kevin did would be the best way to figure out our scope.

On the other hand, I personally think we could start with a bit simpler description for our first step and add the details later, e.g., during the second iteration of use case discussion, to get ideas from wider stakeholders. What do you think?

FYI, I've just put some examples on a spreadsheet[1] to show what I am thinking.

Also the following is the basic (simple) procedure I'd propose:

Step 1. Listing up brief use cases and concerns
Step 2. Select items for our scope and investigate them deeply (Kevin's is this level)
Step 3. Derive requirements from the investigation

In order to gather all the important points, I'd like to suggest we iterate the above procedure at least twice before LC.

Please feel free to give your comments on the above proposal. I'd like to talk about this procedure during the upcoming f2f meeting in Seattle as well.

[1] https://docs.google.com/spreadsheets/d/14ij-2I-H4HbilVQ_muCmUayVqmVfdbkoke690MA0kdo/edit#gid=0

Junichi

Received on Friday, 24 July 2015 02:09:01 UTC