[vibration] Structuring the security considerations section (#49)

simoneonofri has just created a new issue for https://github.com/w3c/vibration:

== Structuring the security considerations section ==
This issue refers to the security review requested in this issue https://github.com/w3c/security-request/issues/71

Structuring the Security Considerations section along the lines of [RFC 3552](https://datatracker.ietf.org/doc/html/rfc3552#section-5) and as discussed in https://github.com/w3c/security-request/issues/71#issuecomment-2440005127.

- **Introduction**: a brief description of the security impact of the feature and assets to be protected.
- **Security Assumptions**: paraphrasing what is described in the [Common Criteria, section 7.1.4](https://www.commoncriteriaportal.org/files/ccfiles/CC2022PART1R1.pdf), assumptions are those elements that are considered true about the operating environment of the feature (e.g., [C2PA's Assumptions](https://c2pa.org/specifications/specifications/1.0/security/Security_Considerations.html#_threat_and_attack_assumptions)).
- **Attacks/Threats**: list of attacks or threats with title and a brief description (e.g., https://github.com/w3c/security-request/issues/71#issuecomment-2307483632). For each attack/threat:
   - **Mitigations/Countermeasures**
      - If it is _in-scope_: title and description of the countermeasures, referring to the specific section in which it is described. If the group decided not to apply any mitigation/countermeasure to the Attack/Threat, write a rationale for accepting that risk (_business justification_).
      - If it is _out-of-scope_: describe why.
   - **Residual Risk**: after the application (e.g., https://github.com/w3c/security-request/issues/71#issuecomment-2349865890).

If there are any doubts, we remain available.

Thank you

[cc'ing @anssiko, @himorin, @KimCerra]

Please view or discuss this issue at https://github.com/w3c/vibration/issues/49 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 October 2024 12:33:58 UTC