- From: Drummond Reed <drummond.reed@gmail.com>
- Date: Thu, 16 Oct 2025 13:23:25 -0700
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: W3C DID Working Group <public-did-wg@w3.org>, Simone Onofri <simone@w3.org>
- Message-ID: <CAAgCPQdfLBQjur=BGGSGOkcBx=ZM042H=HBgCn39z6bmxLygYw@mail.gmail.com>
Manu, thank you for a superb lesson in prompt engineering. Bless you for everything you do for this community.

=Drummond

On Thu, Oct 16, 2025 at 9:45 AM Manu Sporny <msporny@digitalbazaar.com> wrote:
> During the call today, we reviewed an experiment in threat modelling:
>
> https://msporny.github.io/did-threat-model/
>
> Folks on the call asked for the prompts that resulted in that
> document. It turns out I had set many of the LLMs into "Incognito
> mode" (don't want my chats being used for future training) and just
> have a habit of deleting sessions when I'm done w/ them. So, it's all
> gone :( -- that said, this is more or less what I did:
>
> (open up Claude Sonnet v4.5)
>
> You are a security researcher that is generating a threat model for
> the decentralized identifier ecosystem. I have a number of documents
> that I want you to read for guidance, don't generate the threat model
> until I tell you to.
>
> I would like the output of this document to be in HTML format,
> specifically as a ReSpec document. The instructions on how to write
> ReSpec documents can be found here: https://respec.org/docs/
> Wait 10 seconds before consuming the document to ensure that it is
> fully rendered.
>
> (LLM does its thing)
>
> Ok, now I want you to learn about the DID ecosystem, to do that, read
> the DID specification: https://www.w3.org/TR/did-1.1/ and the CID
> specification: https://www.w3.org/TR/cid/
>
> (LLM reads the documents into the context)
>
> I want you to model the layout of the document you write based on a
> threat model document I am going to upload as a PDF file (attach PDF
> of existing threat model).
>
> Ok, now that you've read all of that, I want you to provide the table
> of contents for what you are going to write.
>
> (LLM provides table of contents, which is wrong).
>
> I want you to delete sections 4 and 5, move sections 7-12 into a
> section titled Architecture, which will follow the introduction....
> (and so on)
>
> (LLM generates the new table of contents)
>
> Ok, that looks good, when you write the document, I want you to be as
> concise as possible, use the threat model components as what you build
> the prose from as they are the central thing to be identified and
> talked about. Use prose that only requires a high school education,
> and reading the other specifications, to understand.
>
> (LLM says it will do that)
>
> Ok, now generate the first pass of the document in ReSpec HTML format.
>
> (LLM generates the document)
>
> (Manu copies the HTML document into a Visual Studio Code environment
> that is sandboxed to prevent the LLM from sucking in all the other
> private projects/code he is working on. Sets up environment to use
> various LLMs, but mostly Claude Sonnet v4.5)
>
> (Switch to GPT 4.1, Kimi K-2, Gemini 2.5, using research mode for ones
> that support it) -- read the threat model and detect if there are
> logical inconsistencies or areas that are vague, suggest changes to
> problematic areas.
>
> (Manu does 1 hour of iteration)
>
> (Back to Claude Sonnet v4.5) Ok, I need you to create a diagram based
> on the threat model, use all components in the architecture section in
> the diagram. Perform a graphical layout that is easy to understand and
> read by humans.
>
> (1 hour of iteration, resulting in a dog's breakfast on every
> iteration, each iteration getting worse -- clear memory, start again)
>
> I need you to create a diagram based on the threat model, use all
> components in the architecture section in the diagram. Use a graph
> modelling language to create the nodes and edges in the graph, use
> GraphViz with DOT as the graph language.
>
> (generates something useful)
>
> Translate the DOT language to Cytoscape.js, build an interface that
> allows me to manually adjust the layout of the graph in an interactive
> fashion.
>
> (Claude builds HTML web page that allows real-time manual layout of graph)
>
> (Manu lays out graph so it's easier to read by humans)
>
> Ok, now export the diagram to SVG.
>
> (Claude generates 15 iterations of SVG export that crash)
>
> (Manu gives up and just zooms in and takes a screenshot and puts it in
> the spec).
>
> Read the Security and Privacy considerations in the DID spec and the
> CID spec and integrate those in as threats. Remove duplicate threats,
> order the threats in most critical to least critical order.
>
> ^ That's how I got to the first draft of that DID Ecosystem Threat Model.
>
> Hope that helps.
>
> -- manu
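One of the steps in the quoted workflow was having the LLM translate a GraphViz DOT graph into Cytoscape.js. As an added example that is not part of this thread or of Manu's threat-model document, here is a small Python translator for a DOT subset (one node or edge statement per line, optional `[key="value"]` attributes) that emits the Cytoscape.js `elements` structure; the sample graph and its component names are constructed for illustration, not taken from the actual diagram.

```python
import json
import re

# Constructed sample DOT graph. The node names reuse DID Core terminology,
# but the edges are illustrative and are not Manu's actual diagram.
SAMPLE_DOT = """
digraph did_ecosystem {
    controller [label="DID controller"];
    registry [label="Verifiable data registry"];
    resolver [label="DID resolver"];
    verifier [label="Verifier"];
    controller -> registry [label="writes DID document"];
    resolver -> registry [label="reads DID document"];
    verifier -> resolver [label="resolves DID"];
}
"""

NODE_RE = re.compile(r'^(\w+)\s*(?:\[(.*)\])?\s*;?$')
EDGE_RE = re.compile(r'^(\w+)\s*->\s*(\w+)\s*(?:\[(.*)\])?\s*;?$')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_attrs(text):
    # [label="x" color="red"] -> {"label": "x", "color": "red"}
    return dict(ATTR_RE.findall(text or ""))


def dot_to_cytoscape(dot):
    """Translate a simple DOT digraph into Cytoscape.js `elements`
    ({"nodes": [{"data": ...}], "edges": [{"data": ...}]})."""
    nodes, edges = {}, []
    for line in dot.splitlines():
        line = line.strip()
        if not line or line.startswith(("digraph", "}", "//")):
            continue
        m = EDGE_RE.match(line)
        if m:
            src, dst, attrs = m.group(1), m.group(2), parse_attrs(m.group(3))
            for n in (src, dst):  # an edge may mention a node before it is declared
                nodes.setdefault(n, {"id": n, "label": n})
            edges.append({"data": {"id": f"{src}->{dst}", "source": src,
                                   "target": dst, **attrs}})
            continue
        m = NODE_RE.match(line)
        if m:
            name, attrs = m.group(1), parse_attrs(m.group(2))
            nodes[name] = {"id": name, "label": attrs.get("label", name)}
    return {"nodes": [{"data": d} for d in nodes.values()], "edges": edges}


def to_cytoscape_json(dot):
    # JSON blob to hand to cytoscape({ elements: ... }) in the layout page
    return json.dumps(dot_to_cytoscape(dot), indent=2)
```

Keeping the graph in this text form (DOT in, JSON out) means a model-generated diagram stays diffable and reviewable in version control rather than existing only as a screenshot.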
Received on Thursday, 16 October 2025 20:37:27 UTC