Re: Preparation for Security Considerations section

Hi all,

Thanks to all for the comments received.

To work best with the group, we moved to Google Docs.

https://docs.google.com/document/d/1BpBBiv7GgkGi1_Y7NvyD3Mkalj0g857Qw-aan3NqYwU/edit?tab=t.0

This document is a work in progress for the Threat Modeling exercise for the Digital Credentials API, as also recommended by the Preventing Abuse of Digital Credentials.

If you would like to contribute, feel free to request permission to suggest and comment.

Since the DC API is part of a larger ecosystem, it includes an analysis of the Credentials layer, with a deep dive into the specific aspects of the Digital Credentials API and neighboring technologies at the same level, to ensure maximum safety for the end user.

Once sufficient refinement and consensus within the Group have been achieved, relevant threats will be documented in the Security Considerations sections of the specification.
In general, the “Security Considerations” sections serve as notes on external security in a threat model, and this document will be referred to in a Group Note.

The security considerations will follow the structure specified in RFC 3552, including a discussion of the following:
- What is in scope
- What is out of scope, and why
- Threats that the specification is susceptible to
- Residual risk to users, implementers, and related technologies
- Threats the standards protect against (with reference to the specific section of the standard)

Thank you,

Zahra, Amir, Simone


> On 4 Nov 2025, at 17:29, Simone Onofri <simone@w3.org> wrote:
> 
> Hi all,
> 
> Zahra, Amir, and I worked on the Security Considerations section.
> 
> We just published on the wiki:
> 
> https://github.com/w3c-fedid/digital-credentials/wiki/Security-Considerations-Section
> 
> To facilitate the discussion on Friday, please read it in advance so you can anticipate questions.
> 
> The idea is to discuss each threat and understand if there are other threats.
> 
> Then, for each threat, agree on the response (that then needs to be reflected in the spec).
> 
> For ecosystem threats, we have a separate document; feel free to put issues/PRs here for ecosystem threats, but not on the API:
> 
> https://w3c.github.io/threat-model-digital-credentials/
> 
> It can be good to have an editor representing FedID WG, if someone would like to join.
> 
> Thank you,
> 
> Zahra, Amir, Simone
> 
> 

Received on Thursday, 6 November 2025 15:48:28 UTC