- From: Greg Bernstein <gregb@grotto-networking.com>
- Date: Tue, 6 Jan 2026 10:08:32 -0800
- To: public-security@w3.org
- Message-ID: <7215564b-3e66-48e5-b63a-e3487fc9f9ef@grotto-networking.com>
Hi Simone, I support the publishing of the “Threat Modeling Guide”.
1. Nice work! I saw some formatting issues and small nits. Don’t know
   if you want feedback.
2. Do we have a /threat model/ somewhere for DIDs? I’m trying to wrap
   my head around the did:web, did:webvh, and did:cel methods (proposed
   methods) with respect to security.
3. Similar question for VCs. It seems that we could have additional
   threat models for VCs claiming various properties, like the
   privacy-preserving (unlinkability) stuff I’ve been working on.
Best Regards and Happy New Year
Greg B.
On 1/6/26 8:36 AM, Simone Onofri wrote:
> Dear Group,
>
> This is a Call for Consensus (CfC) for the Group publishing the “Threat Modeling Guide” and for enabling autopublish.
>
> [[
> This document describes when, why, and how to perform threat modeling during the development of a specification at the World Wide Web Consortium (W3C). This is designed to help standards developers understand threats and countermeasures from the beginning of standard development and to document the model in the security considerations section.
> ]]
>
> During the 2026-01-06 meeting, the participants had already agreed. To ensure everyone has an opportunity to weigh in, this will serve as a record of the group's decision, one way or another.
>
> The deliverable is available for inspection here:
>
> https://w3c.github.io/threat-modeling-guide/
>
> In response, please state one of the following:
>
> * I support the publishing of the “Threat Modeling Guide”.
> * I do not support the publishing of the “Threat Modeling Guide”, but it's fine if we decide to proceed
> * I object to the adoption of the “Threat Modeling Guide” due to Issues filed in the open issue <#number> of the securityig repository
>
> If there are no further objections, we will confirm the decision by February 21, 2025, at midnight Pacific time.
>
> Just so you know, if the deliverable is published, it will be marked as a First Group Note Draft, which does not imply W3C endorsement.
>
> Please respond by 2026-01-14; at that point, this CfC will be closed.
>
> Thank you,
>
> Simone
>
--
------------------------------------------------------------------------
Dr. Greg M. Bernstein, https://www.grotto-networking.com
Attachments
- application/pgp-keys attachment: OpenPGP public key
Received on Tuesday, 6 January 2026 18:08:41 UTC