- From: Simone Onofri <simone@w3.org>
- Date: Sun, 29 Mar 2026 15:55:44 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: public-security@w3.org, public-privacy@w3.org
> On 29 Mar 2026, at 15:36, Manu Sporny <msporny@digitalbazaar.com> wrote:
>
> On Sun, Mar 29, 2026 at 6:06 AM Simone Onofri <simone@w3.org> wrote:
>> For now, a common approach for review (I was reading the Privacy documentation, too) is precisely to understand the use cases (which are in the first sections of a specification), and then to use as a driver the security considerations sections to understand what the threats are and how they are managed, according to where the data pass (which is why one or more diagrams are useful).
>
> Thanks for the information, Simone. Unfortunately, it doesn't answer
> my question concretely. I'm not looking for a "you can do this, or you
> can do that" sort of response. I want to know what the review criteria
> are for new specifications going through the W3C Process.
>
> Is there an option to drop the Privacy and Security Considerations
> sections in lieu of a Threat Model?

Hi Manu,

OK, thanks for the feedback. I will try to answer you :)

From what the Security and Privacy Questionnaire [1] says, we need to have Security and Privacy Considerations sections in the standard, and they must contain what is defined in RFC 3552 section 5 (section 2.16).

My reasoning was about how to structure and generate the content in a usable manner, as well as provide a rationale. The questionnaire always says it's convenient to do it with a Threat Model (section 3), and if this is made explicit somewhere (within the section or in a separate document, at the discretion of the group), it facilitates and expedites reviews.

Note that in RFC 3552 a (rather simple but effective) Internet Threat Model is made explicit within the document itself, and it is easy to refer to, whereas the Web one is more complex, which is why we have been working on it in the Threat Model for the Web and the Threat Modeling Guide.

Happy to hear your opinion,

Simone

[1] https://www.w3.org/TR/security-privacy-questionnaire/#considerations

> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>
Received on Sunday, 29 March 2026 13:56:19 UTC