- From: Sarven Capadisli <info@csarven.ca>
- Date: Mon, 25 Aug 2025 13:35:27 +0200
- To: public-solid@w3.org, public-dpvcg@w3.org
- Message-ID: <b089ada9-47c5-43a1-bdcd-6e641ecbe83a@csarven.ca>
Hi all,

We've done a threat model of dokieli based on STRIDE as part of our initial security audit. This exercise gave us additional insight into dokieli, and also raised some considerations related to the Solid Protocol.

While deciding on how to best publish the results, entirely out of our own interest and transparency, we thought it'd be cool if we could share the CSV tables of the assessments, risks, and mitigations that we produced in a way that people could read them easily and that we could have them as linked data. This is where we naturally ate our own cooking in dokieli, and went on a side quest to build some new features:

* Importing of CSV files accompanied by their schema metadata based on the CSVW standard. It is also possible to import plain CSVs (without metadata). It outputs a table in HTML+RDFa with the data from the CSV as well as provenance information.
* Enable multiple `open` params in URL.
* Add `graph-view=true` param in URL for any resources, which displays the graph for that resource or set of resources (e.g., https://dokie.li/docs#graph-view=true ).

Since we used our own threat model as an example, we modeled our data using DPV ( https://w3id.org/dpv ) and RISK ( https://w3id.org/dpv/risk ). The provenance-related data uses a bit of PROV-O ( https://www.w3.org/TR/prov-o/ ). It includes some understanding of STRIDE, and we plan to apply LINDDUN next.

See the threat model tables and graph here: https://dokie.li/#open=https://dokie.li/tmp/metadata.json&open=https://dokie.li/tmp/assessments.csv&open=https://dokie.li/tmp/risks.csv&open=https://dokie.li/tmp/mitigations.csv&graph-view=true

We'll also publish a static version of the report.

Here is a 25-second screencast showing the local CSVs and metadata of the dokieli threat model opened and viewed: https://dokie.li/media/video/dokieli-csvw-threat-modeling.webm

We encourage everyone to create a threat model for their own software, then try importing your CSVs and metadata into dokieli, and let us know how it goes.

-Sarven
https://csarven.ca/#i
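An added example (not dokieli's own code) of the CSVW-to-HTML+RDFa step the message describes: a constructed STRIDE-style assessments CSV plus minimal CSVW metadata is rendered as a table whose rows are RDFa subjects and whose cells carry properties, with PROV-O provenance in the caption. The Dublin Core properties, the `#{id}` subject template and the sample rows are this example's assumptions; untrusted CSV cell text is HTML-escaped before it lands in the page.

```python
import csv
import html
import io

PREFIXES = ("dcterms: http://purl.org/dc/terms/ prov: http://www.w3.org/ns/prov# "
            "xsd: http://www.w3.org/2001/XMLSchema#")

# Constructed sample input: three STRIDE-style assessment rows (not the real dokieli data).
# The third row carries angle brackets to show that cell text must be escaped, not trusted.
ASSESSMENTS_CSV = (
    "id,threat,category\n"
    "A1,Forged WebID in a request,Spoofing\n"
    "A2,Unauthorised edit of a document,Tampering\n"
    "A3,Logs retained <indefinitely>,Information disclosure\n"
)

# Minimal CSVW metadata. url/tableSchema/aboutUrl/propertyUrl/columns/name/titles are
# standard CSVW keys; the choice of Dublin Core properties is an assumption of this example.
METADATA = {
    "url": "assessments.csv",
    "tableSchema": {
        "aboutUrl": "#{id}",
        "columns": [
            {"name": "id", "titles": "ID", "propertyUrl": "dcterms:identifier"},
            {"name": "threat", "titles": "Threat", "propertyUrl": "dcterms:description"},
            {"name": "category", "titles": "STRIDE category", "propertyUrl": "dcterms:subject"},
        ],
    },
}

def csvw_to_rdfa(csv_text, metadata, generated_at):
    """Render a CSV plus its CSVW schema as an HTML+RDFa table with PROV-O provenance."""
    schema = metadata["tableSchema"]
    cols = schema["columns"]
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    src = html.escape(metadata["url"])
    out = [f'<table prefix="{PREFIXES}" typeof="prov:Entity">']
    # Provenance: the table is derived from the source CSV and stamped with a generation time
    out.append(f'<caption>Derived from <a property="prov:wasDerivedFrom" href="{src}">{src}</a>, '
               f'generated <time property="prov:generatedAtTime" datatype="xsd:dateTime">'
               f'{html.escape(generated_at)}</time></caption>')
    out.append("<thead><tr>" + "".join(f"<th>{html.escape(c['titles'])}</th>" for c in cols) + "</tr></thead>")
    out.append("<tbody>")
    for row in rows:
        subject = schema["aboutUrl"].format(**row)  # CSVW URI template, e.g. "#{id}" -> "#A1"
        cells = "".join(f'<td property="{c["propertyUrl"]}">{html.escape(row[c["name"]])}</td>' for c in cols)
        out.append(f'<tr about="{html.escape(subject)}">{cells}</tr>')
    out.append("</tbody></table>")
    return "\n".join(out)
```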
Attachments
- application/pgp-keys attachment: OpenPGP public key
Received on Monday, 25 August 2025 11:35:34 UTC