- From: Rachna Dhamija <rachna.w3c@gmail.com>
- Date: Tue, 19 Jun 2007 15:37:20 -0700
- To: "Doyle, Bill" <wdoyle@mitre.org>
- Cc: public-wsc-wg@w3.org
- Message-ID: <20abbc510706191537v3f7124c3r6e47354795458cec@mail.gmail.com>
Bill, I think that re-categorizing the vulnerabilities or attacks in this way might make sense. Right now, I am having a hard time understanding what is in and out of scope. Do you have any concrete suggestions (channeling Mez here) on how to re-categorize or prioritize the vulnerabilities?

You recently proposed that we should have an assumptions section. I think that going through the process of writing one would help a lot. For example, we assume that the browser is not compromised. Do we also assume that the user is visiting a website that has not been compromised?

Rachna

On Jun 12, 2007, at 11:40 AM, Doyle, Bill wrote:

Sorry for the delay. M2C is that threats due to flaws in code, OS, network or application design should be separated from vulnerabilities due to limitations of the environment itself. Threats due to flaws in code and in use by OS, network, User Agent, GUI are often fixed or due to be fixed by a patch.

Since many of the vulnerabilities are out of scope, maybe the WSC WG could decide on a subset of tests that are important and the priority of the tests to run. It could be interesting to see if a specific recommendation enables a user to retain a secure posture in the event of DNS poisoning, but is this the first test that should be run?

Bill D.

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Rachna Dhamija
Sent: Monday, June 04, 2007 7:55 PM
To: public-wsc-wg@w3.org
Subject: ACTION 215: Revisit threat trees

It would be helpful if people could look over the threat trees before or during the next call: http://www.w3.org/2006/WSC/wiki/ThreatTrees
Received on Wednesday, 20 June 2007 05:42:58 UTC