RE: ACTION 215: Revisit threat trees

Anything that is Network and OS is out. User Agent attacks are up for
further review.
 
Cisco has a good write-up of a number of attacks that seem to be in
scope. They also seem to have a product that may provide some level of
user security against this class of attacks.
 
http://www.cisco.com/en/US/products/ps6120/tsd_products_security_response09186a008073f7b3.html
 
 
B
 
 
 


________________________________

	From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Rachna Dhamija
	Sent: Tuesday, June 19, 2007 6:37 PM
	To: Doyle, Bill
	Cc: public-wsc-wg@w3.org
	Subject: RE: ACTION 215: Revisit threat trees
	
	
	Bill, 
	
	I think that re-categorizing the vulnerabilities or attacks in
this way might make sense.  Right now, I am having a hard time
understanding what is in and out of scope.  Do you have any concrete
suggestions (channeling Mez here) on how to re-categorize or prioritize
the vulnerabilities? 
	
	You recently proposed that we should have an assumptions
section - I think that going through the process of writing one would
help a lot.  For example, we assume that the browser is not
compromised.  Do we also assume that the user is visiting a website
that has not been compromised? 
	
	Rachna
	
	On Jun 12, 2007, at 11:40 AM, Doyle, Bill wrote:
	
	Sorry for the delay.
	 
	M2C is that threats due to flaws in code, OS, network or
application design should be separated from vulnerabilities due to
limitations of the environment itself. Threats due to flaws in code and
in use by OS, network, User Agent, GUI are often fixed or due to be
fixed by a patch. Since many of the vulnerabilities are out of scope,
maybe the WSC WG could decide on a subset of tests that are important
and priority of the tests to run. It could be interesting to see if a
specific recommendation enables a user to retain a secure posture in
the event of DNS poisoning, but is this the first test that should be
run?
	 
	Bill D.
	 
	 
	From: public-wsc-wg-request@w3.org
[mailto:public-wsc-wg-request@w3.org] On Behalf Of Rachna Dhamija
	Sent: Monday, June 04, 2007 7:55 PM
	To: public-wsc-wg@w3.org
	Subject: ACTION 215: Revisit threat trees
	
	It would be helpful if people could look over the threat trees
before or during the next call:
	http://www.w3.org/2006/WSC/wiki/ThreatTrees
	

Received on Sunday, 24 June 2007 23:17:02 UTC