Re: Threat Trees

> Thanks Stuart. I'd like to put this on the agenda for our next meeting.
> Will you be there and able to lead discussion?

   I can be there.  I think the primary discussion items would be
   1) What's missing from the use cases/tree?
   2) What's in and out of scope?
   3) Is this useful?

   I'm fine with folks adding items to the tree or editing it since it's
easy to track the changes.  Hopefully, we can get that out of the way before
the meeting, focus on questions of scope, and then decide whether having the
use cases and trees in these forms is useful enough to continue with the
current structure.
 
> It's a bit of a nit (or not, depending on how you look at it), but for:
>> Bookmark or other relationship stored in browser or OS
> As we've discussed several times, we shouldn't assume the user agent is a
> browser. 

   I don't know what you mean by user agent---it's an awfully generic term
and so I was unable to put it in the glossary without knowing what it was
meant to imply.

   If you are saying that not all web clients are web browsers, as defined
in the glossary, then I'd agree.  The use cases should be inclusive of all
possibilities, rather than excluding those that are not always possible.
Thus, I'd be more concerned if one source of a link was the source code of a
scripted agent and you thought this was worth including.

>> Email link 
> I'm not convinced that's general enough. I can think of at least one other
> data push application that's not the web - instant messaging.

  OK.  I've updated the new use case structure for that.  I'm fine with
anyone editing the document---it's easy enough to see who changed what.

> Related to that, the web link categories don't seem to encapsulate the
> social networking/user data aspects of web links (like blogs).

   Is there a motivation for encapsulating this information?  We can delve
into more detail in any of a number of areas.  Doing so adds complexity.
So, before we enumerate those details we should ask whether doing so will
make salient some information that would not have been clear otherwise.

Received on Wednesday, 14 March 2007 13:22:35 UTC