Re: ACTION 215: Revisit threat trees

Working on ACTION-173, I'm going through the use case dimensions and
threat trees again.

I wonder to what extent dimensions 2.D and 2.E identify a relevant
distinction.  As phrased in the Wiki at this point, these are about
a "Link provided by an external application", and a "Web link".
Looking at the threat trees, the example given there for a "Link
provided by an external application" is a link in an e-mail.

Now, most of the relevant applications (including e-mail and instant
messaging) could actually be implemented as a Web application and
run in a browser, therefore falling under 2.E, "Web link".

It strikes me that the relevant characteristics aren't really
exposed on the level of 2.D and 2.E, but in the distinctions below
2.E.

Therefore, I'd suggest changing the use case dimensions as follows:

	D. Link
	
	i. from prima facie unrelated machine-readable source
	(e-mail, instant message, advertisement)
	
	ii. from a partner site (e.g. citi.com to accountonline.com)
	
	iii. other

I'm not even sure that this distinction is really needed.

Rachna, Stuart, your thoughts?

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

On 2007-05-18 02:18:55 +0000, Rachna Dhamija wrote:
> From: Rachna Dhamija <rachna.public@gmail.com>
> To: public-wsc-wg@w3.org
> Date: Fri, 18 May 2007 02:18:55 +0000
> Subject: [Moderator Action] ACTION 215: Revisit threat trees
> Old-Date: Thu, 17 May 2007 14:12:44 -0700
> 
> I have added a section to the bottom of the threat trees wiki page
> that lists attacks we might want to include in the tree.  I would encourage
> others to add attacks as well and/or to integrate these into the existing
> tree.
>
> I realize that many attacks are clearly out of our scope (it is easier to
> grow the tree first and prune it later or to mark branches out of scope).
>
> http://www.w3.org/2006/WSC/wiki/ThreatTrees
>
> Rachna

Received on Monday, 21 May 2007 23:09:16 UTC