Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ig/security] Add a concrete threat model for the Web to the deliverables. #583

Open
wants to merge 1 commit into
base: gh-pages
Choose a base branch
from
Open

[ig/security] Add a concrete threat model for the Web to the deliverables. #583

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 20 additions & 2 deletions 2024/ig-security.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@ <h1 id="title">PROPOSED Security Interest Group Charter</h1>
<td>
See the <a href="https://www.w3.org/groups/ig/@@/charters">group status page</A> and <a href="#history">detailed change history</a>.
</td>
</tr>
</tr>
<tr id="Duration">
<th>
Start date
Expand Down Expand Up @@ -186,6 +186,24 @@ <h2>
In joint with W3C's <a href="https://www.w3.org/2001/tag/">Technical Architecture Group (TAG)</a> and <a href="https://www.w3.org/groups/ig/privacy/">PING</a>, with a specific focus on Security aspect.
</p>
</dd>
<dt id="TM" class="spec">
A Threat Model for the Web
</dt>
<dd>
<p>
A description of the Web's threat model, which new specifications need to maintain.
This threat model may include goals that have not yet been achieved across the whole
web platform, but which will still be enforced in reviews of new and changed
specifications. This will be developed with input from other relevant groups such as
the TAG, PING, WebAppSec, and the <a
href="https://www.w3.org/groups/cg/tmcg/">Threat Modeling Community Group</a>.
</p>
<p><b>Potential input documents:</b></p>
<ul>
<li><a href="https://chromium.googlesource.com/chromium/src/+/master/docs/security/web-platform-security-guidelines.md">Chromium Web Platform Security guidelines</a></li>
<li>The <a href="https://xsleaks.dev/">XS-Leaks Wiki</a></li>
Comment on lines +201 to +204
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally the charter would list a few more input documents from outside of Chromium's orbit. These are just the documents I had handy.

<ul>
</dd>
<dt id="TMG" class="spec">
Threat Modeling guide
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if the concrete threat model should replace this general guide. If this IG is meant to subsume the Threat Modeling CG, then the guide should definitely remain one of this group's deliverables, but otherwise maybe the CG should be the sole owner, and this group should just be willing to schedule some discussion time for it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think that there are different things, one more generic and another one tied to the web platform

</dt>
Expand Down Expand Up @@ -220,7 +238,7 @@ <h3>
<li>Primer or Best Practice documents to support web security when designing standards and applications.</li>
</ul>
</section>

<section id="success-criteria">
<h2>Success Criteria</h2>
<ul>
Expand Down