W3C

– DRAFT –
Threat Modeling @ W3C

25 September 2024

Attendees

Present
Bert, ChrisLilley, reillyg, simone, tzviya8
Regrets
-
Chair
Simone Onofri
Scribe
reillyg

Meeting minutes

Slideset: https://docs.google.com/presentation/d/1zauMqnZ_e0U3JlNe3bCJacNh9h1VOkBX4_UynjqvQeg/edit#slide=id.g303b479e16d_0_15


[Slide 1]

simone: Earlier today we were trying to threat model the Digital Credentials API. Here we're going to discuss threat modeling in general.

[Slide 2]

[Slide 3]

[Slide 4]

[Slide 5]

simone: I have a threat of dropping my phone, so I use a rugged cover. I have a threat of shoulder surfing, so I use a privacy screen.


[Slide 6]

[Slide 7]

[Slide 8]

<ChrisLilley> Security and Privacy section*s*

[Slide 9]

[Slide 10]

[Slide 11]

[Slide 12]


[Slide 13]

simone: What is the best model? It depends on what we're trying to do!

[Slide 14]


[Slide 15]

[Slide 16]

[Slide 17]

[Slide 18]

[Slide 19]

[Slide 20]

[Slide 21]

[Slide 22]

simone: It can be difficult to switch your mind to the attacker's perspective.

[Slide 23]

[Slide 24]

[Slide 25]

[Slide 26]

[Slide 27]

?, you mention authentication. Is authorization rolled into that?

simone: In OSSTMM, yes.
… This was an important question because words may have different meanings for different people.

[Slide 28]

[Slide 29]

[Slide 30]

[Slide 31]

[Slide 32]

[Slide 33]

simone: For example, w3c/security-request#71 (comment)

[Slide 34]

[Slide 35]

[Slide 36]

[Slide 37]

[Slide 38]

[Slide 39]

?, how does third party risk from software ecosystems fit into what you've discussed?

? is Susan

simone: I used to work in threat response. Absolutely (gives recent examples).
… A threat actor will just ignore your threat model if it allows an attack.

Maxim: Who gets to decide what is out of scope (e.g. malware vs. WebAuthn)?

simone: These are areas where there's ongoing work.
… Sometimes the mitigation is in a different group, or requires a completely different approach.
… E.g. Passkeys were designed to remove passwords because if you don't have a password it can't be phished.

reillyg: In the malware example, it creates so many other problems that trying to mitigate it in just one place is unhelpful.

Minutes manually created (not a transcript), formatted by scribe.perl version 229 (Thu Jul 25 08:38:54 2024 UTC).

Diagnostics


Maybe present: Maxim

All speakers: Maxim, reillyg, simone

Active on IRC: Bert, ChrisLilley, reillyg, simone, tpac-breakout-bot, tzviya8