Label: security-needs-resolution (Issue the security Group has raised and looks for a response on.)
This issue refers to the security review requested in this issue w3c/security-request#71
Structuring the Security Considerations section along the lines of RFC 3552 and as discussed in w3c/security-request#71 (comment).
- Introduction: a brief description of the security impact of the feature and the assets to be protected.
- Security Assumptions: paraphrasing what is described in the Common Criteria, section 7.1.4, assumptions are those elements that are considered true about the operating environment of the feature (e.g., C2PA's Assumptions).
- Attacks/Threats: a list of attacks or threats, each with a title and a brief description (e.g., Vibration API 2024-06-28 > 2024-09-20, security-request#71 (comment)). For each attack/threat:
  - Mitigations/Countermeasures:
    - If it is in-scope: title and description of the countermeasures, referring to the specific section in which it is described. If the group decided not to apply any mitigation/countermeasure to the Attack/Threat, write a rationale for accepting that risk (business justification).
    - If it is out-of-scope: describe why.
  - Residual Risk: the risk that remains after the countermeasures have been applied.
If there are any doubts, we remain available.
Thank you