Frank,

I have posted a tidied up version of a browser threat
model at:

    http://iang.org/ssl/browser_threat_model.html

It's really a start more than anything, there are some
known shortfalls such as no attack tree, and emphasis
on browsing not email.  I don't know what your
timetable for that project is, but please consider this
as one input and use it how you see fit.

One question.  I wonder if you mean in point 9., below,
"security model" rather than "threat model" ?  The
latter is part of the former, and the former, the
security model, is what drives the architecture in
this context.

(I've not been able to find a definition of either, nor
are there any documented models for the HTTPS system
that I know of.)

iang

PS: it's obviously biased (in the extreme?) towards
my world view, and will clash with the world view of
the establishment.  I'm looking forward to their
comments, and their opposing arguments being documented!


PPS: Extract from

http://www.hecker.org/mozilla/ca-certificate-metapolicy/

9. Risks to typical Mozilla users should be assessed
in accordance with a documented threat model based on
the activities in which those users might typically
engage, e.g., online shopping and banking, using other
access-controlled web sites and services, submitting
personal information to companies and government
agencies, exchanging personal email with others,
downloading and installing new software on their
personal systems, and comparable activities.

    Rationale: Risk analysis doesn't make sense in
    the absence of an agreed-upon threat model, and
    that threat model should be based on what users
    are actually doing in practice.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
