I have posted a tidied-up version of a browser threat model at:
http://iang.org/ssl/browser_threat_model.html
Thanks for posting this. Whether people agree with your conclusions or not, I think it is valuable to discuss this stuff.
It's really a start more than anything; there are some known shortfalls, such as no attack tree, and emphasis on browsing, not email. I don't know what your timetable for that project is, but please consider this as one input and use it how you see fit.
Note that for a full treatment we really need to consider email and downloading executable code as well, since those are the other two major uses for certificates in the context of Mozilla and related software.
One question. I wonder if you mean in point 9, below, "security model" rather than "threat model"? The latter is part of the former, and the former, the security model, is what drives the architecture in this context.
I am but a mere amateur when it comes to the subject of security terminology. I'm willing to accept the judgement of the people on this forum as to what exactly I should be calling the things we need here, and what exactly they should address.
PS: it's obviously biased (in the extreme?) towards my world view, and will clash with the world view of the establishment. I'm looking forward to their comments, and their opposing arguments being documented!
I'm going to go back and look in the newsgroup archives for previous postings addressing threat models (or security models, whatever). Some things I've found so far include Nelson's posting "On a crypto security threat model for mozilla users":
http://www.google.com/groups?selm=c0mp01%24cip1%40ripley.netscape.com&output=gplain
and John Meyers' posting in a thread Nelson started about "On criteria for trusting public root CAs":
http://www.google.com/groups?selm=9dadnUFVDPKtVbTdXTWc-g%40speakeasy.net&output=gplain
There are more useful comments in these threads and others.
What I am really looking for is something nice and crisp that would be brief enough to include in the policy details FAQ. If we have to make this security/threat model thing a whole separate document then I can live with that, but the document has to be a consensus document since it will be published under Mozilla Foundation auspices; I can't just point to your threat model document or anyone else's.
Frank
-- Frank Hecker
