Closed bslassey closed 1 year ago
Protect content in transit on relay server - confidentiality (encrypt content stored on relay), integrity (impersonation attacks by storing malicious content - protect by device attestation at the time of creation) and availability - introduce measures against denial of service - protect the webapp on the network level.
This may came a bit vague, if you could suggest a better wording, it would be very much appreciated!
@dimmyvi do you have a threat model document that we can work off of here?
Yes, we have a review tomorrow with security team and will publish it - probably in a day. Will add a link to it here. Do you feel it needs to be a separate document or shall it be appended to the requirement draft?
Thanks, I look forward to reading it.
We added a threat model draft, still adding content to it: https://github.com/dimmyvi/tigress-sample-implementation/blob/main/draft-tigress-sample-implementation.md
Hi Brad, I finished updating the threat model document, planning to publish it tomorrow (5 November) on Datatracker. If you could review and provide feedback, I'd very much appreciate it
Sample solution and threat modeling document has been published on Datatracker. link is here: https://datatracker.ietf.org/doc/draft-tigress-sample-implementation/01/ I f noone objects, we can close this issue..
I don't think publishing the security model resolves this, but it is an important step in getting a shared understanding of the security requirements such that they can be described accurately in this doc.
Apologies for not being able to review the security model yet, it is on my to-do list.
this was addressed in a new requirements document with sample implementations was published on 17 Feb. We can close the issue
It is unclear to me what this requirement is trying to say. What are the threats we're trying to protect against?