republique-et-canton-de-geneve / chvote-1-0

The Geneva electronic vote system, version 1.
https://republique-et-canton-de-geneve.github.io/chvote-1-0
GNU Affero General Public License v3.0

consider publishing the threat model #17

Open kaworu opened 7 years ago

kaworu commented 7 years ago

from https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/docs/system-overview.md#threat-assessment:

The threats to the evoting system are modeled and rated, and include attacker profiles from outside and inside the organization. Furthermore, the abuse cases are built and maintained.

I believe it would be very welcome to have the threat model published along with the system overview documentation. While the architecture and code seem well documented, the motivations driving the security design are crucial and mostly missing.

This would lead to a more efficient and smooth collaboration with the community, allowing security review to focus on the most critical (publicly available) parts of the system depending on the rating and priorities.

For example, #15 raises interesting questions regarding the passwords. Humans are notoriously bad at picking good passwords (especially repeatedly), and there is a consensus that arbitrary composition rules are near useless (humorously depicted in https://xkcd.com/936/). It is then understandable that this topic raises concern. But if, overall, the passwords are low-priority targets in the threat model, and this is clearly stated, then a lengthy discussion about them may be avoided, saving everyone's time and energy.

chvote-etat-de-geneve commented 7 years ago

The public and rather general threat model is published in the Swiss Federal Chancellery ordinance on Electronic Voting, chapter 3.1.

We have a more detailed threat model used for our risk assessments, but it covers far more than just the offline administration application, and we cannot publish it as it covers parts other than the published component that must legally remain confidential. Furthermore, it is currently written only in French. Publishing only parts of it would not make sense either, because of common references between the published component and still-confidential components.

We will, however, take your issue seriously in our future developments, keeping in mind that such information is mandatory for an efficient collaboration.