TomHennen opened 4 weeks ago
I don't think this is quite right. In examples 1 and 2 the threat described is that an existing attestation is tampered with; the mitigation described detects these problems because the attacker cannot modify the valid attestations without invalidating the expected signatures.
However, I think 'example 3' should probably be captured in a threat by itself, as that deals with expectations mismatching, which is usually captured elsewhere.
Threat: Issue an attestation that purposefully misrepresents the subject.
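
The distinction drawn in the comment above, as an added example that is not part of the original issue or the SLSA project's code: a tampered attestation fails signature verification, while a validly signed attestation that does not match what the verifier expects passes the signature check and is caught only by a separate expectations check. Assumptions: an HMAC with a constructed key stands in for the builder's signature, the envelope keeps the payload as raw bytes instead of base64, and the builder IDs, artifacts and function names are constructed for illustration.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the builder's signing key
PTYPE = "application/vnd.in-toto+json"
BUILDER = "https://builder.example/trusted"  # constructed builder ID

def pae(payload_type: str, body: bytes) -> bytes:
    # DSSE pre-authentication encoding: the exact bytes covered by the signature
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)

def make_statement(artifact: bytes, builder: str) -> dict:
    # Minimal in-toto statement carrying a SLSA provenance predicate
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "app.tar.gz",
                         "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
            "predicateType": "https://slsa.dev/provenance/v1",
            "predicate": {"runDetails": {"builder": {"id": builder}}}}

def sign(statement: dict) -> dict:
    body = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(KEY, pae(PTYPE, body), hashlib.sha256).hexdigest()
    return {"payloadType": PTYPE, "payload": body, "sig": sig}

def verify(env: dict, artifact: bytes, expected_builder: str) -> str:
    # Step 1: integrity. Any change to the signed bytes is detected here.
    want = hmac.new(KEY, pae(env["payloadType"], env["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, env["sig"]):
        return "bad-signature"
    # Step 2: expectations. A valid signature says nothing about these.
    st = json.loads(env["payload"])
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s["digest"].get("sha256") == digest for s in st["subject"]):
        return "expectation-mismatch: subject"
    if st["predicate"]["runDetails"]["builder"]["id"] != expected_builder:
        return "expectation-mismatch: builder"
    return "ok"

def tamper(env: dict, old: bytes, new: bytes) -> dict:
    # Rewrite the subject digest in an existing envelope without re-signing
    a, b = (hashlib.sha256(x).hexdigest().encode() for x in (old, new))
    return dict(env, payload=env["payload"].replace(a, b))

if __name__ == "__main__":
    art, other = b"release contents (constructed)", b"other contents (constructed)"
    good = sign(make_statement(art, BUILDER))
    print(verify(good, art, BUILDER))
    print(verify(tamper(good, art, other), other, BUILDER))
    print(verify(sign(make_statement(other, BUILDER)), art, BUILDER))
```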