Structuring the security considerations section

[simoneonofri]

This issue refers to the security review requested in this issue https://github.com/w3c/security-request/issues/71

Structuring the Security Considerations section along the lines of RFC 3552 and as discussed in https://github.com/w3c/security-request/issues/71#issuecomment-2440005127.

• Introduction: a brief description of the security impact of the feature and assets to be protected.
• Security Assumptions: paraphrasing what is described in the Common Criteria, section 7.1.4, assumptions are those elements that are considered true about the operating environment of the feature (e.g., C2PA's Assumptions).
• Attacks/Threats: list of attacks or threats with title and a brief description (e.g., https://github.com/w3c/security-request/issues/71#issuecomment-2307483632). For each attack/threat:
  • Mitigations/Countermeasures:
    • If it is in-scope: title and description of the countermeasures, referring to the specific section in which it is described. If the group decided not to apply any mitigation/countermeasure to the Attack/Threat, write a rationale for accepting that risk (business justification).
    • If it is out-of-scope: describe why.
  • Residual Risk: after the application(e.g., https://github.com/w3c/security-request/issues/71#issuecomment-2349865890).

If there are any doubts, we remain available.

Thank you

[cc'ing @anssiko, @himorin, @KimCerra]

[anssiko]

Thank you @simoneonofri. I'd also note the group's prior work in this space: the Generic Sensor API and Compute Pressure API threats and mitigations. To be updated based on learnings from this restructuring exercise.

[anssiko]

Status update: the group's imminent plan is to publish a new CRS and incorporate restructured security considerations in a subsequent specification update. The group is committed to work closely with @simoneonofri and other security experts to help dogfood emerging guidelines for writing security considerations for W3C specs (a la RFC 3552) as outlined in this issue.