
Write down a threat model for Jelly #26

Open
Ostrzyciel opened this issue Feb 21, 2025 · 0 comments
Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request), security

Comments

@Ostrzyciel (Member)

Recommended reading: https://owasp.org/www-community/Threat_Modeling

I've recently received some feedback on the lack of security considerations in the Jelly spec, and that it doesn't have a threat model. That's fair.

While I did design and implement Jelly with security in mind, I admit I did not have the time to prioritize documenting this. I've partially resolved it by adding a section on security considerations to the spec (PR, documentation).

But this is not a full threat model. I think that making one is a worthwhile effort, if Jelly is to get broader adoption. It could become a big advantage of the protocol, especially because RDF serializations from W3C have a rather relaxed approach to security, and the other binary serializations... well, I didn't find any security considerations for them.

The threat model should be attached to the spec as a separate document, but the meaningful recommendations for implementers should be in the security appendix (just like we have them now).

@Ostrzyciel Ostrzyciel added documentation Improvements or additions to documentation enhancement New feature or request security labels Feb 21, 2025