[OLPC Security] Re: Periodic identity updates

frumioj at mac.com frumioj at mac.com
Mon Feb 26 08:04:41 EST 2007


Most security-oriented specifications with which I am familiar usually
discuss both a threat model (and mitigations for threats) and a list of
areas which are known not to be covered by the security measures listed.

The intent of security specifications (in my opinion) is to pick a
particular threat model and present mitigations for that threat model. I
think that's what Bitfrost is doing. It seems, however, that there are
threats that are already known not to be covered by the specification,
and an assumed domain model for the entities secured (or not) by the
specification. I am arguing that the domain model and the known
uncovered threats should be explicitly listed, either in the
specification or in the FAQ, to avoid pointless discussion on the email
list.

I don't believe that gives attackers a whole lot more to work with - a
security specification cannot cover all possibilities, and a determined
attacker will know that. Public scrutiny of the specification will make
the specification better - explicit listing of non-goals is simply
making existing information a bit more public than its appearing in a
public mail-list.

Regards,

- John

Frank Ch. Eigler wrote:
> frumioj at mac.com writes:
> 
>> I wasn't suggesting that any unknown universe of negatives be
>> enumerated; rather that /known/ "non-goals" of the specification are
>> noted somewhere explicitly [...]
> 
> One problem with explicitly listing some "non-goals" is that they are
> tantamount to assumptions about parts of the overall system.  (Say,
> "We don't address possible screwups in domain X." roughly implies "We
> assume that domain X will not screw up".)  That in turn provides a
> focal point for an attacker to undermine the system ("Hey, let's try
> to subvert X!").  So, in a way, listing the "non-goals" could be
> self-defeating.
> 
> - FChE
