index.html

<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="UTF-8">
  <meta content="width=device-width" name="viewport">
  <title>Threat Modeling for Decentralized Identity @ W3C</title>
  <link rel="stylesheet" href="https://www.w3.org/Talks/Tools/Shower3-1/slides.css">
  <script src="https://www.w3.org/Talks/Tools/Shower3-1/shower.js" type="text/javascript"></script>
  <style>
    .slide .icon-block {
      display: block;
      position: relative;
      padding: 0 0 0 4em;
      line-height: 1.5;
      min-height: 3em
        /* 2 lines */
    }

    .slide .icon-block>.icon {
      position: absolute;
      font-size: 1.8em;
      text-align: center;
      top: 0;
      left: 0;
      width: 1.5em;
      height: 1.5em;
      margin: 0;
      object-fit: cover
    }

    .slide li.icon-block {
      margin-left: 0;
      list-style: none
    }

    .slide li.icon-block::before {
      content: none
    }

    dd {
      margin-left: 2em;
    }

    .text-right {
      text-align: right;
    }

    #members {
      border-collapse: collapse;
    }

    #members td,
    #members th {
      border: 1px solid;
    }

    #members td {
      vertical-align: top;
    }

    .spaced {
      margin-top: 3em;
    }

    .spaced>li {
      margin-top: 1em;
    }

    /* one item on 2 columns */
    .two-columns {
      column-count: 2;
      column-gap: 1.2 rem;
    }

    /* 2x1 grid */
    .grid2 {
      display: grid;
      gap: 1.2rem;
      grid-template-columns: 1fr 1fr;
      place-items: center center;
    }

    /* 1+2 grid */
    .grid12 {
      display: grid;
      gap: 1.2rem;
      grid-template-columns: 1fr 2fr;
      place-items: center center;
    }

    figure {
      margin: 10px;
    }

    /* 3x1 grid */
    .grid3 {
      display: grid;
      gap: 0rem;
      grid-template-columns: 1fr 1fr 1fr;
    }

    .grid3 h4 {
      text-align: center
    }

    .grid3 h4.green {
      color: rgba(124, 181, 84);
    }

    .grid3 h4.blue {
      color: rgba(65, 131, 215);
    }

    .grid3 div {
      padding: 5px;
      border-radius: 20px;
    }

    .grid3 div.green {
      background: rgba(124, 181, 84, 0.2);
      border: 1px solid rgba(124, 181, 84, 0.5);
    }

    .grid3 div.blue {
      background: rgba(65, 131, 215, 0.2);
      border: 1px solid rgba(65, 131, 215, 0.5);
      padding: 20px;
    }

    /* 2x2 grid */
    .grid4 {
      display: grid;
      gap: 1.2rem;
      grid-template-columns: 1fr 1fr;
      grid-template-rows: 20vh 20vh;
      place-items: center center;
    }

    .grid2 *,
    .grid4 * {
      max-width: 100%;
    }

    .grid2 * {
      max-height: 350px;
    }

    .grid4 * {
      max-height: 175px;
    }

    figcaption {
      text-align: center;
      font-size: 0.8em;
      color: blue;
    }
    .slide.cover address {
      font-family: My Gill Sans;
    }
    .todo {
      background-color: yellow;
    }
    .center {
      text-align: center;
    }
  </style>
</head>

<body class="shower">
  <div class="progress">
    <!-- Remove this element if you don't want a progress bar -->
  </div>

  <section class="slide cover clear" id="start">
    <h1>Threat Modeling for Decentralized Identities @ W3C</h1>
    <p>September 6th, 2024</p>
    <address style="font-size: medium">
      Simone Onofri<br>
      <span style="font-size: small;">W3C Security Lead</span><br>
      WeChat: wxid_3hq0pclnrhr512<br>
      Email: simone@w3.org<br>
    </address>
  </section>
  <!-- Introduction -->
  <section class="slide">
    <h1>Who am I?</h1>
    <ul class="spaced">
      <li>W3C <a href="https://www.w3.org/mission/security/">Security</a> Lead <span lang="cn">安全标准领域负责人</span> since 2024
        <ul>
          <li>Staff Contact for Web Application Security, Web Authentication, Federated Identity Working Groups, and <i>proposed</i> Security Interest Group</li>
          <li>Co-Chair of <em>Threat Modeling Community Group</em></li>
        </ul>
      </li>
      <li>I was in W3C in 2006 for the Semantic Web Deployment Working Group</li>
      <li>But in general, I am Security Geek since 2004 (and before) for Red Teaming, Blue Teaming, Security Research, etc...</li>
      <li><em>I care about a secure Web</em></li>
    </ul>
  </section>

  <section class="slide side right">
    <h1>World Wide Web Consortium 万维网联盟</h1>
    <img class=side src="https://www.w3.org/comm/assets/graphics/w3c-composition.png" alt="W3C composition">
    <ul style="font-size: 80%;">
        <li>Founded in 1994 by Tim Berners-Lee, who was Director until June 12, 2023 由 Tim Berners-Lee 于 1994 年创立，并担任董事至 2023 年 6 月 12 日</li>
        <li>Over 500 technical Web standards<!-- https://www.w3.org/standards/stats/?startdate=1994-10-01&enddate=2024-08-29 -->,<br>480 in progress 约480份开发中的标准 <!-- https://w3c.github.io/spec-dashboard/report.html --></li>
        <li>Consensus-driven process 由共识驱动的流程, <br>Royalty-Free patent policy 免版税专利政策</li>
        <li>Over 350 Members 超过 350个成员单位</li>
    </ul>
  </section>

  <!-- Decentralized Credentials Threat Model -->
  <section class="slide">
      <h1>What is Threat Modeling?</h1>
      <ul>
        <li>Threat Modeling is a <strong>family of structured, repeatable processes</strong> that allow us to make <strong>rational decisions</strong> to secure applications, software, and systems (Shostack, 2014).</li>
        <li>During Threat Modeling, <strong>we can anticipate potential threats</strong>, such as vulnerabilities or absence of controls, and prioritize the mitigations (OWASP).</li>
        <li>It is a form of risk assessment that <strong>models aspects of the attack and defense</strong> sides (NIST SP 800-53 Rev. 5, NIST SP 800-154).</li>
      </ul>
    </section> 

  <section class="slide">
    <h2>Why Threat Modeling for Digital Credentials?</h2>
    <ul>
      <li>At W3C, we use Threat Modeling to analyze standards and write the <a href="https://www.w3.org/TR/security-privacy-questionnaire/">security and privacy considerations</a> sections.</li>
      <li>When members proposed the standardization of the <a href="https://github.com/w3c/strategy/issues/450">Digital Credentials API</a>, members requested a <a href="https://github.com/w3c/strategy/issues/458">comprehensive threats analysis</a> because the API will mediate in the Browser high-assurance and government-issued credentials.</li>
      <li>Therefore, we created the <a href="https://www.w3.org/groups/cg/tmcg/">Threat Modeling Community Group</a> open to all to discuss the various threats.</li>
      <li>We started a generic 'meta' model, not only on the API, that can also be used as a starting point by any <abbr title="Standards Development Organizations">SDOs</abbr>, Governments, and Implementers.</li>
    </ul>
  </section>

  <section class="slide">
    <h1>How are we doing Threat Modeling?</h1>
    <p>We are using the "<a href="https://github.com/adamshostack/4QuestionFrame">Four Questions Frame</a>":</p>
    <ul>
      <li><strong>What are we working on?</strong><br>(understanding scope, architecture, actors, data flows, etc...)</li>
      <li><strong>What can go wrong?</strong><br>(understanding threats, threat actors, attacks, etc...)</li>
      <li><strong>What are we going to do about it?</strong><br>(Identifying and prioritizing countermeasures, residual risk, etc...)</li>
      <li><strong>Did we do a good job?</strong><br>(reiterating until we are happy with the result)</li>
    </ul>
  </section>
  
  <section class="slide">
    <h1>What are we working on?<br><strong>Architecture</strong></h1>
    <p>We started from the <a href="https://www.w3.org/TR/vc-data-model-2.0/">Verifiable Credentials Data Model (VCDM)</a> to identify main Actors, Data Flows, and Data to protect.</p>
    <figure class="center">
      <img src="https://www.w3.org/TR/vc-data-model-2.0/diagrams/ecosystem.svg">
      <figcaption>The actors and data flows of VCDM</figcaption>
    </figure>
  </section>

  <section class="slide">
    <h1>What are we working on?<br><strong>Actors and Data Flows</strong></h1>
      <ul>
        <li>We have an <strong>Issuer</strong>, which issues the <i>Verifiable Credential</i> to the <i>Holder</i> and manages the status (e.g., revocation).</li>
        <li>We have a <strong>Holder</strong>, who stores the <i>Verifiable Credential</i> in a <i>Wallet</i>, and send the <i>Verifiable Presentation</i> to a <i>Verifier</i>.</li>
        <li>We have a <strong>Verifier</strong>, who verifies the <i>Holder</i>'s <i>Verifiable Presentations</i> to give access to a resource or a service.</li>
        <li>We also have a <strong>Verifiable Data Registry (VDR)</strong>, which stores <i>identifiers</i> and schemas.</li>
      </ul>
  </section>

  <section class="slide">
    <h1>What are we working on?<br><strong>Exchanged Data</strong></h1>
    <ul style="font-size: 80%">
      <li><strong>Verifiable Credentials</strong> (created by the Issuer):
        <ul>
          <li>Metadata: of the Credentials (e.g., reference to the issuer, the validity date)</li>
          <li>Claim(s): one or more assertions where a characteristic of a subject is described, in a specific <em>format</em> (e.g., Alice is a citizen of a certain state).</li>
          <li>Proof(s): <em>cryptographic</em> proof of the integrity of the credential, typically via a digital signature.</li>
        </ul>
      </li>
      <li><strong>Verifiable Presentations</strong> (created by the Holder):
        <ul>
          <li>Metadata: of the Presentation</li>
          <li>Verifiable Credential(s): data from multiple Verifiable Credentials in the form of additional claims.</li>
          <li>Proof(s): <em>cryptographic</em> proof of the integrity of the credential, typically via a digital signature.</li>
        </ul>      
      </li>
    </ul>
    <p class="note">From a Threat Modeling perspective: we have cryptography, formats, serialization, <a href="https://www.w3.org/TR/rdf-canon/">canonicalization</a>, identifiers, revocation methods, etc...</p>
  </section>

  <section class="slide">
    <h1>What are we working on?<br><strong>Identifiers</strong></h1>
    <ul>
      <li>Talking about <strong>identifiers</strong>, we mainly refer to the Decentralized Identifiers (DIDs), an identifier technology based on cryptography that empowers the user to control their data and and usage.</li>
      <li>DIDs methods can rely on various technologies, including blockchains, the web, InterPlanetary File System (IPFS), and Domain Name System (DNS).</li>
    </ul>
    <p class="note">From a Threat Modeling perspective: <em>each DID method needs it is own Threat Model</em> (e.g., <code>did:web</code> may calls home, <code>did:btcr</code> may have correlation)</p>
  </section>

  <section class="slide">
    <h1>What can go wrong?<br><strong>Mnemonic Threat Lists</strong></h1>
    <q>One effective though inefficient approach to threat modeling is to cycle the various lists to understand how they may affect the model</q>
    <ul>
      <li><strong>STRIDE</strong> <i>(Security Threats)</i>: Spoofing, Tampering, <em>Repudiation</em>, Denial of service, Escalation of privileges</li>
      <li><strong>LINDDUN</strong> <i>(Privacy Threats)</i>: Linking, Identifying, <em>Non-Repudiation</em>, Detecting, Data Disclosure, Unawareness, Non-Compliance</li>
    </ul>
    <p class="note">Note: <strong>Repudiation</strong> is a Security Threat, and its negation <strong>Non-Repudiation</strong>, is a Privacy Threat.</p>
  </section>

  <section class="slide">
    <h1>What can go wrong?<br><strong>Other lists</strong></h1>
    <ul>
     <li><strong>Open Source Security Testing Methodology Manual (OSSTMM)</strong> <i>(Controls)</i>: Authentication, Indemnification, Resilience, Subjugation, Continuity, <em>Non-Repudiation</em>, Confidentiality, <em>Privacy</em>, Integrity, Alarm</li>
     <li><strong>RFC 3552</strong> <i>(Security Attacks)</i>: Replay Attacks, Message Insertion, Message Deletion, Message Modification, Man-In-The-Middle</li>
     <li><strong>RFC 6973</strong> <i>(Privacy Threats)</i>: Correlation, Identification, Secondary Use, Disclosure, Exclusion</li>
    </ul>
    <p class="note">Note: In OSSTMM, <em>Security and Privacy are together</em>, and anyway there are some overlaps.</p>
  </section>
  <section class="slide">
    <h1>What can go wrong?<br><strong>Using LINDDUN</strong></h1>
    <figure>
      <img src="assets/threat-model-digital-credentials-ietf120.svg"/>
      <figcaption>Brainstorming, using gamification, in a Side Meeting @ IETF120</figcaption>
    </figure>
  </section>

  <section class="slide">
    <h1>What are we going to do about it?<br><strong>Mitigations</strong></h1>
    <ul style="font-size: 80%;">
      <li><strong>Anonymous Revocation</strong>: a verifier must be able to verify the status of a credential, without having the ability to correlate information about the credentials and the holder.</li>
      <li><strong>Privacy-Preserving DID methods</strong>: For example, during resolution, it is possible that the method communicates with the issuer. If the DID uses a distributed ledger, it would be better not to write private information into it.</li>
      <li><strong>Selective Disclosure and Unlinkable Credentials</strong>: is the ability to show only a part of the credential and not the full one, in an unlinkable manner. For example, we can show only the date of birth rather than the full passport where it is contained, we are working on <a href="https://www.w3.org/TR/vc-di-bbs/">BBS cryptosuites</a>.</li>
      <li><strong>Post-Quantum Cryprography</strong>: <a href="https://w3c-ccg.github.io/di-quantum-safe/">Quantum-safe cryptosuites</a> for signatures.</li>
    </ul>
    <p class="note"><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/200">Feedback</a> on the EU Digital Identity's ARF 1.4.0: <q>Our specific recommendation is to use the BBS</q> [...], and <q>countering future quantum threats</q>, and we probably need new chips.</p>
  </section>

  <section class="slide">
    <h2>Did we do a good job?</h2>
    <p><q>All models are wrong, but some are useful</q> from statistician George Box (1976), quoted by Shostack (2014)</p>
    <ul>
      <li>This Model is useful for us to understand the big picture, create a place to sharing ideas, and understanding the need for other standards.</li>
      <li>Each solution needs a dedicated Threat Model (e.g., <a href="https://drive.google.com/drive/folders/1mgwhZ0jTAeGIE8Ewf3kK34dLjPwOTM5L">EUDI Communication Protocol and Wallet</a>) and to be <em>interoperable</em>.</li>
      <li>Welcome to join the Threat Model discussions in the <a href="https://www.w3.org/community/tmcg/">Threat Modeling Community Group</a>.</li>
    </ul>
  </section>

  <!-- Outro -->

  <section class="slide">
    <h1><span lang="cn">谢谢</span></h1>
    <p>See also:</p>
    <ul>
      <li>
        <q>Identity & the Web</q>
        <a href="https://www.w3.org/reports/identity-web-impact/">https://www.w3.org/reports/identity-web-impact/</a>
      </li>
      <li>
        <q>Threat Model for Digital Credentials</q>
        <a href="https://github.com/w3c-cg/threat-modeling/blob/main/models/decentralized-identities.md/">https://github.com/w3c-cg/threat-modeling/blob/main/models/decentralized-identities.md</a>
      </li>
    </ul>
    <div>
      <p>
        These slides:
        <br>
        <a href="https://w3.org/2024/Talks/inclusion-simone/">https://w3.org/2024/Talks/inclusion-simone/</a>
      </p>
      <p>Email: simone@w3.org</p>
      <p>WeChat: wxid_3hq0pclnrhr512</p>
    </div>
  </section>
  <!-- Backup -->


  <!--
  <section class="slide side right" id="how">
    <h2>Security @ W3C</h2>
    <ul style="font-size: smaller">
      <li><strong>Developing security technology standards</strong>
        <ul>
          <li>Web Application Security Working Group (e.g., Content-Security-Policy)</li>
          <li>Web Authentication Working Group (e.g., Passkeys in the Browser)</li>
          <li>Federated Identity Working Group (e.g., Digital Credentials API <sup>proposed</sup>)</li>
          <li>Web Payments Working Group (e.g., Secure Payments Confirmation)</li>
        </ul>
     </li>
      <li><strong>Reviewing the security of the standards</strong>
        <ul>
          <li><em>Threat Modeling Community Group</em></li>
          <li>Security Interest Group <sup>proposed</sup></li>
        </ul>
      </li>
      <li><strong>Guiding Web Developers</strong>
      <ul>
        <li>Security Web Application Guidelines Community Group</li>
      </ul>
      </li>
    </ul>
   <p class="note">More info: <a href="https://www.w3.org/mission/security/">https://www.w3.org/mission/security/</a></p>
   </section>
  -->
  <!-- 
  <section class="slide">
    <h2>Identity @ W3C</h2>
    <ul>
      <li>Centralized Identity: Web Authentication for Passwordless logins</li>
      <li>Federated Identity: Federated Credentials Management and Status API to avoid third-party cookies</li>
      <li>Decentralized Identity:
      <ul>
        <li>Digital Credentials API for mediation of presentation <sup>proposed</sup></li>
        <li>Verifiable Credentials and Decentralized Identifiers (DID) with BBS</li>
        <li>Verifiable Credentials API, Verifiable Credentials Barcodes, Quantum-Proof signatures <sup>community</sup></li>
    </ul>
  </section> 
  -->
  
  <!--
  <section class="slide">
    <h2>Which model is better?</h2>
    <div class="columns">
     <div class="next">
      <figure>
        <img src="assets/falcon-lego.png"/>
        <figcaption>LEGO's Millenium Falcon</figcaption>
      </figure>
     </div>
     <div class="next">
     <figure>
      <img src="assets/falcon-park.png"/>
      <figcaption>Walt Disney World's Millenium Falcon</figcaption>
    </figure>
    </div>
   </section>
  <section class="slide">
    <h2>Which model is better?</h2>
    <q class="shout">All models are wrong, but some are useful</q>
    <p>from statistician George Box (1976), quoted by Shostack (2014) in the context of threat modeling</p>
  </section>
  -->
  <!--
  <section class="slide">
    <h2>What are we working on?<br>Decentralized Identities Ecosystem</h2>
    <figure class="center">
      <img width="60%" src="https://www.w3.org/reports/identity-web-impact/figures/decentralized-identity-layers.svg">
      <figcaption>Decentralized Identity Ecosystem</figcaption>
    </figure>
  </section>
  <section class="slide">
    <h1>What are we working on?<br><strong>Credential Layer</strong></h1>
    <figure class="center">
      <img src="assets/credential-layer.svg">
      <figcaption>Credential Layer</figcaption>
    </figure>
  </section>
  --> 
  <!--
  <section class="slide">
    <h1>What are we working on?<br><strong>Decentralized Identifiers</strong></h1>
    <p style="font-size: 80%;">
      An identifier technology based on cryptography that empowers us to control our
      data and consent to its usage, often paired with Verifiable Credentials.
      These methods can rely on various technologies, including blockchains, the web, InterPlanetary File
      System (IPFS), and Domain Name System (DNS) [did-spec-registries]. 基于密码学的标识符技术，促使我们掌管我们的个人数据并授权同意其使用；通常与 VC
      可验证凭据配对。这些方法可以依靠各种技术，包括区块链，Web，行星际文件系统（IPFS）和域名系统（DNS）[DID Spec-Spec-Registries]。<br>
      <a href="https://www.w3.org/TR/did-core/">Decentralized Identifiers (DIDs) v1.0</a>, W3C Standard, July 2022.
    </p>
    <div style="margin: auto; max-width:90%">
      <img src="https://w3.org/2023/Talks/plh-jp-mic/did.svg"
        alt="An example of a decentralized identifier shown left to right the 'did' scheme, followed by a colon, followed by an 'example' DID Method identifier, followed by another colon, followed by a method specific identifier with the characters '123456789abcdefghi' is shown." />
    </div>
  </section>
  -->
</body>

</html>