From 5b4e0ec21f39001acd649b64b6c753753bd8b6ab Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Fri, 5 Jun 2026 04:31:17 +0200 Subject: [PATCH] =?UTF-8?q?Revise=20threat=20model=20per=20DaanHoogland/vi?= =?UTF-8?q?shesh92=20review=20(resolve=20=C2=A714=20Q3/Q6/Q7)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- draft-THREAT-MODEL.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/draft-THREAT-MODEL.md b/draft-THREAT-MODEL.md index bff149f8442..f8da5cc8c52 100644 --- a/draft-THREAT-MODEL.md +++ b/draft-THREAT-MODEL.md @@ -897,11 +897,11 @@ treated as trusted-once-enrolled peers, or do they get their own trust tier?~~ **RESOLVED** *(maintainer)* — **yes**, same trust tier as agents, not a separate tier. Folded into §2 caller-roles. -**Q3.** Are external integrations (LDAP, SAML2 IdP, OAuth2 IdP, NSX +**Q3.** ~~Are external integrations (LDAP, SAML2 IdP, OAuth2 IdP, NSX controller, Netscaler, Tungsten, S3-compatible storage, backup -providers) modeled as trusted control-plane peers (proposed: **yes**)? If -trusted, that licenses §3 item 2 and §11a trusted-input dispositions. -*(maps to §2, §3, §11a)* +providers) modeled as trusted control-plane peers?~~ **RESOLVED** +*(maintainer: DaanHoogland — yes)* — trusted control-plane peers; this +licenses §3 item 2 and §11a trusted-input dispositions. *(maps to §2, §3, §11a)* **Q4.** ~~SecondaryStorageVM HTTP download surface — is the URL token per-template ACL-checked, or is the SSVM URL itself a bearer credential?~~ @@ -921,14 +921,14 @@ with CloudStack changes; vendored bugs go upstream. There is **no automated update procedure today** (dependabot has not produced viable PRs); the PMC would prefer to establish one. Folded into §3 item 8, §11a. -**Q6.** Is "an operator with `root` on a management-server host, the +**Q6.** ~~Is "an operator with `root` on a management-server host, the JCEKS keystore + encryption keys, the Root CA private key, or MariaDB -credentials" out of scope (proposed: **yes**, `OUT-OF-MODEL: -adversary-not-in-scope`)? *(maps to §3 item 1, §9)* +credentials" out of scope?~~ **RESOLVED** *(maintainer: DaanHoogland — yes)* +— `OUT-OF-MODEL: adversary-not-in-scope`. *(maps to §3 item 1, §9)* -**Q7.** Hypervisor bugs (libvirt / vSphere SDK / XenAPI / Hyper-V API / -KVM/QEMU itself) — out of scope, report upstream (proposed)? *(maps to -§3 item 3)* +**Q7.** ~~Hypervisor bugs (libvirt / vSphere SDK / XenAPI / Hyper-V API / +KVM/QEMU itself) — out of scope, report upstream?~~ **RESOLVED** +*(maintainer: DaanHoogland — yes, out of scope; report upstream)*. *(maps to §3 item 3)* ### Wave 2 — the two big insecure defaults