From 0b76a5825f019fa32e8dd4c6cf15a4243c836bdc Mon Sep 17 00:00:00 2001 From: cameronvoell Date: Sat, 21 Sep 2024 00:19:35 -0700 Subject: [PATCH 1/3] added threat model section to XIP 47 --- XIPs/xip-47-group-chat-permissions.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/XIPs/xip-47-group-chat-permissions.md b/XIPs/xip-47-group-chat-permissions.md index bbe900a..4541032 100644 --- a/XIPs/xip-47-group-chat-permissions.md +++ b/XIPs/xip-47-group-chat-permissions.md 
@@ -109,6 +109,17 @@ Another consideration was whether the extra complexity is worth making permissio The ability to update permissions is needed to address the use cases of initial group permission misconfiguration and the inevitable evolution of a group’s trust dynamic. For example, just because an online project group chat starts as a small group of well-intentioned contributors does not mean that the group may not evolve to have a larger variety of member trustworthiness and contributor types over time. +## Threat Model + +There are three main categories of threats that are considered when designing the permissions system: + +1. Can group creators share responsibility with admins while retaining the ability to recover from malicious admins? + This threat is mitigated by the three tiered permission system, the fact that super admins can not be removed by admins, and only super admins can update permissions. +2. Does the permissions sytem have some recoverability in case an action was taken by mistake and needs to be undone? + This threat is mitigated by the ability to update permissions, which allows a previously configured permission set to be adjusted if necessary. +3. Is the group permission system safe from malicious actors who are running modified versions of our client code? + This threat is mitigated by client side verification of all group actions that are subject to group permission policies. + ## Backward compatibility In addition to adding the new **Permission Policies** and **Permission Options** and making **Permissions Updatable**, we will also make the permission system itself updatable in the following ways: From d30922b25bcbb841c32254e1f26dc3e6d4fb335e Mon Sep 17 00:00:00 2001 
From: J-Ha <5481259+jhaaaa@users.noreply.github.com> Date: Wed, 2 Oct 2024 09:25:30 -0700 Subject: [PATCH 2/3] Update XIPs/xip-47-group-chat-permissions.md Co-authored-by: Richard Hua --- XIPs/xip-47-group-chat-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/XIPs/xip-47-group-chat-permissions.md b/XIPs/xip-47-group-chat-permissions.md index 4541032..2a9eb00 100644 --- a/XIPs/xip-47-group-chat-permissions.md +++ b/XIPs/xip-47-group-chat-permissions.md @@ -115,7 +115,7 @@ There are three main categories of threats that are considered when designing th 1. Can group creators share responsibility with admins while retaining the ability to recover from malicious admins? This threat is mitigated by the three tiered permission system, the fact that super admins can not be removed by admins, and only super admins can update permissions. -2. Does the permissions sytem have some recoverability in case an action was taken by mistake and needs to be undone? +2. Does the permissions system have some recoverability in case an action was taken by mistake and needs to be undone? This threat is mitigated by the ability to update permissions, which allows a previously configured permission set to be adjusted if necessary. 3. Is the group permission system safe from malicious actors who are running modified versions of our client code? This threat is mitigated by client side verification of all group actions that are subject to group permission policies. From 979b2560f6782e92238d0c46f2f32e425f340ac1 Mon Sep 17 00:00:00 2001 From: J-Ha <5481259+jhaaaa@users.noreply.github.com> Date: Wed, 2 Oct 2024 09:27:35 -0700 Subject: [PATCH 3/3] Update XIPs/xip-47-group-chat-permissions.md --- XIPs/xip-47-group-chat-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/XIPs/xip-47-group-chat-permissions.md b/XIPs/xip-47-group-chat-permissions.md index 2a9eb00..5ec96dd 100644 --- a/XIPs/xip-47-group-chat-permissions.md 
+++ b/XIPs/xip-47-group-chat-permissions.md @@ -118,7 +118,7 @@ There are three main categories of threats that are considered when designing th 2. Does the permissions system have some recoverability in case an action was taken by mistake and needs to be undone? This threat is mitigated by the ability to update permissions, which allows a previously configured permission set to be adjusted if necessary. 3. Is the group permission system safe from malicious actors who are running modified versions of our client code? - This threat is mitigated by client side verification of all group actions that are subject to group permission policies. + This threat is mitigated by client side verification of all group actions that are subject to group permission policies. ## Backward compatibility
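Review bot: In the "Threat Model" hunk of PATCH 1/3, item 3's mitigation should say who performs the verification, because a modified client cannot be relied on to verify its own actions; the mitigation only holds if every honest member's client validates each permission-governed group action on receipt and rejects actions that violate the active policy. Suggest rewording to something like "This threat is mitigated by every receiving client verifying all group actions that are subject to group permission policies, so a non-compliant action is rejected regardless of what the sending client checked." In the same hunk, the mitigation in item 1 reads better with parallel structure ("the three-tiered permission system, the fact that admins cannot remove super admins, and the fact that only super admins can update permissions"), and it would help to state explicitly that a malicious or compromised super admin is out of scope for this model, since none of the three items covers it. Minor: "sytem" should be "system", "three tiered" should be "three-tiered", and "client side verification" should be "client-side verification".

Review bot: For PATCH 2/3, the typo fix ("sytem" to "system") is correct, but the commit subject "Update XIPs/xip-47-group-chat-permissions.md" does not say what changed; a subject such as "Fix typo in XIP-47 threat model" would make the history searchable. While touching this line, the neighbouring "can not" in item 1 could be corrected to "cannot" in the same commit.

Review bot: In PATCH 3/3 the removed and added lines are visually identical, so this appears to be a whitespace-only change (for example indentation or trailing whitespace) to the item 3 mitigation line; the commit message should say so, since another generic "Update XIPs/xip-47-group-chat-permissions.md" subject gives a future reader no way to tell this from a content edit. If the change is only whitespace, it could also be squashed into PATCH 2/3 rather than kept as a separate commit.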