Security Considerations: Origin Verification and Expected-Origins Sig…

index.html

@@ -1321,108 +1321,23 @@ <h2>
           for Digital Credentials, both broadly and for presentation on the
           web. Their contents will be integrated into this document gradually.
         </p>
-        <ul>
-          <li>
-            <a href=
-            "https://github.com/w3c-fedid/digital-credentials/wiki/Horizontal-reviews#self-review-questionnaire-security-and-privacy">
-            TAG Security and Privacy Considerations Questionnaire (WIP)</a>
-          </li>
-          <li>
-            <a href=
-            "https://github.com/w3c-cg/threat-modeling/blob/main/models/decentralized-identities.md">
-            Threat Model for Decentralized Identities</a>
-          </li>
-        </ul>
       </div>
       <section>
-        <!---->
-        <h3>
-          Credential Protocols
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that while the API provides security at the browser API
-          level, that security for the underlying credential issuance or
-          presentation protocol is a separate concern and that developers need
-          to understand that layer of the stack to get a total picture of the
-          protections that are in place during any given transaction.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Cross-device Protocols
-        -->
-        <h3>
-          Cross-device Protocols
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that cross-device issuance or presentation uses a separate
-          protocol that has its own security characteristics.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Quishing
-        -->
-        <h3>
-          Quishing
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that the API is designed to avoid the problem of quishing
-          (phishing via QR Codes) and other QR Code and non-browser API-based
-          attacks and to be aware of exposure of QR Codes during digital
-          credential interactions.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Data Integrity
-        -->
-        <h3>
-          Data Integrity
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that the API does not provide data integrity on the digital
-          credential requests or responses and that responsibility is up to the
-          underlying protocol used for the request or response.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Authentication
-        -->
-        <h3>
-          Authentication
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that authentication (such as a PIN code to unlock) to a
-          particular app, such as a digital wallet, that responds to an API
-          request is crucial in high-risk use cases.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Cross-Site Scripting (XSS) and Cross-Site
-        -->
-        <h3>
-          Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain what attacks are possible via XSS and CSRF, if any.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Session Security
-        -->
-        <h3>
-          Session Security
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that once a secure session is established at a website using
-          credentials exchanged over this API, that the subsequent security is
-          no longer a function of the credential used or this API and is up to
-          the session management utilized on the website.
-        </p>
+          <h3>Security properties and mitigations defined by this specification</h3>
+          <p>Where security protections are explicitly defined in this document, they MUST be implemented by conforming
+              User Agents. The following mitigations derive from normative requirements already present in the
+              specification.</p>
+          <section>
+              <h4>Origin Verification and Expected-Origins Signaling</h4>
+              <p>The specification provides the user with a way to compare the [=environment settings object&#39;s=]
+                  [=environment settings object/origin=] provided in the request, clearly showing it, even if the origin
+                  is long.</p>
+              <p>This transfers T5 and T7 by allowing the other components of the ecosystem to display their origins
+                  clearly.</p>
+              <p>When displaying URLs the User Agent should consider the <a
+                      href="https://url.spec.whatwg.org/#security-considerations">Security Consideration Sections of the
+                      URL Living Standard</a>.</p>
+          </section>
       </section>
     </section>
     <section class="informative" data-cite="privacy-principles">