Skip to content

security: write a STRIDE threat-model document #207

Description

@juev

Summary

Capture the security audit's STRIDE reasoning as a written threat-model document. The audit passes under #178 applied STRIDE per entry point, but the result was never recorded as a durable artifact.

Scope

Produce docs/security/threat-model.md (or an ADR) covering, per entry point — management API, web UI, agent enroll/poll, OIDC, CLI, config:

  • Assets at stake (CA private keys, master KEK, operator credentials, enrollment tokens, signing authority).
  • STRIDE categories per entry point (Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege).
  • Mitigations in place, with code/ADR references.
  • Residual risks and explicitly accepted trade-offs (e.g. the control-plane-holds-the-CA trust model, documented in the Security audit — full code review & offensive assessment #178 second-pass comment).

Why

A written model lets future changes be checked against a baseline and makes the "verified safe" conclusions reproducible instead of living only in issue comments.

Part of #178 (checklist: Threat model document).

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: docsDocs / README / examplessecuritySecurity-related

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions