Structuring the security considerations section #1583

Open
simoneonofri opened this issue Jan 17, 2025 · 1 comment
Labels
CR2 discuss security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response.

Comments

@simoneonofri

This issue refers to the security review requested in this issue w3c/security-request#58

As specified in the comment, this is the Issue to ask to structure the Security Consideration section in the way specified here

[cc'ing: @innotommy]

@simoneonofri simoneonofri added the security-tracker Group bringing to attention of security, or tracked by the security Group but not needing response. label Jan 17, 2025
@msporny
Member

msporny commented Jan 19, 2025

@simoneonofri and @innotommy the VCWG is currently preparing to transition up to seven of our specifications to the Proposed Recommendation phase, so this request is coming at a very unfortunate time in the WG's lifecycle. Is this a blocking request before Proposed Recommendation, or can we address this request during v2.1 work (the next cycle)?

Are you asking us to re-structure all seven of those specifications' Security Considerations sections? Or the Privacy Considerations sections as well?

I have looked through the proposed new structure, and the references to the C2PA specification, and it's not clear what structure you want us to use, or what content to include, in order to address this issue. A complete specification example would help. I do think that the existing Privacy and Security Considerations sections have most of the information suggested around threats and mitigations:

https://w3c.github.io/vc-data-model/#privacy-considerations
https://w3c.github.io/vc-data-model/#security-considerations

... but you might be asking for a comprehensive re-write of those sections? I need some guidance here because what it sounds like you're asking for is multiple days of specification editing per specification leading to weeks to months of delays (e.g., WG discussion on the PRs) for the specifications nearing Proposed Recommendation.
