hi folks! I wanted to share a blog post, C2PA Threat Modeling, and get thoughts on a question: Did they do a good job?
Threat modeling for an industry standard is different than threat modeling for a thing you’re building for internal use, which is different than threat modeling for an API or a platform. One of my key goals in my Threat Modeling Thursday blogs is that no one should ever wince because I’m going all Gordon Ramsey on them. So while I intentionally accentuate the positive, I’m curious: what else can we learn by looking at their work?