-
Notifications
You must be signed in to change notification settings - Fork 70
Roles
OONI • Threat-Model • Roles • Use-Cases • Threats • Impacts • Disclosure
Contents
This page defines general roles associated with OONI's development and operation. The Use-Cases, Threat-Model, Threats, issue tickets, and other documentation can refer to these roles for clarity and specificity.
Whenever any feature, bug, security vulnerability, or conversation refers to a role that's not on this page, please add it.
A role represents a distinct set of behaviors and interests with respect to OONI's operation.
Roles are abstract, and do not refer to individuals or organizations. A particular individual or organization may have overlapping roles in their interaction with OONI. The division is not perfect: there may be individuals or organizations which only exhibit a subset of the behaviors or interests defined here.
This section defines roles and has details about what features and security properties each role relies on. (Note: Feature and security property reliance is not complete; see Ticket 135
The potential security risk for each role is represented as a column in the Impacts table.
Behavior: An Analyst examines OONI data and publishes their analysis.
Responsiblity: To publish accurate analyses.
Reliances: An Analyst relies on:
- The Publisher to provide accurate, complete data.
- The Net-Test Developer to provide accurate descriptions of test specifications.
- The Publisher and Net-Test Developer to provide report data that:
- protects the privacy of ooniprobe Operator and Bystander, including both personal information as well as private network infrastructure data.
- is free from injection attack vectors (such as XSS vectors).
- is free from illegal data such as child pornography.
Behavior: A oonib Operator runs oonib and maintains the required infrastructure to support that.
Responsibilities: To ensure oonib provides test helpers and collects reports from ooniprobe
Reliances: The oonib Operator relies on:
- The ooniprobe Operator to deliver accurate report data.
- The Publisher to aggregate and report data and make it public.
- The Directory Service Operator to ensure their
oonibinstance connection details are distributed toooniprobeinstances.
Behavior: A Bystander is anyone who could be harmed or impacted by ooniprobe's operation.
This is distinct from all other roles. For example, a vulnerability in oonib could allow an attacker to compromise a oonib Operator, but in that case the oonib Operator is not considered a Bystander.
Responsibilities: None.
Reliances: Bystanders rely on all other roles to prevent abuse.
Behavior: A Core Developer develops the ooniprobe and oonib core software.
Responsibilities:
- Precisely document OONI's design so that other roles understand its operation and risks.
- Implement
ooniprobeandoonibaccording to the documentation. - Notice discrepencies between documentation and implementation.
- Evaluate the impact of newly discovered security risks.
Reliances: Core Developers rely on:
- The Publisher to vet specifications such that they can assume liability for published data.
Behavior: A Net-Test Developer develops Net-Tests which measure specific network behavior.
This role is distinct from Core Developer because we anticipate Net-Test contributions from a wider community.
Responsibilities:
- Precisely document the design of particular net-tests so that other roles understand what it measures, its operational characteristics, and risks in running the particular net-tests.
- Implement net tests according to the documentation.
- Notice discrepencies between documentation and implementation.
Reliances:
- The Publisher to vet specifications such that they can assume liability for published data.
Behavior: The Directory Service Operator maintains and operates the some service that links the OONI client to a server hosting oonib.
Note: For the M-Lab use case, this would be the operator of mlab-ns, which should not to be confused with DNS.
Responsibilities: Ensure Directory Service correctly distributes connection details for oonib instances.
Reliances: The Directory Service Operator relies on:
- The oonib Operator to configure
oonibto correctly register connection details. - The Core Developer to document operational risks to the Directory Service and to reduce the designed impact when possible.
Behavior: A ooniprobe Operator runs ooniprobe and typically examines test results, as well as publishing them to a collector.
Responsibilities:
- Have a general understanding of the potential operational impact of
ooniprobeand the net-tests involved in the selected test deck. - Execute
ooniprobein relevant network locations to generate report data.
Reliances: The ooniprobe Operator relies on:
- The Directory Service Operator to configure a Directory Service to return appropriate
oonibconnection details. - The oonib Operator to configure
oonibto return appropriate test decks. (Note: This assumes a use case of non-probe-operator-specified inputs.) - The Core Developer to document operational risks, including forensic risk if that is a concern for a particular ooniprobe Operator.
Behavior: A Publisher stores and makes the collected OONI data available to the public.
Responsibilities:
- The provide OONI report data for Analysts.
- To assume liability associated with publishing data.
- To vet test specifications in order to evaluate the liability they imply.
- To vet test decks in order to evaluate the liability particular inputs imply.
Reliances: A Publisher relies on:
- The Net-Test Developer to document potential liability data collected from particular net-tests.
- The Core Developer to document operational risks related to collecting data from
oonib.
Behavior: A Reader accesses published OONI data or an Analysis thereof. An Analyst is therefore also a Reader.
Responsibilities: To read and learn from analyses.
Reliances: A Reader relies on:
- The Analyst to provide accurate analyses.
- The Publisher and/or ooniprobe Operator to select relevant test inputs, such that analyses are biased as little as possible.