Description
The threats to the evoting system are modeled and rated, and include attacker profiles from outside and inside the organization. Furthermore, the abuse cases are built and maintained.
I believe it would be very welcome to have the threat model published along with the system overview documentation. While the architecture and code seem well documented, the motivations driving the security design are crucial and mostly missing.
This would lead to a more efficient and smooth collaboration from the community, allowing it to focus security review on the most critical (publicly available) parts of the system depending on the rating and priorities.
For example, #15 raises interesting questions regarding the passwords. Humans are notoriously bad at picking good passwords (especially repeatedly) and there is a consensus that arbitrary composition rules are near useless (humorously depicted in https://xkcd.com/936/). It is then understandable that this topic raises concern. But if overall the passwords are low-priority targets in the threat model, and it is clearly stated, then a lengthy discussion about them may be avoided, saving everyone's time and energy.