trustoverip/tswg-did-method-webs-specification

Security Characteristics are difficult to relate to did:webs

swcurran opened this issue · 2 comments

The Security Characteristics seem (from my reading) to be targeting those familiar with KERI and it's not clear to me what the relevance of the "Concepts for securing `did:webs` information" to `did:webs`. Admittedly, the definitions for `KEL Backed Data` and `KRAM` are not yet linked. But the line to connect those concepts to `did:webs` security is hard to follow.

What about writing that section from the perspective of the "Common Security Threats" list? How does (for example) did:webs mitigate denial of service or key compromise attacks?

I think the answer comes back in many cases to -- if the KERI Event Log is verifiable, all is well. But how for the different cases? And in the cases where the KERI Event Log is not the answer (e.g. DOS attacks), what is the answer?

A second question. Why is the "security characteristics" section not in the "Security Considerations" section?

2byrds commented

@swcurran great observations/questions. The quick history is that security considerations came before security characteristics. They serve a somewhat different purpose but probably could be united. Security characteristics explains how a cryptographic root-of-trust that uses a key event log secures an identity and its actions. Then further explains some limited security mechanisms that are useful (BADA-RUN and KRAM) given a limited context (discovery, query/response).
I think we could combine the sections. Happy to work on that and provide a PR. I will try to reduce the Security characteristics sections to do less explaining and more referencing :)