Re: [PING] [Questionnaire Update] - Week 4 Status

Thanks Jason and tf, great progress!

On 10/15/2018 10:47 AM, Jason A. Novak wrote:
> We’re in the home stretch of our group review of the Security & Privacy Questionnaire!  
> 
> Here’s the current status by section:
> - Introduction and How To Use: Our edits have been accepted by the TAG and merged into master <https://github.com/w3ctag/security-questionnaire/pull/39>.
> - Questions to Consider: This morning, I finalized our edits and sent to the TAG for review <https://github.com/w3ctag/security-questionnaire/pull/41> and incorporation into master.
> - Mitigation Strategies: Took proposed edits from the small group and made a PR for our internal review <https://github.com/jasonanovak/security-questionnaire/pull/14>.

In light of the conversation last week on device memory and JS v header
invocation, is it worth considering a mitigation of the form "require
usage to be observable or auditable"?

For example, even if a feature's activation or use gives no specific
warning to the end-user, it might be observable by the user, by
third-party tools operating on the user's behalf, or by
observers/analysts doing web crawls or investigations at an ecosystem
level. Features with anticipated privacy impacts should make their use
detectable.

--Wendy
> 
> If folks could please review the Mitigation Strategies edits developed by the small group <https://github.com/jasonanovak/security-questionnaire/pull/14> by this Friday, I would appreciate it and then I’ll send it to the TAG for incorporation in the master document so that by TPAC we have a revised (or mostly revised) document.
> 
> Best,
> Jason
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Strategy Lead, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Monday, 15 October 2018 15:23:23 UTC