
RE: Case for/data about elections --> security focus

From: GALINDO Virginie <Virginie.GALINDO@gemalto.com>
Date: Mon, 26 May 2014 10:48:18 +0200
To: Jeff Jaffe <jeff@w3.org>, Larry Masinter <masinter@adobe.com>, "Nottingham, Mark" <mnotting@akamai.com>, "Michael Champion (MS OPEN TECH)" <Michael.Champion@microsoft.com>
CC: Brian Kardell <bkardell@gmail.com>, Charles McCathie Nevile <chaals@yandex-team.ru>, "public-w3process@w3.org" <public-w3process@w3.org>
Message-ID: <239D7A53E5B17B4BB20795A7977613A40251C66B019A@CROEXCFWP04.gemalto.com>
Jeff and all,

Related to security.
There is a W3C Web Security IG [1] which has been up and running again for a few months now. We have been discussing security reviews (based on some discussion with IETF security leaders, taking inspiration from the Internationalization process) and we drafted a security review process [2] and some guidelines for chairs and editors [3] to address the security considerations. We have also invited an OWASP [4] representative to see where we could benefit from collaboration.
It is true that we are lacking the skills to conduct serious security reviews.

So I would recommend finalizing little tiny things like these security guidelines and process, to make security part of the W3C culture, and then you will get more resources to solve the big problem of platform security.

Hope it helps,

[1] http://www.w3.org/Security/wiki/IG
[2] http://www.w3.org/Security/wiki/IG/W3C_spec_review
[3] really-draft security guidelines https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
[4] OWASP https://www.owasp.org/index.php/Main_Page

-----Original Message-----
From: Jeff Jaffe [mailto:jeff@w3.org]
Sent: Monday 26 May 2014 06:37
To: Larry Masinter; Nottingham, Mark; Michael Champion (MS OPEN TECH)
Cc: Brian Kardell; Charles McCathie Nevile; public-w3process@w3.org
Subject: Re: Case for/data about elections

On 5/26/2014 12:24 AM, Larry Masinter wrote:
> Let me suggest you take a look at the AB and the TAG selection from a different point of view:
> Who would be on your "dream team" of leaders if you could recruit them? Ideally what would you have the TAG and AB do?
> How could you get any of your dream team (or your second choices) to volunteer and commit the time?
> The discussion about voting and selection seems to be disconnected from the fundamental gap.
> From my viewpoint, the web platform is enormously over complicated, fragile and insecure, poorly integrated with other (non-web) Internet applications -- architecturally baroque and getting worse every year. And W3C isn't poised to lead effectively to fix this or even apply back-pressure.

+1 to defining some real problems on this thread.

Also, I'm interested in hearing people's approaches to finding real solutions: either from the TAG or the AB or on this thread. Here are some examples, elaborating on Larry's post.

We've been attempting to fight "complicated and fragile" through modularity. Many of the major workgroups (e.g. CSS, WebApps, even now HTML) are looking to increase modularity in the hope that it leads to clarity. I don't know if we are doing it well enough or if this is even the best approach to fight "complicated and fragile". I invite comments, and especially I invite technical approaches to address the problems.

We, like you, have called for increased focus on security [1].  In Wendy's blogposts we talked about work we are doing, workshops we have created, and the need for more focus.  Are there specific security issues that need to be addressed?  One thing we are definitely focused on is "security reviews".  Does anyone have suggestions how to get more community resources focused on security reviews?


> Those are the kinds of problems I'd want them to take on.
> Larry
> --
> http://larry.masinter.net

Received on Monday, 26 May 2014 08:48:53 UTC
