Re: Require security review before FPWD from Jeff Jaffe on 2014-11-03 (public-w3process@w3.org from November 2014)

From: Jeff Jaffe <jeff@w3.org>
Date: Mon, 03 Nov 2014 17:14:47 -0500
To: Henri Sivonen <hsivonen@hsivonen.fi>
CC: Anne van Kesteren <annevk@annevk.nl>, Philippe Le Hegaret <plh@w3.org>, public-w3process <public-w3process@w3.org>
Message-ID: <5457FE57.2060602@w3.org>

On 11/3/2014 8:01 AM, Henri Sivonen wrote:
>> >Surely we want the right architecture.  So if the WG wants to mandate TLS,
>> >they should.
> I think there's also a need to deal with the case where the WG doesn't
> really want to mandate TLS even when mandating TLS in needed. That is,
> there's a need of*early*  oversight for WGs that don't realize things
> early on their own initiative.
>

An interesting question is to understand how far you want to take this.  
There is a range.  At the "lightest" end of the spectrum these reviews 
are to provide advice.  At the "heaviest" end of the spectrum, failure 
to achieve a certain level of security could be a reason for a REC to be 
blocked.  In that interpretation, EME and WebRTC could potentially still 
be blocked.

When you say "deal with the case where the WG doesn't want to mandate 
TLS even when it is needed" - I hear you on the more intrusive side of 
the spectrum.  Is that a correct interpretation?

Received on Monday, 3 November 2014 22:14:56 UTC