W3C home > Mailing lists > Public > public-w3process@w3.org > November 2014

Re: Require security review before FPWD

From: <chaals@yandex-team.ru>
Date: Tue, 04 Nov 2014 08:35:26 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Jeff Jaffe <jeff@w3.org>, Philippe Le Hegaret <plh@w3.org>, public-w3process <public-w3process@w3.org>
Message-Id: <78811415086526@webcorp01f.yandex-team.ru>
You're getting into the weeds of a specific example of why I think we should not be making a blanket policy that overly restricts us.

It also appears that you are trying to make a blanket policy to require a review, in order to enforce a single constraint (use TLS everywhere). That's the wrong way to do things - if you want to enforce that single constraint, it is a technical issue. You should for example convince the TAG that it is a hard requirement, which presumably means the cost is always outweighed by the benefits.

If you are trying to accomplish that technical goal, this isn't the place to do it. 

As I said, although I disagree with the specific blocks to progress you mooted in your process proposal, I do support clarifying the review status in a number of areas.

However we should be aware that security review (like internationalisation, accessibility, etc) isn't a boolean property, and the fact that somebody did one doesn't mean that no more is required. There is a risk that the labeling of "this had a security review" will give people a false sense of how likely it is that there are remaining issues…

cheers

03.11.2014, 13:40, "Anne van Kesteren" <annevk@annevk.nl>:
> On Sun, Nov 2, 2014 at 10:32 PM,  <chaals@yandex-team.ru> wrote:
>>  I will need to have more power, or suffer an inferior experience, in order to use a secured connection.
>
> Just to be clear, this is nonsense. TLS these days hardly has
> overhead. I recommend studying https://istlsfastyet.com/
>
> I also take issue with the argument that an average user can juggle
> these concerns adequately. They should not have to know about the
> difference between plain text and secure connections. That's too much
> of an implementation detail.
>
> (As for <canvas>, one implementation was shipping, not two, which made
> it possible to change the status quo.)
>
> --
> https://annevankesteren.nl/

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Tuesday, 4 November 2014 07:35:58 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:35:12 UTC