W3C home > Mailing lists > Public > public-w3process@w3.org > November 2014

Re: Require security review before FPWD

From: <chaals@yandex-team.ru>
Date: Fri, 07 Nov 2014 13:57:17 +0100
To: David Singer <singer@apple.com>
Cc: Jeff Jaffe <jeff@w3.org>, GALINDO Virginie <virginie.galindo@gemalto.com>, Karl Dubost <karl@la-grange.net>, Anne van Kesteren <annevk@annevk.nl>, Philippe Le Hegaret <plh@w3.org>, public-w3process <public-w3process@w3.org>
Message-Id: <38011415365037@webcorp02g.yandex-team.ru>


07.11.2014, 13:08, "David Singer" <singer@apple.com>:
> On Nov 7, 2014, at 12:02 , chaals@yandex-team.ru wrote:
>>  04.11.2014, 15:25, "Jeff Jaffe" <jeff@w3.org>:
>>>  On 11/4/2014 3:40 AM, GALINDO Virginie wrote:
>>>>  +1 for the guidelines,
>>>  Would the Security IG be the right place to develop those guidelines?
>>  They would be the obvious group to have them as a deliverable. But in the nature of things, they probably should look around for expertise in other groups to help make the guidelines as good as we can get them…
>>
>>  cheers
>
> I think the community as a whole should develop the guidelines, and if we don’t get input from the security IG then I am not sure we’d have a good set of guidelines.

Agreed.

> But the model that ‘the XXX IG is responsible for developing the guidelines’ or, worse, ‘the primary responsibility for an XXX review lies with the YYY IG’, is flawed.

These are very different. Asking "the whole community" to publish and maintain the document falls into the "4 people" trap (everybody, somebody, anybody nobody) and makes it difficult to work out how to resolve issues (including that the document was maintained by nobody).

>  This is, in effect, signing up IGs for open-ended amounts of work.  The primary responsibility for ensuring that XXX has had consideration in a document, lies with the group that wants to publish that document,

Indeed.

> and in this case, the primary responsibility for developing requirements and guidelines in the process for XXX reviews lies with the group that is working on the process — the process G and the AB, with the AC and staff.

That seems to be signing up the process CG to produce the deliverable. Which is a priori a reasonable alternative proposal - but I think not the right choice.

There is a requirement to discuss the technical aspects of privacy/accessibility/security/etc in order to make the guidelines as useful as we can. Very little of the required expertise is in the Process CG, and it isn't in the scope of the Process CG.

> Yes, we want the security IG’s (and privacy IG’s, and…) help.  No, it is not their deliverable.

I think that the relevant IGs are in fact the best home for the various guidelines, and I think making them deliverables of the respective IGs is in fact the right thing to do - while recognising that the responsibility for getting the reviews rests not with the IGs but the producers of whatever spec needs review.

(And that's what you get for 2 kopecks these days)

cheers

> David Singer
> Manager, Software Standards, Apple Inc.

--
Charles McCathie Nevile - web standards - CTO Office, Yandex
chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Friday, 7 November 2014 12:57:56 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:35:12 UTC