W3C home > Mailing lists > Public > public-w3process@w3.org > November 2014

Re: Require security review before FPWD

From: Mike West <mkwst@google.com>
Date: Mon, 10 Nov 2014 11:54:04 +0100
Message-ID: <CAKXHy=cjyF813qGr0qxONB_JVjwmh81U-yJb3srwkMSkaOif2g@mail.gmail.com>
To: GALINDO Virginie <Virginie.Galindo@gemalto.com>, Brad Hill <hillbrad@gmail.com>
Cc: "chaals@yandex-team.ru" <chaals@yandex-team.ru>, Jeff Jaffe <jeff@w3.org>, David Singer <singer@apple.com>, Karl Dubost <karl@la-grange.net>, Anne van Kesteren <annevk@annevk.nl>, Philippe Le Hegaret <plh@w3.org>, public-w3process <public-w3process@w3.org>
We could probably overload the WebAppSec list for a dicussion, as it's
seeing a post-TPAC rebound in participation (and is also rechartering).
That might also be a reasonable place to publish a Note, assuming the TAG
doesn't want to pick it up. (+Brad Hill)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Nov 10, 2014 at 11:50 AM, GALINDO Virginie <
Virginie.Galindo@gemalto.com> wrote:

> Chaals, David, Jeff,
>
> Direct answer to the Web Security IG involvement in delivering security
> guidelines...
> - The Web Security IG has been re-born one year ago, the dynamic of the
> Web Security IG is still low (10 people maximum, all overbooked)
> - Developing those guidelines were part of my goal as co-chair (see
> https://www.w3.org/Security/wiki/IG#Current_Work_Items_for_the_Web_Security_IG
> )
> - I believe that if the W3C were to decide to develop the guidelines,
> based on Mike's straw man proposal, that would be great.
> - The Web Security IG could be a mean to gather the appropriate people,
> organize the work and make sure something is delivered (provided that we
> can get on board some contributors)
> - and finally, changing my hat, wearing my gemalto hat, we would be
> delighted to participate...
>
> Virginie
> Co-chair web security IG
>
>
>
>
>
>
>
> -----Original Message-----
> From: chaals@yandex-team.ru [mailto:chaals@yandex-team.ru]
> Sent: vendredi 7 novembre 2014 13:57
> To: David Singer
> Cc: Jeff Jaffe; GALINDO Virginie; Karl Dubost; Anne van Kesteren; Philippe
> Le Hegaret; public-w3process
> Subject: Re: Require security review before FPWD
>
>
>
> 07.11.2014, 13:08, "David Singer" <singer@apple.com>:
> > On Nov 7, 2014, at 12:02 , chaals@yandex-team.ru wrote:
> >>  04.11.2014, 15:25, "Jeff Jaffe" <jeff@w3.org>:
> >>>  On 11/4/2014 3:40 AM, GALINDO Virginie wrote:
> >>>>  +1 for the guidelines,
> >>>  Would the Security IG be the right place to develop those guidelines?
> >>  They would be the obvious group to have them as a deliverable. But
> >> in the nature of things, they probably should look around for
> >> expertise in other groups to help make the guidelines as good as we
> >> can get them…
> >>
> >>  cheers
> >
> > I think the community as a whole should develop the guidelines, and if
> we don’t get input from the security IG then I am not sure we’d have a good
> set of guidelines.
>
> Agreed.
>
> > But the model that ‘the XXX IG is responsible for developing the
> guidelines’ or, worse, ‘the primary responsibility for an XXX review lies
> with the YYY IG’, is flawed.
>
> These are very different. Asking "the whole community" to publish and
> maintain the document falls into the "4 people" trap (everybody, somebody,
> anybody nobody) and makes it difficult to work out how to resolve issues
> (including that the document was maintained by nobody).
>
> >  This is, in effect, signing up IGs for open-ended amounts of work.
> > The primary responsibility for ensuring that XXX has had consideration
> > in a document, lies with the group that wants to publish that
> > document,
>
> Indeed.
>
> > and in this case, the primary responsibility for developing requirements
> and guidelines in the process for XXX reviews lies with the group that is
> working on the process — the process G and the AB, with the AC and staff.
>
> That seems to be signing up the process CG to produce the deliverable.
> Which is a priori a reasonable alternative proposal - but I think not the
> right choice.
>
> There is a requirement to discuss the technical aspects of
> privacy/accessibility/security/etc in order to make the guidelines as
> useful as we can. Very little of the required expertise is in the Process
> CG, and it isn't in the scope of the Process CG.
>
> > Yes, we want the security IG’s (and privacy IG’s, and…) help.  No, it is
> not their deliverable.
>
> I think that the relevant IGs are in fact the best home for the various
> guidelines, and I think making them deliverables of the respective IGs is
> in fact the right thing to do - while recognising that the responsibility
> for getting the reviews rests not with the IGs but the producers of
> whatever spec needs review.
>
> (And that's what you get for 2 kopecks these days)
>
> cheers
>
> > David Singer
> > Manager, Software Standards, Apple Inc.
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
> ________________________________
>  This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for
> the message if altered, changed or falsified. If you are not the intended
> recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus.
>
Received on Monday, 10 November 2014 10:54:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:35:12 UTC