- From: Mike West <mkwst@google.com>
- Date: Mon, 10 Nov 2014 11:54:04 +0100
- To: GALINDO Virginie <Virginie.Galindo@gemalto.com>, Brad Hill <hillbrad@gmail.com>
- Cc: "chaals@yandex-team.ru" <chaals@yandex-team.ru>, Jeff Jaffe <jeff@w3.org>, David Singer <singer@apple.com>, Karl Dubost <karl@la-grange.net>, Anne van Kesteren <annevk@annevk.nl>, Philippe Le Hegaret <plh@w3.org>, public-w3process <public-w3process@w3.org>
- Message-ID: <CAKXHy=cjyF813qGr0qxONB_JVjwmh81U-yJb3srwkMSkaOif2g@mail.gmail.com>
We could probably overload the WebAppSec list for a discussion, as it's seeing a post-TPAC rebound in participation (and is also rechartering). That might also be a reasonable place to publish a Note, assuming the TAG doesn't want to pick it up.

(+Brad Hill)

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Nov 10, 2014 at 11:50 AM, GALINDO Virginie <Virginie.Galindo@gemalto.com> wrote:

> Chaals, David, Jeff,
>
> Direct answer to the Web Security IG involvement in delivering security guidelines...
> - The Web Security IG was re-born one year ago; the dynamic of the Web Security IG is still low (10 people maximum, all overbooked)
> - Developing those guidelines was part of my goal as co-chair (see https://www.w3.org/Security/wiki/IG#Current_Work_Items_for_the_Web_Security_IG)
> - I believe that if the W3C were to decide to develop the guidelines, based on Mike's straw man proposal, that would be great.
> - The Web Security IG could be a means to gather the appropriate people, organize the work and make sure something is delivered (provided that we can get on board some contributors)
> - and finally, changing my hat, wearing my gemalto hat, we would be delighted to participate...
>
> Virginie
> Co-chair web security IG
>
> -----Original Message-----
> From: chaals@yandex-team.ru [mailto:chaals@yandex-team.ru]
> Sent: Friday 7 November 2014 13:57
> To: David Singer
> Cc: Jeff Jaffe; GALINDO Virginie; Karl Dubost; Anne van Kesteren; Philippe Le Hegaret; public-w3process
> Subject: Re: Require security review before FPWD
>
> 07.11.2014, 13:08, "David Singer" <singer@apple.com>:
> > On Nov 7, 2014, at 12:02 , chaals@yandex-team.ru wrote:
> >> 04.11.2014, 15:25, "Jeff Jaffe" <jeff@w3.org>:
> >>> On 11/4/2014 3:40 AM, GALINDO Virginie wrote:
> >>>> +1 for the guidelines,
> >>> Would the Security IG be the right place to develop those guidelines?
> >> They would be the obvious group to have them as a deliverable. But in the nature of things, they probably should look around for expertise in other groups to help make the guidelines as good as we can get them…
> >>
> >> cheers
> >
> > I think the community as a whole should develop the guidelines, and if we don’t get input from the security IG then I am not sure we’d have a good set of guidelines.
>
> Agreed.
>
> > But the model that ‘the XXX IG is responsible for developing the guidelines’ or, worse, ‘the primary responsibility for an XXX review lies with the YYY IG’, is flawed.
>
> These are very different. Asking "the whole community" to publish and maintain the document falls into the "4 people" trap (everybody, somebody, anybody, nobody) and makes it difficult to work out how to resolve issues (including that the document was maintained by nobody).
>
> > This is, in effect, signing up IGs for open-ended amounts of work.
> > The primary responsibility for ensuring that XXX has had consideration in a document lies with the group that wants to publish that document,
>
> Indeed.
>
> > and in this case, the primary responsibility for developing requirements and guidelines in the process for XXX reviews lies with the group that is working on the process — the Process CG and the AB, with the AC and staff.
>
> That seems to be signing up the Process CG to produce the deliverable. Which is a priori a reasonable alternative proposal - but I think not the right choice.
>
> There is a requirement to discuss the technical aspects of privacy/accessibility/security/etc. in order to make the guidelines as useful as we can. Very little of the required expertise is in the Process CG, and it isn't in the scope of the Process CG.
>
> > Yes, we want the security IG’s (and privacy IG’s, and…) help. No, it is not their deliverable.
>
> I think that the relevant IGs are in fact the best home for the various guidelines, and I think making them deliverables of the respective IGs is in fact the right thing to do - while recognising that the responsibility for getting the reviews rests not with the IGs but with the producers of whatever spec needs review.
>
> (And that's what you get for 2 kopecks these days)
>
> cheers
>
> > David Singer
> > Manager, Software Standards, Apple Inc.
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
> ________________________________
> This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
>
Received on Monday, 10 November 2014 10:54:52 UTC