Re: Require security review before FPWD

From: Chris Wilson <cwilso@google.com>
Date: Thu, 30 Oct 2014 10:32:21 -0700
Message-ID: <CAJK2wqVdnAhP6qEvzU0Zubr2vpwB3SZeg3kU2zP5aB2QoMKKnQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: public-w3process <public-w3process@w3.org>

In general, I'm in agreement that security should be considered early;
since FPWD is the only place you can make sure it's "early", I might agree
with this, but what would you consider a "security review"?  Are there
specific people you'd want involved, signoff from someone particular, or
simply a "security review" section in the FPWD doc?  Specific questions
like "why don't you require TLS (if you don't)?"

On Thu, Oct 30, 2014 at 10:17 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> Without due security review implementers end up implementing drafts
> and then we cannot fix the broken security and privacy
> characteristics.
>
> See e.g. https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#128 and
> the rest of that thread for how hard it is to do this
> post-publication.
>
> Requiring TLS for an API is something that should be considered very early
> on.
>
>
> --
> https://annevankesteren.nl/
>
>
Received on Thursday, 30 October 2014 17:32:48 UTC
