
Re: Require security review before FPWD

From: fantasai <fantasai.lists@inkedblade.net>
Date: Thu, 30 Oct 2014 15:49:05 -0700
Message-ID: <5452C061.2080209@inkedblade.net>
To: public-w3process@w3.org

On 10/30/2014 10:46 AM, Anne van Kesteren wrote:
> On Thu, Oct 30, 2014 at 6:32 PM, Chris Wilson <cwilso@google.com> wrote:
>> In general, I'm in agreement that security should be considered early; since
>> FPWD is the only place you can make sure it's "early", I might agree with
>> this, but what would you consider a "security review"?  Are there specific
>> people you'd want involved, signoff from someone particular, or simply a
>> "security review" section in the FPWD doc?  Specific questions like "why
>> don't you require TLS (if you don't)?"
>
> Probably specific questions would work best, combined with review from
> the WebAppSec community.

+1 from me. Seems totally reasonable.

Would you require the review from WebAppSec prior to FPWD publication,
or trigger it by FPWD publication?

~fantasai
Received on Thursday, 30 October 2014 22:49:34 UTC
