- From: Arthur Barstow <art.barstow@gmail.com>
- Date: Wed, 28 May 2014 12:42:31 -0400
- To: public-web-security@w3.org
On 5/28/14 11:57 AM, GALINDO Virginie wrote:
>
> Dear all,
>
> As we received our first requests for conducting security review on
> Web RTC and Manifest specifications, I think it is time for this IG to
> confirm that the tools proposed on our wiki are relevant to start
> security review. This is why I am calling for comments on:
>
> -Security Review Process [1] : allowing the other groups to request
> security review and setting up a frame for the review and reviewer
>
> -Security Guidelines [2] : supporting editors and chairs to fill in
> the Security Consideration section in their deliverable
>
> Let's give us **15 days** to collect comments on this mailing list (I
> will edit those tools accordingly on the wiki).
>
> After that first period, those tools will be our basis for beta
> testing our security reviews.
>
> Hope to see your active contributions here.
>

Hi Virginie, All,

Has the group agreed to "track" reviews to facilitate Qs like "so, what is now being reviewed; when does the review for doc X end; who agreed to review doc X; where are the comments from the review of doc X; what were the results of the review" and such? I see there is an empty section in [1] that could include this type of data (or it might make sense to create a new page).

Is the expectation the reviews will be done on this list? The TAG uses GH for its reviews [GH]. It also seems something like [specifiction] could be used.

How does PING conduct its spec reviews and track them (as it might make sense to use similar/identical methods)?

-Thanks, AB

[GH] <https://github.com/w3ctag/spec-reviews>
[specifiction] <http://discourse.specifiction.org/>

> Regards,
>
> Virginie
>
> Gemalto
>
> Co-chair of Web Security IG
>
> [1] Security Review process
> http://www.w3.org/Security/wiki/IG/W3C_spec_review
> <http://www.w3.org/Security/wiki/IG/W3C_spec_review>
>
> [2] Security Guidelines
> https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
>
> ------------------------------------------------------------------------
> This message and any attachments are intended solely for the
> addressees and may contain confidential information. Any unauthorized
> use or disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable
> for the message if altered, changed or falsified. If you are not the
> intended recipient of this message, please delete it and notify the
> sender.
> Although all reasonable efforts have been made to keep this
> transmission free from viruses, the sender will not be liable for
> damages caused by a transmitted virus.
Received on Wednesday, 28 May 2014 16:43:01 UTC