WebAppSec re-charter status from Wendy Seltzer on 2015-02-04 (public-webappsec@w3.org from February 2015)

From: Wendy Seltzer <wseltzer@w3.org>
Date: Wed, 04 Feb 2015 07:16:47 -0500
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <54D20DAF.1080804@w3.org>
Hi WebAppSec,

The Advisory Committee's review of the WebAppSec re-charter has closed,
with substantial support but one formal objection from Mozilla to some
of our proposed deliverables. The Formal Objection means that before
bringing the Charter to the Director for approval, we should discuss
with Mozilla and either address their concerns or explain why the
Director should overrule the objection.[1]

Mozilla has agreed that we can share their comments publicly[2], so I'm
pasting them below. They also discussed the subject on public lists.[3]
(Most of the other comments are available Member-only[4]).

[Mozilla]
> The reviewer's organization suggests changes to this Charter, and only
> supports the proposal if the changes are adopted [Formal Objection].
> 
> Additional comments about the proposal:
>     There are a number of problematic aspects to this charter to which
> we object:
> 
> (1) The "Confinement with Origin Web Labels" deliverable is described
>      in a way that makes it unclear what the deliverable would do.  It
>      should be clearer.  Furthermore, the lack of clarity means we
>      couldn't evaluate whether we are comfortable with it being in the
>      charter.
> 
> (2) The "Entry Point Regulation for Web Applications" deliverable seems
>      to have serious risks of breaking the ability to link.  It's not
>      clear that the security benefits of this specification outweigh the
>      risks to the abilities of Web users.
> 
>      At the very least, the charter should be explicit that the group
>      may decide not to complete this item because of these tradeoffs.
> 
> (3) In the scope section, the item "Application awareness of powerful
>      features which may require explicit user permission to enable." It's
>      not clear whether this part of the scope is intended to allow
>      https://w3c.github.io/permissions/ to be a document in the working
>      group, or whether it's intended to put
>      https://w3c.github.io/webappsec/specs/powerfulfeatures/ in the scope
>      of the working group.  (I've heard separately that the powerfeatures
>      draft was intended to be in the charter as a deliverable but was
>      accidentally omitted.)  It seems like this probably refers to the
>      Permissions API spec, and if it does, it would probably be best to
>      avoid the use of the term "powerful features" to avoid confusion.
> 
>      We may be comfortable with the Permissions API spec, although some
>      of us have concerns about it, and for that perhaps the charter
>      should be explicit about potentially abandoning the work as in point
>      (2).
> 
>      We have more serious concerns about the scope of the
>      powerfulfeatures spec.  In particular, we don't believe the
>      WebAppSec WG should be in the role of policing the specifications of
>      other groups (which is not the role it has historically held) or
>      defining general (and likely overly-broad) rules to determine when a
>      feature has an important effect on a user's privacy or security.
> 
>      Therefore, we would like to see producing enforceable definitions of
>      what is a powerful feature as explicitly out of scope for the Web
>      Application Security WG, since that determination should be made
>      primarily by the working group developing the feature, perhaps in
>      consultation with the Web Application Security WG.
> 
> (4) We believe the charter should have provision for asynchronous
>      decision making, perhaps as in
>      http://www.w3.org/2014/06/webapps-charter.html#decisions .


In the meantime, I'm working on an interim extension to give us time
continue under our current charter while we work on the revision.

Thanks,
--Wendy


[1] http://www.w3.org/2014/Process-20140801/#FormalObjection
[2] https://lists.w3.org/Archives/Public/www-archive/2015Feb/0001.html
[3]
<https://groups.google.com/forum/?_escaped_fragment_=topic/mozilla.dev.platform/yEqC74IgnqQ#!topic/mozilla.dev.platform/yEqC74IgnqQ>
[4]
https://www.w3.org/2002/09/wbs/33280/WebAppSec-Recharter-2015/results
[member-only link]

-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Wednesday, 4 February 2015 12:17:04 UTC