Re: Securing the security reviews in W3C - how to proceed ? from Yan Zhu on 2016-07-21 (public-webappsec@w3.org from July 2016)

From: Yan Zhu <yan@mit.edu>
Date: Thu, 21 Jul 2016 11:00:23 -0400
To: Anne van Kesteren <annevk@annevk.nl>
Cc: GALINDO Virginie <Virginie.Galindo@gemalto.com>, "www-tag@w3.org" <www-tag@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>
Message-ID: <CAFDBa1WB5NXgeAMQq5C4myiW=zQFMKs6+OSgmh17UoMKUXa1MA@mail.gmail.com>

IIRC, the TAG has/had an informal policy of asking groups to self-review
using https://www.w3.org/TR/security-privacy-questionnaire/ before a spec
reached TAG review. I would be in favor of making this self-review process
mandatory.

On Thu, Jul 21, 2016 at 10:49 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> On Thu, Jul 21, 2016 at 4:34 PM, GALINDO Virginie
> <Virginie.Galindo@gemalto.com> wrote:
> > Thanks for jumping in that thread if you believe you can help with
> improving security reviews in W3C !
>
> I think increasing the overall security competence and understanding
> of the same-origin policy, through self-review and learning, is much
> more important than delegating the task to a pool of "experts". The
> idea of having "accessibility", "internationalization", and now
> "security" pillars has proven not to scale and has done more harm than
> good. It's good to have communities where you can go for help, but
> making them responsible doesn't really work.
>
>
> --
> https://annevankesteren.nl/
>
>

Received on Thursday, 21 July 2016 15:00:56 UTC