- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Fri, 12 Sep 2008 09:03:07 -0400
- To: W3C WSC Public <public-wsc-wg@w3.org>
So I took this action a while ago to try to flesh out aspects of the web security guideline document we have been discussing. There's certainly lots of reference material out there, but I don't think it makes a lot of sense for us to look at writing the document just by collating "secure web dev" sources. Certainly there's value in having something authoritative that does that, but if *this* group is going to produce that document, I think we probably ought, in addition to security vendors, browser authors, researchers and others, to have some actual invited experts on the subject of *web* security, because I think our perspective is otherwise a little unbalanced. Ian's been doing a commendable job arguing for major web properties and the deployment difficulties they'd have with some of our recommendations, but I don't think that's quite the level of coverage we'd need to be confident about our recommendations. And when I think about bringing those people in, I wonder if we start to encroach on our mandate a little, as we move away from things having to do with usable security and more to do with programming hygiene?

The net effect of all of this soul-searching and navel-gazing is that I don't have a synthesized list of commonly recommended practices, but I have added a couple of documents to the SharedBookmarks which have potentially harvestable content: http://www.w3.org/2006/WSC/wiki/SharedBookmarks#head-c0400f4bd18ce327a3e48f7dcecbaece4c6645a5

I think I'd like to close out/cancel ACTION-490, because I think it's not the right way to build out that document.

Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Friday, 12 September 2008 13:03:48 UTC