Re: Fwd: Security Review request: HTML 5.2

+public-html@w3.org

Thanks for helping out with this, we appreciate having a security 
review. If there is anything that can be done to speed up this review, 
it would be appreciated though.

We had hoped the wide review would be complete by 26th May, so we could 
begin transitioning to CR early next week. Anything that can be done to 
minimise the impact to our timeline would be welcome.

Thanks.


Léonie
-- 
@LeonieWatson tink.uk Carpe diem

On 01/06/2017 12:44, Samuel Weiler wrote:
> Michał,
> 
> Thank you for your willingness to do a review for us (or, as Sam 
> suggested, recruit another victim).  CC'ed is Léonie Watson, co-chair of 
> the W3C Web Platform WG.  See her note (two below) re: scoping this 
> review to be manageable.
> 
> I have a set of meta-questions, below, that I'd like answered briefly in 
> a separate note - those will help guide the review process going forward.
> 
> -- Sam Weiler, W3C
> 
> 
> 
> 
> 
> -------- Forwarded Message --------
> Subject: Security Review request: HTML 5.2
> Date: Fri, 26 May 2017 08:18:24 -0400
> From: Samuel Weiler <weiler@w3.org>
> To: samsrinivas@google.com
> 
> Thank you for taking my call yesterday.
> 
> As we discussed, W3C is trying to get broader security reviews of our 
> specs before they're published as recommendations.  At the moment we're 
> recruiting one-off reviews to collect some experience - my hope is to 
> establish a routine for this by the end of the year.
> 
> We would appreciate the Google team's help.  I suspect Michał Zalewski 
> would be an excellent reviewer, though I welcome a review from anyone 
> you suggest.
> 
> Specifically, we'd like a review of the HTML 5.2 spec.  Details are in 
> the note below, also available at:
> https://lists.w3.org/Archives/Public/public-web-security/2017Apr/0000.html
> 
> I recognize that this spec is unusually long.  In order to keep the 
> process tractable, I suggest focusing on the changes between 5.1 and 
> 5.2, consistent with Léonie's note below.  I'm hoping for a review in 
> the next 2-3 weeks, which I know is later than the timeline originally 
> requested.
> 
> https://www.w3.org/TR/html52/changes.html#changes-fpwd
> 
> 
> Questions that I'm interested in the answers to:
> 
> -- How complete is the document's own discussion of security issues? How 
> well has the WG done at identifying issues on its own?
> 
> -- How reasonable are its own solutions/mitigations?
> 
> -- Are there any showstopper issues, documented or not, that require 
> more attention?
> 
> 
> Meta questions:
> 
> -- How long did you spend on the review?  (To gauge the burden.)
> 
> -- How appropriately timed was the WG's request for review (in this 
> case, in April, before CR)?  Do you think your input would have been 
> more helpful at another phase (e.g. at FPWD)?  If so, when?
> 
> -- How willing would you be to do future reviews (of a shorter spec!), 
> perhaps once every 2-3 months?
> 
> 
> 
> Many thanks for your help!  Feel free to reach out to me with questions 
> at any point.
> 
> Sam Weiler, W3C
> 
> 
> -------- Forwarded Message --------
> Subject: Requesting Security IG review of HTML5.2
> Resent-Date: Thu, 13 Apr 2017 09:48:16 +0000
> Resent-From: public-web-security@w3.org
> Date: Thu, 13 Apr 2017 10:47:25 +0100
> From: Léonie Watson <tink@tink.uk>
> Reply-To: tink@tink.uk
> To: public-web-security@w3.org
> CC: public-html@w3.org
> 
> Hello Security IG,
> 
> Our plan is to begin the process of moving HTML5.2 to CR in early June, 
> per our planned timetable [1]. We'd therefore welcome your review of the 
> current WD [2].
> 
> To make things manageable the parts of the spec that need review are 
> those noted in the Changes section [3]. We're not expecting the entire 
> spec to be reviewed unless you wish to do so.
> 
> Please file issues on GitHub, with a reference to the Security IG in the 
> comment [4]. If you could also send a message here when your review is 
> complete, that would be helpful.
> 
> We'd be glad of your input as soon as possible, but our cut-off for 
> making CR would be 26th May.
> 
> Any questions, you know where to find us.
> 
> Thanks
> Léonie
> [1] https://lists.w3.org/Archives/Public/public-html/2016Nov/0014.html
> [2] https://www.w3.org/TR/2017/WD-html52-20170406/
> [3] https://www.w3.org/TR/2017/WD-html52-20170406/changes.html#changes
> [4] https://github.com/w3c/html/issues/

Received on Thursday, 1 June 2017 15:49:45 UTC