Re: Security Review request: HTML 5.2

+ public-html@w3.org

Thank you all for helping with this.

Would it be possible for the review to be completed next week? We had 
originally put the 5.2 spec out for wide review by 26th May, with a view 
to being in CR (Candidate Recommendation) by 20th June [1]. That meant 
freezing the spec today so we could go to the WG to ask for their 
consent to make the transition.

We want a security review, but we also want to minimise the impact to 
our timeline. Even if the review is completed next week, we're still 
looking at a two week delay (plus any time needed to respond to any 
issues you might file).

Anything you can do to help us would be greatly appreciated.

Thanks
Léonie
-- 
@LeonieWatson tink.uk Carpe diem

On 02/06/2017 10:14, Artur Janc wrote:
> Thanks, Michal!
> 
> Sam, Léonie -- we'll be happy to take a look at the changes to the spec in 
> the coming weeks, starting with the questions you raised. If you have 
> any other thoughts or suggestions in the meantime, feel free to drop me 
> a line.
> 
> Cheers,
> -Artur
> 
> On Fri, Jun 2, 2017 at 9:50 AM, Michal Zalewski <lcamtuf@google.com> wrote:
> 
>     Hey Samuel, Leonie,
> 
>     Sorry for the slightly delayed response - I was at an offsite.
> 
>     Artur Janc (cc:ed) runs a very successful team within my org that
>     spends a lot of time helping bake new security mechanisms into
>     browsers (CSP strict-dynamic, per-page suborigins, etc) and working
>     with stakeholders across all of Google to leverage these and other
>     mechanisms within large-scale web apps. In fact, you might be familiar
>     with some of their public work on CSP, e.g.:
> 
>     https://speakerdeck.com/mikispag/acm-ccs-2016-csp-is-dead-long-live-csp
> 
>     Artur, Michele, and Lukas expressed interest in chiming in on this
>     effort, with Artur coordinating the work. I am happy to contribute in
>     any way I can, but the team is more than capable of tackling this -
>     and I think you will be pleased with the results!
> 
>     Artur - see the thread below for some questions from Samuel to get the
>     ball rolling.
> 
>     Cheers,
>     /mz
> 
> 
>     On Thu, Jun 1, 2017 at 4:44 AM, Samuel Weiler <weiler@w3.org> wrote:
>      > Michał,
>      >
>      > Thank you for your willingness to do a review for us (or, as Sam
>      > suggested, recruit another victim).  CC'ed is Léonie Watson, co-chair
>      > of the W3C Web Platform WG.  See her note (two below) re: scoping
>      > this review to be manageable.
>      >
>      > I have a set of meta-questions, below, that I'd like answered briefly
>      > in a separate note - those will help guide the review process going
>      > forward.
>      >
>      > -- Sam Weiler, W3C
>      >
>      >
>      > -------- Forwarded Message --------
>      > Subject: Security Review request: HTML 5.2
>      > Date: Fri, 26 May 2017 08:18:24 -0400
>      > From: Samuel Weiler <weiler@w3.org>
>      > To: samsrinivas@google.com
>      >
>      > Thank you for taking my call yesterday.
>      >
>      > As we discussed, W3C is trying to get broader security reviews of our
>      > specs before they're published as recommendations.  At the moment
>      > we're recruiting one-off reviews to collect some experience - my hope
>      > is to establish a routine for this by the end of the year.
>      >
>      > We would appreciate the Google team's help.  I suspect Michał Zalewski
>      > would be an excellent reviewer, though I welcome a review from anyone
>      > you suggest.
>      >
>      > Specifically, we'd like a review of the HTML 5.2 spec.  Details are in
>      > the note below, also available at:
>      >
>      > https://lists.w3.org/Archives/Public/public-web-security/2017Apr/0000.html
>      >
>      > I recognize that this spec is unusually long.  In order to keep the
>      > process tractable, I suggest focusing on the changes between 5.1 and
>      > 5.2, consistent with Léonie's note below.  I'm hoping for a review in
>      > the next 2-3 weeks, which I know is later than the timeline originally
>      > requested.
>      >
>      > https://www.w3.org/TR/html52/changes.html#changes-fpwd
>      >
>      >
>      > Questions that I'm interested in the answers to:
>      >
>      > -- How complete is the document's own discussion of security issues?
>      > How well has the WG done at identifying issues on its own?
>      >
>      > -- How reasonable are its own solutions/mitigations?
>      >
>      > -- Are there any showstopper issues, documented or not, that require
>      > more attention?
>      >
>      >
>      > Meta questions:
>      >
>      > -- How long did you spend on the review?  (To gauge the burden.)
>      >
>      > -- How appropriately timed was the WG's request for review (in this
>      > case, in April, before CR)?  Do you think your input would have been
>      > more helpful at another phase (e.g. at FPWD)?  If so, when?
>      >
>      > -- How willing would you be to do future reviews (of a shorter
>      > spec!), perhaps once every 2-3 months?
>      >
>      >
>      > Many thanks for your help!  Feel free to reach out to me with
>      > questions at any point.
>      >
>      > Sam Weiler, W3C
>      >
>      >
>      > -------- Forwarded Message --------
>      > Subject: Requesting Security IG review of HTML5.2
>      > Resent-Date: Thu, 13 Apr 2017 09:48:16 +0000
>      > Resent-From: public-web-security@w3.org
>      > Date: Thu, 13 Apr 2017 10:47:25 +0100
>      > From: Léonie Watson <tink@tink.uk>
>      > Reply-To: tink@tink.uk
>      > To: public-web-security@w3.org
>      > CC: public-html@w3.org
>      >
>      > Hello Security IG,
>      >
>      > Our plan is to begin the process of moving HTML5.2 to CR in early
>      > June, per our planned timetable [1]. We'd therefore welcome your
>      > review of the current WD [2].
>      >
>      > To make things manageable, the parts of the spec that need review are
>      > those noted in the Changes section [3]. We're not expecting the entire
>      > spec to be reviewed unless you wish to do so.
>      >
>      > Please file issues on GitHub, with a reference to the Security IG in
>      > the comment [4]. If you could also send a message here when your
>      > review is complete, that would be helpful.
>      >
>      > We'd be glad of your input as soon as possible, but our cut-off for
>      > making CR would be 26th May.
>      >
>      > Any questions, you know where to find us.
>      >
>      > Thanks
>      > Léonie
>      >
>      > [1] https://lists.w3.org/Archives/Public/public-html/2016Nov/0014.html
>      > [2] https://www.w3.org/TR/2017/WD-html52-20170406/
>      > [3] https://www.w3.org/TR/2017/WD-html52-20170406/changes.html#changes
>      > [4] https://github.com/w3c/html/issues/
>      > --
>      > @LeonieWatson tink.uk Carpe diem
>      >
> 
> 

Received on Friday, 2 June 2017 10:41:18 UTC