- From: Tantek Çelik via WBS Mailer <sysbot+wbs@w3.org>
- Date: Sat, 10 Jul 2021 00:51:02 +0000
- To: public-new-work@w3.org
The following answers have been successfully submitted to 'Call for Review: Web Application Security (WebAppSec) WG Charter' (Advisory Committee) for Mozilla Foundation by Tantek Çelik.

The reviewer's organization suggests changes to this Charter, and only supports the proposal if the changes are adopted [Formal Objection].

Additional comments about the proposal:

We have filed a GitHub issue on the charter prior to this survey response with our concerns with a number of the deliverables listed in the charter:
https://github.com/w3c/webappsec/issues/595

There appears to be some progress with considering dropping many of the deliverables we have asked to be dropped, however it’s worth listing those here explicitly (please see the GitHub issue for details about why each of these should be dropped from the charter):

* Trusted Types
* Content Security Policy: Embedded Enforcement. In particular, we’d like to see maintenance on CSP, but no new features at this point.
* Subresource Integrity Level 2
* Suborigins
* Origin Policy

In general, we believe that specs should only be put on the standards track (included as a Working Group deliverable towards a Recommendation) when there is at least some explicit *interest* from two or more practical (web impactful) implementations. We request that specs be dropped that have shown interest from only one implementer, otherwise we are at risk of a single-implementation spec, which will only ever serve as documentation (i.e. not an actual open standard), as we know that monoculture-based standards end up becoming de facto, based on the one specific implementation’s details, bugs, interpretations, and not what is written in a specification.

The reviewer's organization intends to participate in these groups:

- Web Application Security (WebAppSec) Working Group

The reviewer's organization:

- intends to review drafts as they are published and send comments.
- intends to develop experimental implementations and send experience reports.
- intends to develop products based on this work.
- intends to apply this technology in our operations.

Answers to this questionnaire can be set and changed at https://www.w3.org/2002/09/wbs/33280/webappsec2021/ until 2021-07-09.

Regards,
The Automatic WBS Mailer
Received on Saturday, 10 July 2021 00:51:05 UTC