[PING] [Questionnaire Update] - Week 1 Status

Wanted to provide everyone with a status update on the updating of the Privacy Questionnaire.  If you have any questions about the below, please feel free to respond to this email and we can discuss on the PING mailing list.  If you’re interested in joining the smaller set of folks working on these edits, please email me CCing the folks on the CC line of this email.

Last week, the smaller group exchanged on the following topic:
> Week of 9/17 - Discussion regarding PING’s goals for the questionnaire — how does it feed into the review process writ large, what the format of privacy and security consideration sections should be, etc.

And we have a few takeaways:
- The document should be retitled and re-scoped to be a questionnaire and guidance document for specification authors so it can be used to help authors in their writing of their specifications and to prepare them for conversations with PING.
- The process for use of this document would be something like:
  - Group formed to write a specification;
  - Group is given the guidance/questionnaire;
  - Group meets with PING to discuss any questions they have about how the guidance/questionnaire intersects with their feature at a conceptual level;
  - Group develops specification with the guidance/questionnaire informing their development process;
  - Group brings an early draft of the specification with Privacy consideration section to PING for review;
  - Iterate
- In addition to the above, we may want to explore the privacy champion model for specs.
- As part of the document re-scoping, the Privacy Threats section of the existing Privacy Considerations document <https://w3c.github.io/privacy-considerations/> should be merged into the 'Threat Model' section of the guidance + questionnaire document, and 4.1, 4.2, 4.3 and 4.4 of Privacy Considerations should be brought into a new "common mitigations" section in the guidance + questionnaire document.
- There are some specific concepts or phrasing that we want to pull from the following:
  - https://github.com/w3c/ping/blob/master/privacy-questions.html
  - https://github.com/gnorcie/ping-privacy-questions
  - https://www.w3.org/wiki/Privacy_and_security_questionnaire
  - https://www.w3.org/wiki/Privacy/Privacy_Considerations
- With respect to writing a privacy and security section, we should look to RFC3552 <https://tools.ietf.org/html/rfc3552#section-5> for guidance and either reference it or adapt it for the security/questionnaire document.

This week's topic is:
> Week of 9/24 - Review of Introduction and Threat Models.

Again, if you're interested in participating in the smaller group, please email me CCing the folks on the CC line of this email.

The goal of this week is to develop a branch <https://github.com/jasonanovak/security-questionnaire/tree/week-02-introductions-and-threat-models> containing PING edits to the introductions and threat models sections that we will submit as a PR to the TAG to accept into the master document.

We’re tracking our work in jasonanovak/security-questionnaire <https://github.com/jasonanovak/security-questionnaire>.  If you have issues you want to see addressed in the questionnaire/guidance document, please file an Issue there (or email me + folks on CC if you would prefer and we can take care of it).

Thanks!
Jason

Received on Monday, 24 September 2018 21:09:13 UTC