- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sun, 29 Mar 2026 13:16:56 -0400
- To: peace@acm.org
- Cc: Simone Onofri <simone@w3.org>, public-security@w3.org, public-privacy@w3.org
On Sun, Mar 29, 2026 at 1:03 PM Tom Jones <thomasclinganjones@gmail.com> wrote:

> I guess what you are saying is that a w3c standard requires a threat analysis (mitigations, acceptances, etc.) as well as a threat model.

Yes, this has been the requirement for many years now, where the results are documented in the Security and Privacy Considerations sections.

> I really don't like this idea because it seems to assume that the final word on the threats and mitigations can be known at spec time. This is demonstrably false.

I don't think that follows, and I don't think anyone is saying that.

> Worse, it doesn't allow for updates to the analysis which might be required during the lifetime of the standard.

Most W3C specs have a "maintenance mode" that allows for these updates.

> Perhaps a better approach would be to attach an analysis to the standard as released and updated from time to time without requiring an update on the spec?

This can be done fairly easily through the "maintenance mode" process that most WGs follow these days. It doesn't need to be external to the document, and doing so creates even more W3C Process overhead that results in the document not being updated (because it's a PITA to do so).

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/
Received on Sunday, 29 March 2026 17:17:36 UTC