[wbs] response to 'Call for Review: Web Application Security Working Group Charter'

The following answers have been successfully submitted to 'Call for Review:
Web Application Security Working Group Charter' (Advisory Committee) for
Mozilla Foundation by Tantek Çelik.


The reviewer's organization suggests changes to this Charter, but supports
the proposal whether or not the changes are adopted.

Additional comments about the proposal:
   The new "Off-The-Record Response Header Field" (OTR) deliverable focuses
on addressing *Privacy* use-cases and as such it should instead be added as
an OPTIONAL deliverable for the Privacy Working Group charter to take up
if/when it has shown sufficient incubation. We believe it is an error (in
scope, choice of most appropriate Working Group to to do the work) to add
OTR to the list of deliverables for the Web Application *Security* Working
Group charter. We could live with OTR being taken up for consideration by
the Privacy CG.

We recommend the following actions, which do not require synchronization:
* The Team should amend the proposed Web Application Security Working Group
Charter to drop OTR
* The Team should add OTR as an optional deliverable to the in-progress
Privacy Working Charter, and then re-poll the AC with that updated Charter,
which also resolves 2 of the 3 Formal Objections on the prior polled
Privacy WG Charter. This also provides an opportunity to see if the
remaining 3rd (anonymous) Formal Objection on the prior polled Privacy WG
Charter is restated or not for the updated proposed Privacy WG Charter. We
believe this path has a better chance of creating a Privacy Working Group
charter more quickly than further delays in processing an anonymous Formal
Objection on an outdated WG charter proposal.

We are objecting (suggesting changes) but are not making this a Formal
Objection because we believe this to be a W3C Team clerical error (putting
a new deliverable in the wrong Working Group) that the Team is empowered to
fix without having to exercise the full Formal Objection process and
mechanisms.

Additionally, we are concerned about the new "End-to-End Encryption email"
proposed optional deliverable because it looks out of scope for the working
group: https://www.w3.org/2024/01/proposed-wg-webappsec.html#scope
* The proposed charter does not have cryptography in its scope except for
maintaining the Web Cryptography API
* The proposed charter does not have messaging standards, formats,
protocols in its scope

We also note that the link in the deliverables section to "End-to-End
Encryption email" is also only to a section of minutes of a meeting from
nearly 6 months ago, and NOT a Proposal draft (whether incubated or not) or
even an Explainer draft, which is highly unusual and unexpected. This seems
like a Charter drafting clerical error of leaving in the wrong link, since
the linked minutes do say there is a "draft that we have" that "if there's
enough interest we will publish", so presumably that publication may
(should?) have happened in the past 6 months since one implementer proposed
it and another implementer said "There is interest".

Since we are not sure if there was an attempt to expand the Scope but it
wasn't written up, and/or if there was a clerical error of failing to link
to an actual proposal, or if this was perhaps a Charter editing-in-progress
tentative addition that was errantly not removed before taking to an AC
poll, we do not feel we have enough information to propose a specific set
of actions to resolve these concerns.

We are expressing our concerns (on apparent scope violation and failure to
link to an actual proposal) but we are not making this a Formal Objection
because optimistically the error or errors may again be clerical (rather
than substantial) in nature, and we expect the Team to address such
corrections before adopting an updated Web Application Security Working
Group Charter.

Thanks for your consideration and attention to these details.


The reviewer's organization intends to participate in these groups:
   - Web Application Security Working Group

The reviewer's organization:
   - intends to review drafts as they are published and send comments.


Comments about the deliverables:
   Intending to review drafts does not imply actual implementation interest
or intent on any particular draft.


Answers to this questionnaire can be set and changed at
https://www.w3.org/2002/09/wbs/33280/webappsec-2024/ until 2024-03-01.

 Regards,

 The Automatic WBS Mailer

Received on Saturday, 2 March 2024 00:00:03 UTC