- From: Tantek Çelik via WBS Mailer <sysbot+wbs@w3.org>
- Date: Sat, 02 Mar 2024 00:00:01 +0000
- To: public-review-comments@w3.org
- CC: tantek@tantek.com
The following answers have been successfully submitted to 'Call for Review: Web Application Security Working Group Charter' (Advisory Committee) for Mozilla Foundation by Tantek Çelik.

The reviewer's organization suggests changes to this Charter, but supports the proposal whether or not the changes are adopted.

Additional comments about the proposal:

The new "Off-The-Record Response Header Field" (OTR) deliverable focuses on addressing *Privacy* use-cases and as such it should instead be added as an OPTIONAL deliverable for the Privacy Working Group charter to take up if/when it has shown sufficient incubation. We believe it is an error (in scope, choice of most appropriate Working Group to do the work) to add OTR to the list of deliverables for the Web Application *Security* Working Group charter. We could live with OTR being taken up for consideration by the Privacy CG.

We recommend the following actions, which do not require synchronization:

* The Team should amend the proposed Web Application Security Working Group Charter to drop OTR
* The Team should add OTR as an optional deliverable to the in-progress Privacy Working Charter, and then re-poll the AC with that updated Charter, which also resolves 2 of the 3 Formal Objections on the prior polled Privacy WG Charter. This also provides an opportunity to see if the remaining 3rd (anonymous) Formal Objection on the prior polled Privacy WG Charter is restated or not for the updated proposed Privacy WG Charter.

We believe this path has a better chance of creating a Privacy Working Group charter more quickly than further delays in processing an anonymous Formal Objection on an outdated WG charter proposal.

We are objecting (suggesting changes) but are not making this a Formal Objection because we believe this to be a W3C Team clerical error (putting a new deliverable in the wrong Working Group) that the Team is empowered to fix without having to exercise the full Formal Objection process and mechanisms.
Additionally, we are concerned about the new "End-to-End Encryption email" proposed optional deliverable because it looks out of scope for the working group: https://www.w3.org/2024/01/proposed-wg-webappsec.html#scope

* The proposed charter does not have cryptography in its scope except for maintaining the Web Cryptography API
* The proposed charter does not have messaging standards, formats, protocols in its scope

We also note that the link in the deliverables section to "End-to-End Encryption email" is also only to a section of minutes of a meeting from nearly 6 months ago, and NOT a Proposal draft (whether incubated or not) or even an Explainer draft, which is highly unusual and unexpected. This seems like a Charter drafting clerical error of leaving in the wrong link, since the linked minutes do say there is a "draft that we have" that "if there's enough interest we will publish", so presumably that publication may (should?) have happened in the past 6 months since one implementer proposed it and another implementer said "There is interest".

Since we are not sure if there was an attempt to expand the Scope but it wasn't written up, and/or if there was a clerical error of failing to link to an actual proposal, or if this was perhaps a Charter editing-in-progress tentative addition that was errantly not removed before taking to an AC poll, we do not feel we have enough information to propose a specific set of actions to resolve these concerns.

We are expressing our concerns (on apparent scope violation and failure to link to an actual proposal) but we are not making this a Formal Objection because optimistically the error or errors may again be clerical (rather than substantial) in nature, and we expect the Team to address such corrections before adopting an updated Web Application Security Working Group Charter.

Thanks for your consideration and attention to these details.
The reviewer's organization intends to participate in these groups:

- Web Application Security Working Group

The reviewer's organization:

- intends to review drafts as they are published and send comments.

Comments about the deliverables: Intending to review drafts does not imply actual implementation interest or intent on any particular draft.

Answers to this questionnaire can be set and changed at https://www.w3.org/2002/09/wbs/33280/webappsec-2024/ until 2024-03-01.

Regards,
The Automatic WBS Mailer
Received on Saturday, 2 March 2024 00:00:03 UTC