Re: Require security review before FPWD

On 10/31/2014 2:28 PM, Philippe Le Hegaret wrote:
> On Thu, 2014-10-30 at 18:17 +0100, Anne van Kesteren wrote:
>> Without due security review implementers end up implementing drafts
>> and then we cannot fix the broken security and privacy
>> characteristics.
>>
>> See e.g. https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#128 and
>> the rest of that thread for how hard it is to do this
>> post-publication.
>>
>> Requiring TLS for an API is something that should be considered very early on.
> I'm all for improving security on the Web and encouraging early reviews
> but I'm concerned about raising the bar before a FPWD can be published.
> Take that as a list of things to consider rather than objections.

This is a specific example of something more general.

Part of why we dropped Last Call from the process is that we wanted to 
give Chairs more flexibility in when they execute process steps (such as 
wide review).  This could suggest adding this to the required set of 
steps to be done prior to CR; together with encouragement to do it early 
(even prior to FPWD).

>
> If the effect is increased delays in publication, it means that:
> 1. the Working Group will work under a longer time without any firm IP
> commitment (since the PP won't start its clock until the FPWD is
> published [1]).
> 2. unless you're in the group/list, you're also delaying the opportunity
> from the wider community to pay attention to it.
>
> We should make sure we can clear willingness/commitments from the
> appropriate groups/forums/experts to do those early reviews, otherwise
> we're about to add additional steps without having the ability to
> fulfill them.
>
> Finally, why stop at security (and privacy)? What about accessibility,
> i18n, device independence, performance, etc? We would effectively send a
> message that security/privacy is more important for early reviews than
> those other areas. This will be acceptable for some but not all. And if
> we add additional reviews, we're delaying the clock even further.
>
> Philippe
>
> [1]
> http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-exclusion-resign
>
>
>

Received on Sunday, 2 November 2014 07:23:51 UTC