Re: Require security review before FPWD

At the risk of repeating myself: on a page that lists documents that are up for some sort of review, with the deadlines, we could have explicit “XXX review” listed, where XXX is accessibility, i18n, security, privacy, etc.

It would be helpful if somehow we could find the most recent such review for a document, as then it ought to be possible to work out whether it’s still an adequate review for the document at hand.

What we are trying to achieve is that by the time of Rec publication, the appropriate reviews have been done and the issues they raised resolved, not that the issues be raised at a particular stage.

On Nov 3, 2014, at 4:33 , fantasai <> wrote:

> On 11/02/2014 07:41 PM, Jeff Jaffe wrote:
>> Mind you, I have no strong objection to the proposal; just discussing whether it is most effective. More effective would be to
>> raise the level of understanding and training among spec writers to be constantly security aware.
> I think having a questionnaire, as Anne suggested, filled out prior to FPWD,
> might be helpful. Other cross-WG review groups could also provide a standard
> questionnaire that prompts tech designers to think about the implications of
> the technology they're designing and fix any common mistakes prior to FPWD.
> I don't think requiring WebSec review prior to FPWD is ideal schedule-wise,
> but having it trigger a WebSec review seems reasonable.
> (You don't even have to modify the process for any of this, just create the
> questionnaires and educate the staff contacts about using them...)
> ~fantasai

David Singer
Manager, Software Standards, Apple Inc.

Received on Monday, 3 November 2014 10:38:29 UTC