Re: Require security review before FPWD from Mike West on 2014-11-03 (public-w3process@w3.org from November 2014)

From: Mike West <mkwst@google.com>
Date: Mon, 3 Nov 2014 13:03:19 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: David Singer <singer@apple.com>, public-w3process <public-w3process@w3.org>
Message-ID: <CAKXHy=e4t4-D6fnZkHu99+bU1-9qHMfTuXS+1MFF=Rs4_WQbgg@mail.gmail.com>

My general impression is that it would be quite valuable indeed to have
security/privacy review of specs before they're implemented in browsers.
It's not clear to me, however, that there's a group in the W3C that feels
both responsible for reviews, and is willing to dedicate effort to
reviewing specs in a reasonable timeframe.

I haven't followed the conversations in the Web Security IG closely, but my
impression is that there was some discussion around review guidelines
earlier in the year[1], but it's not clear that anything concrete came out
of that discussion. Likewise, WebAppSec gets looped in every once in a
while, but that hasn't seemed to result in actionable feedback. My guess is
that folks (myself included) generally assume that someone else will take
care of things; that doesn't seem to have been tremendously effective.

Right now, we end up more or less relying on individual browser vendors to
be vigilant while implementing features. I think that ends up being too
late to effect any change in the foundations of any particular
specification, and probably means that subject area experts (who may not
have the security or privacy implications in mind) end up making decisions
and shipping things that we end up stuck with. Ideally we'd move that
vigilance somewhere up the stack.

The only group from which I've received consistently high-quality review
feedback is the TAG. Perhaps forking off a "task force" or "whatever" from
that group could be an effective way of assigning visible responsibility,
and thereby increasing the likelihood that feedback would reach the
relevant WG before an implementation ships in the wild.

-mike

[1]:
http://lists.w3.org/Archives/Public/public-web-security/2014May/0017.html

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Nov 3, 2014 at 12:30 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Nov 3, 2014 at 12:27 PM, David Singer <singer@apple.com> wrote:
> > By the time the w3c indicates that something is implementable, i.e. that
> implementations
> > start occurring and hence security/accessibility/privacy/i18nability
> issues actually hit people,
> > we should be clear that the appropriate reviews have been done, not that
> they were done
> > explicitly at FPWD or at any other particular named stage.
>
> The W3C hasn't even decided yet to my knowledge whether it wants to
> endorse DRM, yet various browsers implemented it. Again, this is not
> how things work.
>
>
> --
> https://annevankesteren.nl/
>
>

Received on Monday, 3 November 2014 12:04:08 UTC