- From: Mike West <mkwst@google.com>
- Date: Mon, 3 Nov 2014 13:03:19 +0100
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: David Singer <singer@apple.com>, public-w3process <public-w3process@w3.org>
- Message-ID: <CAKXHy=e4t4-D6fnZkHu99+bU1-9qHMfTuXS+1MFF=Rs4_WQbgg@mail.gmail.com>

My general impression is that it would be quite valuable indeed to have security/privacy review of specs before they're implemented in browsers. It's not clear to me, however, that there's a group in the W3C that feels both responsible for reviews, and is willing to dedicate effort to reviewing specs in a reasonable timeframe.

I haven't followed the conversations in the Web Security IG closely, but my impression is that there was some discussion around review guidelines earlier in the year[1], but it's not clear that anything concrete came out of that discussion. Likewise, WebAppSec gets looped in every once in a while, but that hasn't seemed to result in actionable feedback. My guess is that folks (myself included) generally assume that someone else will take care of things; that doesn't seem to have been tremendously effective.

Right now, we end up more or less relying on individual browser vendors to be vigilant while implementing features. I think that ends up being too late to effect any change in the foundations of any particular specification, and probably means that subject area experts (who may not have the security or privacy implications in mind) end up making decisions and shipping things that we end up stuck with. Ideally we'd move that vigilance somewhere up the stack.

The only group from which I've received consistently high-quality review feedback is the TAG. Perhaps forking off a "task force" or "whatever" from that group could be an effective way of assigning visible responsibility, and thereby increasing the likelihood that feedback would reach the relevant WG before an implementation ships in the wild.

-mike

[1]: http://lists.w3.org/Archives/Public/public-web-security/2014May/0017.html

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Nov 3, 2014 at 12:30 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Nov 3, 2014 at 12:27 PM, David Singer <singer@apple.com> wrote:
> > By the time the w3c indicates that something is implementable, i.e. that implementations
> > start occurring and hence security/accessibility/privacy/i18nability issues actually hit people,
> > we should be clear that the appropriate reviews have been done, not that they were done
> > explicitly at FPWD or at any other particular named stage.
>
> The W3C hasn't even decided yet to my knowledge whether it wants to
> endorse DRM, yet various browsers implemented it. Again, this is not
> how things work.
>
>
> --
> https://annevankesteren.nl/

Received on Monday, 3 November 2014 12:04:08 UTC