Re: Require security review before FPWD

On Mon, Nov 3, 2014 at 4:08 PM, David Singer <singer@apple.com> wrote:

>
> On Nov 3, 2014, at 14:17 , Mike West <mkwst@google.com> wrote:
>
> > Skimming through this thread again, the concept of a questionnaire makes
> > a lot of sense to me. I did a quick brain dump at
> > https://github.com/mikewest/spec-questionnaire/blob/master/questionnaire.markdown
> > which skims through some of the questions that come to mind regarding both
> > security and privacy considerations.
>
> These are mostly questions for the review groups to assemble.


I don't really understand this response. The groups doing review would, of
course, need to decide whether these were the right questions to ask.
Specification authors/WGs would, of course, need to assemble answers to
these questions. I'm attempting to kick off a conversation around what set
of questions we as a group should care about. :)

If the goal is to get the WG thinking about the security and privacy
impacts of their specification, then these questions seem to be a
reasonable start to a conversation with whoever ends up reviewing the
specification. Perhaps even as part of an FPWD publication request?


> Obviously, the question of whether there are XXXX Considerations sections
> at all is more global.


Indeed. But it's an important question, because it's a pretty rare
specification that doesn't actually need one or both of these sections,
regardless of whether or not they're actually written. :)

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 3 November 2014 15:19:36 UTC