Re: Require security review before FPWD

On 11/03/2014 10:06 AM, David Singer wrote:
>
> On Nov 3, 2014, at 13:07 , Sam Ruby <rubys@intertwingly.net> wrote:
>
>> On 11/03/2014 07:33 AM, Anne van Kesteren wrote:
>>> On Mon, Nov 3, 2014 at 1:10 PM, David Singer <singer@apple.com>
>>> wrote:
>>>> Since I have no idea how we got from ‘when is it required that an
>>>> XXX review be done?’ to ‘has the W3C endorsed DRM?’ I can only
>>>> conclude that we’re seriously at cross purposes.
>>>
>>> I brought up EME as an example of where vendors implemented and
>>> shipped something that is bad for security and privacy. Reviewers
>>> are at a loss. You said vendors should follow the W3C. I argued that
>>> such an argument did not apply here as the W3C has not made up its
>>> made mind (or so claims the leadership).
>>
>> Having recently been at a F2F with those vendors, I can confidently
>> state that a security review prior to FPWD would not have changed vendor
>> behavior.
>
> If a vendor wants to ship before these reviews are done, of course they can.  But we owe it to them to make it clear that they have not been done, and also to do them ‘in a timely manner’ so they are not caught between shipping now (with possible XXXX issues) or not meeting their markets needs in a timely fashion.

Requiring all documents between FPWD and CR to include a status of 
various reviews would indeed be a good thing.  Doing so would reinforce 
the message that such activities be done early without unduly slowing 
down the process.

I don't think that this should be limited to security.  PLH listed[1] a 
few other areas that should be considered.

> David Singer
> Manager, Software Standards, Apple Inc.

[1] http://lists.w3.org/Archives/Public/public-w3process/2014Oct/0205.html

Received on Monday, 3 November 2014 15:22:38 UTC