Re: Require security review before FPWD

On Nov 7, 2014, at 12:02, wrote:

> 04.11.2014, 15:25, "Jeff Jaffe" <>:
>> On 11/4/2014 3:40 AM, GALINDO Virginie wrote:
>>> +1 for the guidelines,
>> Would the Security IG be the right place to develop those guidelines?
> They would be the obvious group to have them as a deliverable. But in the nature of things, they probably should look around for expertise in other groups to help make the guidelines as good as we can get them…
> cheers

I think the community as a whole should develop the guidelines, and if we don’t get input from the security IG then I am not sure we’d have a good set of guidelines.

But the model that ‘the XXX IG is responsible for developing the guidelines’ or, worse, ‘the primary responsibility for an XXX review lies with the YYY IG’, is flawed.  This is, in effect, signing up IGs for open-ended amounts of work.  The primary responsibility for ensuring that XXX has had consideration in a document lies with the group that wants to publish that document, and in this case, the primary responsibility for developing requirements and guidelines in the process for XXX reviews lies with the group that is working on the process — the process G and the AB, with the AC and staff.

Yes, we want the security IG’s (and privacy IG’s, and…) help.  No, it is not their deliverable.

David Singer
Manager, Software Standards, Apple Inc.

Received on Friday, 7 November 2014 12:08:43 UTC