Re: Require security review before FPWD

From: Henri Sivonen <hsivonen@hsivonen.fi>
Date: Fri, 14 Nov 2014 12:58:56 +0200
Message-ID: <CANXqsR+E3aDPq9LJCZpjfuOVqamUtuZ3hyWqxfuPUSKHxZkDgw@mail.gmail.com>
To: Jeff Jaffe <jeff@w3.org>
Cc: Anne van Kesteren <annevk@annevk.nl>, Philippe Le Hegaret <plh@w3.org>, public-w3process <public-w3process@w3.org>

On Tue, Nov 4, 2014 at 12:14 AM, Jeff Jaffe <jeff@w3.org> wrote:
> On 11/3/2014 8:01 AM, Henri Sivonen wrote:
>> Surely we want the right architecture.  So if the WG wants to mandate TLS,
>> they should.
> I think there's also a need to deal with the case where the WG doesn't
> really want to mandate TLS even when mandating TLS is needed. That is,
> there's a need of *early* oversight for WGs that don't realize things
> early on their own initiative.
> An interesting question is to understand how far you want to take this.
> There is a range.  At the "lightest" end of the spectrum these reviews are
> to provide advice.  At the "heaviest" end of the spectrum, failure to
> achieve a certain level of security could be a reason for a REC to be
> blocked.  In that interpretation, EME and WebRTC could potentially still be
> blocked.
> When you say "deal with the case where the WG doesn't want to mandate TLS
> even when it is needed" - I hear you on the more intrusive side of the
> spectrum.  Is that a correct interpretation?

While I'm generally not a fan of some oversight group that hasn't
looked deeply into a particular issue exercising high-level oversight
(e.g. "must be more XML-y" attitude of the yesteryear) with less domain
knowledge than a group working on a particular spec, in this case, I
think there's a need for oversight on the more intrusive
side. Specifically, it seems to me that each group wants their thing
to be popular among authors, sees a restriction to https as hindering
popularity among authors and will, therefore, come up with excuses why
their stuff shouldn't be restricted to https. Once restriction to
https for privacy-sensitive stuff comes as naturally to groups as the
notion that textual data should be Unicode comes today, oversight will
be less necessary.

Henri Sivonen
Received on Friday, 14 November 2014 10:59:24 UTC