Re: Require security review before FPWD

On Tue, Nov 4, 2014 at 12:14 AM, Jeff Jaffe <jeff@w3.org> wrote:
>
> On 11/3/2014 8:01 AM, Henri Sivonen wrote:
>
>> Surely we want the right architecture.  So if the WG wants to mandate TLS,
>> they should.
>
> I think there's also a need to deal with the case where the WG doesn't
> really want to mandate TLS even when mandating TLS is needed. That is,
> there's a need of *early* oversight for WGs that don't realize things
> early on their own initiative.
>
> An interesting question is to understand how far you want to take this.
> There is a range.  At the "lightest" end of the spectrum these reviews are
> to provide advice.  At the "heaviest" end of the spectrum, failure to
> achieve a certain level of security could be a reason for a REC to be
> blocked.  In that interpretation, EME and WebRTC could potentially still be
> blocked.
>
> When you say "deal with the case where the WG doesn't want to mandate TLS
> even when it is needed" - I hear you on the more intrusive side of the
> spectrum.  Is that a correct interpretation?

While I'm generally not a fan of some oversight group that hasn't
looked deeply into a particular issue exercising high-level oversight
(e.g. "must be more XML-y" attitude of the yesteryear) with less domain
knowledge than a group working on a particular spec, in this case, I
think there's a need for oversight on the more intrusive
side. Specifically, it seems to me that each group wants their thing
to be popular among authors, sees a restriction to https as hindering
popularity among authors and will, therefore, come up with excuses why
their stuff shouldn't be restricted to https. Once restriction to
https for privacy-sensitive stuff comes as naturally to groups as the
notion that textual data should be Unicode comes today, oversight will
be less necessary.

-- 
Henri Sivonen
hsivonen@hsivonen.fi
https://hsivonen.fi/

Received on Friday, 14 November 2014 10:59:24 UTC