- From: Chris Wilson <cwilso@google.com>
- Date: Thu, 30 Oct 2014 10:32:21 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: public-w3process <public-w3process@w3.org>
Received on Thursday, 30 October 2014 17:32:48 UTC
In general, I'm in agreement that security should be considered early; since FPWD is the only place you can make sure it's "early", I might agree with this, but what would you consider a "security review"? Are there specific people you'd want involved, signoff from someone particular, or simply a "security review" section in the FPWD doc? Specific questions like "why don't you require TLS (if you don't)?"

On Thu, Oct 30, 2014 at 10:17 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Without due security review implementers end up implementing drafts
> and then we cannot fix the broken security and privacy
> characteristics.
>
> See e.g. https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#128 and
> the rest of that thread for how hard it is to do this
> post-publication.
>
> Requiring TLS for an API is something that should be considered very early
> on.
>
> --
> https://annevankesteren.nl/