Re: Require security review before FPWD

In general, I'm in agreement that security should be considered early;
since FPWD is the only place you can make sure it's "early", I might agree
with this, but what would you consider a "security review"?  Are there
specific people you'd want involved, signoff from someone particular, or
simply a "security review" section in the FPWD doc?  Specific questions
like "why don't you require TLS (if you don't)?"

On Thu, Oct 30, 2014 at 10:17 AM, Anne van Kesteren <annevk@annevk.nl>
wrote:

> Without due security review implementers end up implementing drafts
> and then we cannot fix the broken security and privacy
> characteristics.
>
> See e.g. https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#128 and
> the rest of that thread for how hard it is to do this
> post-publication.
>
> Requiring TLS for an API is something that should be considered very early
> on.
>
> --
> https://annevankesteren.nl/

Received on Thursday, 30 October 2014 17:32:48 UTC