
Re: Require security review before FPWD

From: GALINDO Virginie <Virginie.Galindo@gemalto.com>
Date: Thu, 30 Oct 2014 19:19:58 +0000
To: Chris Wilson <cwilso@google.com>, Anne van Kesteren <annevk@annevk.nl>
CC: public-w3process <public-w3process@w3.org>
Message-ID: <ipo4gl9x0y3xamorxadkaj4i.1414696595767@email.android.com>
Dear all,
Note that the Web Security IG is trying to define a security review process. Unfortunately we did not have enough involvement to beta test it on a specification.
Feel free to amend...
Virginie Galindo
Web Security IG co-chair

---- Anne van Kesteren wrote ----

On Thu, Oct 30, 2014 at 6:32 PM, Chris Wilson <cwilso@google.com> wrote:
> In general, I'm in agreement that security should be considered early; since
> FPWD is the only place you can make sure it's "early", I might agree with
> this, but what would you consider a "security review"?  Are there specific
> people you'd want involved, signoff from someone particular, or simply a
> "security review" section in the FPWD doc?  Specific questions like "why
> don't you require TLS (if you don't)?"

Probably specific questions would work best, combined with review from
the WebAppSec community.


Received on Thursday, 30 October 2014 19:20:29 UTC
