Re: Require security review before FPWD

I'd really like to not block on a review by WebAppSec *for* FPWD
publication, though I think it would be good to have a boilerplate spec
template section that *is* required for FPWD that includes questions that
will at least spark thinking about the security and privacy implications.
Perhaps that could trigger WebAppSec review of that FPWD?

On Thu, Oct 30, 2014 at 3:49 PM, fantasai <fantasai.lists@inkedblade.net>
wrote:

> On 10/30/2014 10:46 AM, Anne van Kesteren wrote:
>
>> On Thu, Oct 30, 2014 at 6:32 PM, Chris Wilson <cwilso@google.com> wrote:
>>
>>> In general, I'm in agreement that security should be considered early;
>>> since FPWD is the only place you can make sure it's "early", I might agree
>>> with this, but what would you consider a "security review"?  Are there
>>> specific people you'd want involved, signoff from someone particular, or
>>> simply a "security review" section in the FPWD doc?  Specific questions
>>> like "why don't you require TLS (if you don't)?"
>>>
>>
>> Probably specific questions would work best, combined with review from
>> the WebAppSec community.
>>
>
> +1 from me. Seems totally reasonable.
>
> Would you require the review from WebAppSec prior to FPWD publication,
> or trigger it by FPWD publication?
>
> ~fantasai
>
>

Received on Thursday, 30 October 2014 23:02:59 UTC