Re: Require security review before FPWD

On Thu, 2014-10-30 at 18:17 +0100, Anne van Kesteren wrote:
> Without due security review implementers end up implementing drafts
> and then we cannot fix the broken security and privacy
> characteristics.
> 
> See e.g. https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#128 and
> the rest of that thread for how hard it is to do this
> post-publication.
> 
> Requiring TLS for an API is something that should be considered very early on.

I'm all for improving security on the Web and encouraging early reviews
but I'm concerned about raising the bar before a FPWD can be published.
Take that as a list of things to consider rather than objections.

If the effect is increased delays in publication, it means that:
1. the Working Group will work under a longer time without any firm IP
commitment (since the PP won't start its clock until the FPWD is
published [1]).
2. unless you're in the group/list, you're also delaying the opportunity
from the wider community to pay attention to it.

We should make sure we can clear willingness/commitments from the
appropriate groups/forums/experts to do those early reviews, otherwise
we're about to add additional steps without having the ability to
fulfill them.

Finally, why stop at security (and privacy)? What about accessibility,
i18n, device independence, performance, etc? We would effectively send a
message that security/privacy is more important for early reviews than
those other areas. This will be acceptable for some but not all. And if
we add additional reviews, we're delaying the clock even further.

Philippe

[1]
http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-exclusion-resign

Received on Friday, 31 October 2014 18:28:30 UTC