Re: [W3C Web Security IG] call for comments on Security Review Process and Security Guidelines

Hiya,

On 02/06/14 13:18, GALINDO Virginie wrote:
> Stephen, Thanks for your feedback. I believe that PM should be taken
> into account into the guidelines, but the RFC7258 is just stating
> that one should pay attention to it, there is no 'operational'
> recommendation inside. As such, this will not help the editors and
> chairs to fill their 'security recommendation' section. I would
> rather add in the guideline the fact that "editors and chair should
> monitor deliverables related to RFC7258." As soon as you guys will
> have delivered something, we will consider adding it to our
> guidelines. Would that work for you ? Regards, Virginie

It's entirely your (i.e. W3C's) call.

I think calling out 7258 and advising chairs/editors to consider
PM is fine, however you want to phrase that.

I'd not bother with asking them to monitor ongoing activities in
the IETF though, purely on the basis that that'd be too onerous
in most cases. When/if the IETF manage to update 3552 then you
might want to update your guidance to note that.

Cheers,
S.




> 
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Wednesday 28 May 2014 21:57
> To: GALINDO Virginie; public-web-security@w3.org
> Cc: 'Wendy Seltzer'
> Subject: Re: [W3C Web Security IG] call for comments on Security
> Review Process and Security Guidelines
> 
> 
> Wrt [2]. How'd you feel about also adding RFC7258 as another
> guideline? FWIW, as a non-member of W3C, I think that'd be a fine
> thing.
> 
> I hope (not promising) that the IETF might produce a companion
> document for RFC 3552 as guidelines for PM, but that will take some
> time if it happens.
> 
> S.
> 
> 
> On 28/05/14 16:57, GALINDO Virginie wrote:
>> Dear all,
>> 
>> As we received our first requests for conducting security review on
>> Web RTC and Manifest specifications, I think it is time for this IG
>> to confirm that the tools proposed on our wiki are relevant to
>> start security review. This is why I am calling for comments on :
>> 
>> - Security Review Process [1] : allowing the other groups
>> to request security review and setting up a frame for the review
>> and reviewer
>> 
>> - Security Guidelines [2] : supporting editors and chairs
>> to fill in the Security Consideration section in their deliverable
>> 
>> Let's give us *15 days* to collect comments on this mailing list (I
>> will edit those tools accordingly on the wiki). After that first
>> period, those tools will be our basis for beta testing our security
>> reviews. Hope to see your active contributions here.
>> 
>> Regards, Virginie Gemalto Co-chair of Web Security IG
>> 
>> [1] Security Review process
>> http://www.w3.org/Security/wiki/IG/W3C_spec_review
>> [2] Security Guidelines
>> https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
>> 
>> ________________________________ This message and any attachments
>> are intended solely for the addressees and may contain confidential
>> information. Any unauthorized use or disclosure, either whole or
>> partial, is prohibited. E-mails are susceptible to alteration. Our
>> company shall not be liable for the message if altered, changed or
>> falsified. If you are not the intended recipient of this message,
>> please delete it and notify the sender. Although all reasonable
>> efforts have been made to keep this transmission free from viruses,
>> the sender will not be liable for damages caused by a transmitted
>> virus.
>> 

Received on Monday, 2 June 2014 12:25:40 UTC