Re: [W3C Web Security IG] call for comments on Security Review Process and Security Guidelines

On 5/28/14 11:57 AM, GALINDO Virginie wrote:
> Dear all,
> As we received our first requests for conducting security review on 
> Web RTC and Manifest specifications, I think it is time for this IG to 
> confirm that the tools proposed on our wiki are relevant to start 
> security review. This is why I am calling for comments on:
> -Security Review Process [1] : allowing the other groups to request 
> security review and setting up a frame for the review and reviewer
> -Security Guidelines [2] : supporting editors and chairs to fill in 
> the Security Consideration section in their deliverable
> Let's give us **15 days** to collect comments on this mailing list (I 
> will edit those tools accordingly on the wiki).
> After that first period, those tools will be our basis for beta 
> testing our security reviews.
> Hope to see your active contributions here.

Hi Virginie, All,

Has the group agreed to "track" reviews to facilitate Qs like "so, what 
is now being reviewed; when does the review for doc X end; who agreed to 
review doc X; where are the comments from the review of doc X; what were 
the results of the review" and such? I see there is an empty section in 
[1] that could include this type of data (or it might make sense to 
create a new page).

Is the expectation the reviews will be done on this list? The TAG uses 
GH for its reviews [GH]. It also seems something like [specifiction] 
could be used. How does PING conduct its spec reviews and track them (as 
it might make sense to use similar/identical methods)?

-Thanks, AB

[GH] <>
[specifiction] <>

> Regards,
> Virginie
> Gemalto
> Co-chair of Web Security IG
> [1] Security Review process 
> <>
> [2] Security Guidelines 

Received on Wednesday, 28 May 2014 16:43:01 UTC