[W3C Web security IG] Require security review before FPWD

Hi all, an interesting conversation is going on on W3C process and is now switching to the TAG mailing lists. Security review in W3C is in the spotlight...
Virginie

From my mobile

---- Original message ----
Subject: Re: Require security review before FPWD
Sent: 3 Nov 2014 07:19
From: Mike West <mkwst@google.com>
To: Sam Ruby <rubys@intertwingly.net>
Cc: public-w3process@w3.org




Skimming through this thread again, the concept of a questionnaire makes a lot of sense to me. I did a quick brain dump at https://github.com/mikewest/spec-questionnaire/blob/master/questionnaire.markdown which skims through some of the questions that come to mind regarding both security and privacy considerations.

Does that document capture the general direction folks are considering?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Nov 3, 2014 at 2:07 PM, Sam Ruby <rubys@intertwingly.net> wrote:


On 11/03/2014 07:33 AM, Anne van Kesteren wrote:
On Mon, Nov 3, 2014 at 1:10 PM, David Singer <singer@apple.com> wrote:
Since I have no idea how we got from ‘when is it required that an
XXX review be done?’ to ‘has the W3C endorsed DRM?’ I can only
conclude that we’re seriously at cross purposes.

I brought up EME as an example of where vendors implemented and
shipped something that is bad for security and privacy. Reviewers
are at a loss. You said vendors should follow the W3C. I argued that
such an argument did not apply here as the W3C has not made up its
mind (or so claims the leadership).

Having recently been at a F2F with those vendors, I can confidently
state that a security review prior to FPWD would not have changed vendor
behavior.  In fact, I see a lot of parallel to the <video> tag[1].  That
being said, discussion is ongoing, and I encourage readers to consult
the following:

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332#c130

https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html#privacy-secureorigin

- Sam Ruby

[1] http://lists.w3.org/Archives/Public/public-whatwg-archive/2009Jun/0599.html



Received on Tuesday, 4 November 2014 07:01:14 UTC